It also doesn't even need an API key since the checking is done client-side!
This may be a bad idea, especially given that it could be easily botted with a QR code API. The whole point of reCAPTCHA and hCaptcha is that they can't be botted, so the validation is done on the server side. "Never trust the client to be truthful". This would mean that the client could just not do the captcha and remove it before the script ever sees it.
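As an added illustration of the server-side validation this comment refers to (not code from the thread or from the project under discussion), the sketch below has the server issue a signed, single-use challenge and reject any form submission that arrives without a valid solution. All names (`issueChallenge`, `verifyResponse`, `handleForm`, the `captchaToken`/`captchaAnswer` fields) are hypothetical, and the in-memory nonce set stands in for a shared store.

```javascript
const crypto = require('node:crypto');

// Hypothetical server-side state; none of this is ever sent to the browser.
const SERVER_SECRET = crypto.randomBytes(32);
const TTL_MS = 2 * 60 * 1000;
const usedNonces = new Set(); // assumption: a shared store with expiry in production

function sign(data) {
  return crypto.createHmac('sha256', SERVER_SECRET).update(data).digest('hex');
}

function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// The server picks the answer and renders it into the challenge itself.
// The token carries only a keyed MAC of the answer, so the client cannot
// check or forge a solution locally.
function issueChallenge(now = Date.now()) {
  const answer = crypto.randomInt(100000, 1000000).toString();
  const nonce = crypto.randomBytes(16).toString('hex');
  const expires = now + TTL_MS;
  const answerMac = sign(`answer:${nonce}:${answer}`);
  const payload = `${nonce}.${expires}.${answerMac}`;
  return { answer, token: `${payload}.${sign(payload)}` };
}

function verifyResponse(token, submitted, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 4) return false;            // missing or malformed token
  const [nonce, expires, answerMac, mac] = parts;
  if (!safeEqual(mac, sign(`${nonce}.${expires}.${answerMac}`))) return false; // tampered
  if (now > Number(expires)) return false;         // expired
  if (usedNonces.has(nonce)) return false;         // replayed
  usedNonces.add(nonce);                           // one attempt per challenge
  return safeEqual(answerMac, sign(`answer:${nonce}:${submitted}`));
}

// The protected endpoint enforces the check itself: deleting the widget in
// the browser only produces a request that fails here.
function handleForm(body) {
  if (!verifyResponse(body.captchaToken, body.captchaAnswer)) {
    return { status: 403 };
  }
  return { status: 200 };
}
```

This closes the "remove it before the script ever sees it" bypass; whether the challenge itself resists automated solving is a separate property of the challenge design.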