If you post your BTC tip publicly, someone could enter the site and fill out the form, "on your behalf", and exchange it to ETH instead, since there's no other (practical) way to validate whose tip it is. A possible "attacker" would gain nothing from this but just annoy people.
Ah, I see. Is there no plan to add a verification or something similar to prevent it? I guess the user can simply never post it publicly, but it would be interesting if there was an additional check before somebody made the transaction even in private. I guess that's doable with account registration or something similar, although it would reduce the user experience. I can see people abusing this to discourage using your service, at least publicly since they'd need to do multiple transactions to convert it to the right coins if they fall to such an attack.
I do not know if this have been suggested by someone else before, but what I did say is, why have the option of either to post the tip publicly when it is strongly advised against?
I mean, if the op doesn't want users to post their exchange request publicly, as it could be hijacked by some random person for whatever reason, why include that option on the exchange form?, they could have just removed it and this will make sure that every exchange request coming from the poorbot will be posted privately which no chance of anyone mistakenly, or out of curiosity, posting or making the request public.
I may need a bit of explanation on this, if non have been given before, what are the possible benefits of posting an exchange request publicly?