Even if it's letting you know your id_rsa file and ~/.ssh/config is exposed? I know I'd want to know...

Malicious bots don't care if there is an API. They can screen scrape easily.

I'm sure malicious bots do try to mass message repository owners through Github. It's called spam and every platform over a certain size experiences it. I expect Github already has measures in place to block it.

Why not? Serious question.

When I searched Github it seemed like most of the supposedly leaked passwords were actually examples or placeholders and not a problem.

It would be one thing if Github ran (or at least sanctioned) a feature that warned you of possible security problems, but I don't think I'd like potentially multiple, poorly-coded bots going around messaging repo owners.