I see two major flaws with this approach. First, it's invasive. You have to open an additional hole in your network to allow traffic into the app, which makes your network inherently less secure. Second, unless you do an audit of the source, there are no guarantees as to the security of the app itself. This app of unknown reliability would be acting as a 24/7 gatekeeper into your network.
You could hide it behind VPN, I guess, but that kinda defeats the purpose of secure shell.
Not really. OpenSSH is a battle-tested ssh server. You can be resonably sure that opening it to the world will not compromise your network. Not so of this ajax ssh app. Basically it's a question of exposure. Am I comfortable exposing OpenSSH? Yes. Ajax ssh app? No way. Not without further testing and widespread acceptance.