From Facebook Developer Wiki

I don't see why this is an issue. If someone has the secret key, they can potentially make malicious calls to Facebook. It's a huge security risk to give out the api key and secret key. Seems to me like a test environment for developers would be a better solution. --1470030056 22:35, 29 September 2007 (PDT)

[edit] How to handle keys

Basically the ToS forbids use of the Python programming language, since being interpreted means the source (and hence the secret_key) is always viewable.