Not only are they spitting back opaque binaries, but they're doing so by running arbitrary and untrusted user code.
There are already single-command tools for releasing a project to Maven, including tagging the release, bumping the version number in the build file, building and signing the jars, and uploading the results to a Maven repository.
Maven artifacts can be GPG signed; GPG signing is required for Maven central.
It would be irresponsible to use a service like this to build binary JARs that you then signed and uploaded with your own signature guaranteeing their providence.
But unless the signers have a public certificate, or publish their public keys on their website (which you need to obtain manually), the signatures on Maven Central can be just as fake as the artifacts.
Not only are they spitting back opaque binaries, but they're doing so by running arbitrary and untrusted user code.
There are already single-command tools for releasing a project to Maven, including tagging the release, bumping the version number in the build file, building and signing the jars, and uploading the results to a Maven repository.
Given that, why would you SaaS trusted builds!?!