If they compromise the server running the scripts - yes. I suppose if they got ahold of the active key they could do the same too.

It'd be pretty obvious (hopefully) to the owners that some of the funds were being redirected else where. At least in those scenarios, all of the funds that have already been processed would be safe :)