If onion.to can replace every instance of .onion with .onion.to, then it can read your password when you enter it in too. So you're trusting that the onion.to admin is a good person and doesn't hack your account, spam, post cp on your behalf, etc. Also, I hope you don't use that password anywhere else.