Is revealing just the AUTH_KEY a security issue?

Well, AUTH_KEY and it´s brothers where introduced in WordPress 2.6 to improve safety for logged in users. They are used to encrypt and validate the information in your backend login cookie.

While revealing the AUTH_KEY alone might not be a real security issue, you should nevertheless not output/use this anywhere to give less surface for attacks.

Furthermore I don´t see why you would use the AUTH_KEY to prepare a folder/download link. I think it would be much better to use something like time() to generate folder names if you want randomness or uniqueness or whatever without compromising the security of the system.

Update: I opened a thread in the plugins support area. Let´s see if the author responds to it.