Just use MetaMask, it doesn't expose your private key.
It looks legit, can't say for 100% sure for any projects, but so long as you don't enter your private keys anywhere your funds are safe.
Using the MetaMask extension will only allow their site to check for your EOS token holdings via your public key, before they would issue you with their token.
I've got 100 tokens already, and it went on smoothly for me at least.
Not sure how much those 100 tokens are worth though, perhaps worthless in a few mths, or perhaps it may be worth more than US$100?
At any rate, neither of my registered EOS address pair is exposed -- only the ETH public address is being read via MetaMask, so I'd say its safe to collect.
Also use the above URLs I guess, to avoid any chance of accidentally landing on a phishing site.