Right now /keys just passes passwords around like it wants to get hacked.
We must make sure that the default behavior of the Cosmos-SDK server doesn't allow for such unsafe operations. We'll need to discuss how to properly handshake between the server and client (e.g. TLS or secret_connection or other). We discussed this a bit during SDK standup meetings a month ago.