Cathedral Audit

Audited by ClawScan on May 10, 2026.

Overview

The skill is a plausible Cathedral code-audit workflow, but it also directs broad automated code changes, commits, Claude Code sub-sessions, and cron monitoring without clear user approval or cleanup boundaries.

Use this skill first as a read-only audit. Before allowing remediation, confirm each priority tier, inspect the generated task brief, avoid or tightly limit Bash access, and ensure any cron monitor is removed when work finishes.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A bad audit finding or task brief could cause unintended edits, deletions, shell commands, or commits in the local codebase.

Why it was flagged

The skill delegates remediation to a Claude Code session with file editing, writing, reading, and shell access, then commits the results. The workflow does not clearly require user confirmation before launching the broad-tool session or before committing.

Skill content

Execute fixes by priority tier ... Launch CC session: `cat /tmp/task.md | claude -p --allowedTools 'Edit,Write,Read,Bash'` ... Commit with descriptive message

Recommendation

Separate audit from remediation by default, require explicit user approval before each fix tier and commit, and restrict tools to the narrowest needed set for each task.

What this means

Background monitoring or spawned sessions could continue longer than intended, consume resources, or operate after the user believes the audit is finished.

Why it was flagged

The skill instructs spawning multiple Claude Code sessions and creating a recurring cron monitor, but does not specify the cron command, lifetime, cleanup, or limits on background activity.

Skill content

Use parallel CC agents ... Set up monitoring cron (every 5 min)

Recommendation

Avoid cron by default; if monitoring is needed, make it foreground or time-limited, document the exact job, and remove it automatically when the session completes.

What this means

Persistent memory is useful for recovery, but incorrect or sensitive entries could influence later work or expose project history within the workspace.

Why it was flagged

The skill intentionally writes persistent audit state, task status, files changed, issues, and commit hashes to a memory file that future sessions may rely on.

Skill content

ALWAYS log to daily memory file at every step ... Every audit produces a complete trail in `memory/YYYY-MM-DD.md`

Recommendation

Review memory logs before future agents rely on them, avoid placing secrets in them, and define retention or cleanup expectations.

What this means

Users have less provenance information for a workflow that can modify and commit local source code.

Why it was flagged

The skill is instruction-only, so there is no install-time code to inspect, but its origin is not identified even though it can direct broad codebase changes.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the skill came from a trusted maintainer and review the instructions before allowing it to run remediation steps.