(cont) But I'm not sure if you're gaining anything since you'd still be sending it to a single address (the bot) in the end anyway, which could be used to steal the funds.
This was exactly the plan, but can't even get past sharing the pubkey (we're only in touch via memo). The point is not to make it foolproof, but to alleviate the bot writer's risk.
In that case, your only option is to share the extended key as you did (which is not ideal). But going forward, you might want to find a secure way to share it 👍