Perhaps I'm missing something here, but I do not see any security in this solution, except for the user not having to enter his Twitter credentials in an app that only he uses anyway.
Open source means, well, open (readable and modifiable by anyone) source. This means your API Consumer Key is readable by anyone, and it is also the only piece of identity used when requesting keys and secrets. Let's say you have an XYZ open source project, and Twitter assigns it the API Consumer Key "QWER". What exactly prevents any spammer / hacker / bad person out there from masquerading as your app by using your API Consumer Key "QWER" to request keys and secrets? There is no way for Twitter to determine that the request was actually made from within the code of your XYZ project.