cs-autoresponder

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill is a coherent mock customer-service autoresponder, with no active hidden exfiltration or destructive behavior, but users should configure logging, background operation, and production channel credentials carefully.

This looks safe to install as the included mock implementation, but before using it with real customer channels, decide who may approve automatic replies, protect and redact local logs, keep the log directory dedicated, and manage any Kakao, email, Instagram, or Discord credentials with least privilege.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If connected to real channels, the skill can reply to customers automatically without per-message approval.

Why it was flagged

When the monitor finds a FAQ match, it sends the generated response through the channel adapter. The included adapter is mock-only, but this is the intended automatic response path.

Skill content

await this.channelAdapter.sendMessage(channelName, msg.user, response);

Recommendation

Test in mock mode first, limit enabled channels, review FAQ answers and thresholds, and monitor early production runs.

What this means

Customer messages, phone numbers, emails, or other personal information may be retained on disk.

Why it was flagged

The documented log format stores customer identifiers and message text in local JSONL conversation logs.

Skill content

logs/YYYY-MM-DD/{clientId}.jsonl ... "user":"010-1234-5678","message":"환불하고 싶어요"

Recommendation

Use a protected log directory, set an appropriate retention period, avoid storing sensitive fields, and add redaction before production use.

Note (High Confidence)

ASI10: Rogue Agents

What this means

The autoresponder can continue polling and processing messages until the background process is stopped.

Why it was flagged

The documentation recommends running the monitor as a background pm2 process.

Skill content

Background execution (pm2 recommended): pm2 start {baseDir}/scripts/monitor.js --name cs-mufi -- --config config/고객사명.json

Recommendation

Run it under an account you control, document the stop command, and disable channels or stop pm2 when unattended operation is not desired.

What this means

Real channel integrations may gain authority to send customer messages through business accounts.

Why it was flagged

The production configuration template anticipates third-party messaging credentials, even though the current mock code does not actively use them.

Skill content

"apiKey": "YOUR_KAKAO_API_KEY", "senderKey": "YOUR_SENDER_KEY"

Recommendation

Use least-privileged credentials, keep secrets out of committed config files, and rotate keys if they are exposed.

Note (High Confidence)

ASI08: Cascading Failures

What this means

If logDir is pointed at a non-dedicated directory, old date-named folders there could be removed.

Why it was flagged

The retention cleanup recursively deletes old date-named directories under the configured logDir. The default is ./logs, but the path is configurable.

Skill content

if (daysDiff > retentionDays) { ... fs.rmSync(dirPath, { recursive: true, force: true }); }

Recommendation

Keep logDir set to a dedicated logs folder and avoid pointing it at shared or important directories.