Summary
Prepare NemoClaw's public/user-facing skills for the NVIDIA Verified Skills catalog signing flow and keep the catalog export deterministic.
Constraints from NVIDIA/skills and NVSkills CI
- Catalog sync in
NVIDIA/skills mirrors from product repos and now drops any skill missing skill.oms.sig and skill-card.md.
- NVSkills signing is currently PR-oriented: a maintainer/admin requests signing by commenting
/nvskills-ci on an open same-repo PR.
- The central NVSkills service rejects fork PRs and only allows onboarded repos/base refs; NemoClaw is onboarded for
NVIDIA/NemoClaw targeting main.
- The signing workflow pushes generated artifacts back to the source PR branch; those artifacts must be merged to
main before NVIDIA/skills can sync them.
NVIDIA/skills currently syncs NemoClaw from .agents/skills/, but central NVSkills watched paths did not include .agents/skills/ when we investigated. We opened NVIDIA/nvskills-ci#20 to add that support.- The catalog is external/customer-facing; internal-only or experimental skills should not be published.
- The visible catalog model is single-current-version per skill, not multi-versioned; compatibility should be represented in deterministic metadata and release process, not assumed from catalog versioning.
Decisions made to accommodate those constraints
- Keep
.agents/skills/ as the internal source of truth.
- Add a generated watched export directory, likely
skills/nemoclaw/, containing only catalog-safe/user-facing skills as real copied files (no symlinks).
- Use a checked-in allowlist, likely
.agents/catalog-skills.yaml, as the explicit curation source for catalog inclusion/exclusion rationale.
- Let Pi help classify skills and update the allowlist, but keep daily export deterministic and script-driven.
- Keep allowlist updates and generated export updates in the same PR so there is one review surface.
- Prevent direct edits to the watched export directory by adding a generated-file notice plus a CI check in the existing
CI / Pull Request workflow.
- Use deterministic metadata only (for example source commit/content hash and tested/min NemoClaw version); avoid timestamps that churn every skill on every run.
- Try automated
/nvskills-ci comments later, but expect a manual maintainer comment fallback if github-actions[bot] is rejected by NVSkills permission checks.
Proposed implementation plan
- Land
NVIDIA/nvskills-ci#20 or otherwise confirm .agents/skills/ is a supported watched path.
- Add
.agents/catalog-skills.yaml with initial catalog-safe set:
nemoclaw-skills-guidenemoclaw-user-*- exclude
nemoclaw-maintainer-* by default as internal/maintainer workflows
- evaluate
nemoclaw-contributor-* explicitly before including
- Add
scripts/export-catalog-skills.py to regenerate skills/nemoclaw/ from the allowlist.
- Add
skills/nemoclaw/README.md explaining that the directory is generated and must not be edited directly.
- Add a check to
.github/workflows/pr.yaml that runs the exporter in --check mode and fails if skills/nemoclaw/ is stale or hand-edited.
- Add optional
.gitattributes/CODEOWNERS coverage for generated export, allowlist, and exporter script.
- Add a daily or manual workflow that opens/updates one same-repo PR with allowlist/export changes, then optionally attempts
/nvskills-ci comment.
- After signing artifacts are pushed to the PR branch, merge the PR before release tagging/catalog sync.
- Update
NVIDIA/skills/components.d/nemoclaw.yml if needed so catalog sync points at the final export path rather than all .agents/skills/.
Open questions
- Will NVSkills accept
/nvskills-ci comments authored by github-actions[bot], or do we need a maintainer/service-account token?
- Should
nemoclaw-contributor-* skills be customer-facing, or remain repo-local only?
- Should catalog metadata record
minNemoClawVersion, testedNemoClawVersion, source commit, or all three?
- Does NVSkills downstream sign all skill directories in a PR or only changed skill directories?
References
NVIDIA/nvskills-ci#20 — add .agents/skills/ watched-path support.NVIDIA/skills#30 — original NemoClaw catalog onboarding.NVIDIA/skills#86 — sync dropped NemoClaw skills because signatures/cards were missing.NVIDIA/nvskills-ci#19 — central onboarding of NemoClaw to NVSkills CI.
Summary
Prepare NemoClaw's public/user-facing skills for the NVIDIA Verified Skills catalog signing flow and keep the catalog export deterministic.
Constraints from NVIDIA/skills and NVSkills CI
NVIDIA/skillsmirrors from product repos and now drops any skill missingskill.oms.sigandskill-card.md./nvskills-cion an open same-repo PR.NVIDIA/NemoClawtargetingmain.mainbeforeNVIDIA/skillscan sync them.NVIDIA/skillscurrently syncs NemoClaw from.agents/skills/, but central NVSkills watched paths did not include.agents/skills/when we investigated. We openedNVIDIA/nvskills-ci#20to add that support.Decisions made to accommodate those constraints
.agents/skills/as the internal source of truth.skills/nemoclaw/, containing only catalog-safe/user-facing skills as real copied files (no symlinks)..agents/catalog-skills.yaml, as the explicit curation source for catalog inclusion/exclusion rationale.CI / Pull Requestworkflow./nvskills-cicomments later, but expect a manual maintainer comment fallback ifgithub-actions[bot]is rejected by NVSkills permission checks.Proposed implementation plan
NVIDIA/nvskills-ci#20or otherwise confirm.agents/skills/is a supported watched path..agents/catalog-skills.yamlwith initial catalog-safe set:nemoclaw-skills-guidenemoclaw-user-*nemoclaw-maintainer-*by default as internal/maintainer workflowsnemoclaw-contributor-*explicitly before includingscripts/export-catalog-skills.pyto regenerateskills/nemoclaw/from the allowlist.skills/nemoclaw/README.mdexplaining that the directory is generated and must not be edited directly..github/workflows/pr.yamlthat runs the exporter in--checkmode and fails ifskills/nemoclaw/is stale or hand-edited..gitattributes/CODEOWNERS coverage for generated export, allowlist, and exporter script./nvskills-cicomment.NVIDIA/skills/components.d/nemoclaw.ymlif needed so catalog sync points at the final export path rather than all.agents/skills/.Open questions
/nvskills-cicomments authored bygithub-actions[bot], or do we need a maintainer/service-account token?nemoclaw-contributor-*skills be customer-facing, or remain repo-local only?minNemoClawVersion,testedNemoClawVersion, source commit, or all three?References
NVIDIA/nvskills-ci#20— add.agents/skills/watched-path support.NVIDIA/skills#30— original NemoClaw catalog onboarding.NVIDIA/skills#86— sync dropped NemoClaw skills because signatures/cards were missing.NVIDIA/nvskills-ci#19— central onboarding of NemoClaw to NVSkills CI.