Sort:  

If you use the API access, you can give it read-only permission. Bottom line, it is safe as long as you set the permissions correctly.

If you give them the wallet addresses, you are only providing the public key (so they can't steal your money).

If ANYONE asks you directly for your username and password to an exchange, they are trying to take your money. Never give this information out!