It's definitely evil, when it's used at runtime. In general (non-testing) usage, it would be written out to a file after compilation and there'd be no eval() action at runtime.
It's mainly just slow - the whole set of code has to be parsed, processed, validated, run, etc every time it's used.
It's not insecure in this usage (even if it were used on the client), as all the actual code is generated by uglify-js via an AST and it takes care of properly escaping everything.