If people only used auth_url popups to confirm then your bot wouldn't do harm. Doing confirms through popups has other useful features. I wonder if I should implement the 'secret' thing and only show connection requests with a secret in the nsec.app itself.