This was exactly the plan but can't even get past sharing the pubkey (we're only in touch via memo). The point is not to make it foolproof, but to alleviate the bot writer's risk.
In that case, your only option is to share the extended key as you did (which is not ideal). But going forward, you might want to find a secure way to share it 👍