chore: skills signing batch 3

[miyoungc]

Summary

Related Issue

Changes

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• npm run docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Your Name your-email@example.com

Summary by CodeRabbit

• Documentation
  • Added comprehensive guides for sandbox lifecycle, health/diagnostics, port forwards, recovery, runtime controls, and workspace file behavior.
  • Added detailed docs for customizing network policies, common integration examples, messaging channel setup, backup/restore workflows, and approving network requests.
• Tests
  • Streamlined evaluation case formats across relevant skills to a simpler, focused structure.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds comprehensive documentation, reference guides, evaluation datasets, benchmarks, skill-cards, and signature bundles for NemoClaw network-policy and sandbox-lifecycle skills; normalizes agent eval JSON by removing expected_behavior arrays.

Changes

NemoClaw Network Policy Skill Documentation

Layer / File(s)	Summary
Policy skill guide and fundamentals skills/nemoclaw-user-manage-policy/SKILL.md	Primary guide covering static baseline edits, dynamic live updates, OpenShell TUI approvals, policy presets, and custom preset authoring/apply semantics.
Policy approval and integration reference guides skills/nemoclaw-user-manage-policy/references/approve-network-requests.md, customize-network-policy-details.md, integration-policy-examples.md	Reference pages for interactive approval, preset removal, integration examples (Outlook, Telegram, Slack, Discord, WeChat, WhatsApp, GitHub, Jira, Brave, package tooling, local inference), and next-step commands.
Policy skill evaluation cases and metadata skills/nemoclaw-user-manage-policy/evals/evals.json, BENCHMARK.md, skill-card.md, skill.oms.sig	Six eval items with NemoClaw-specific ground-truths, NVSkills-Eval benchmark report, skill-card metadata, and Sigstore DSSE signature bundle.

NemoClaw Sandbox Lifecycle Skill Documentation

Layer / File(s)	Summary
Sandbox lifecycle skill guide and operations skills/nemoclaw-user-manage-sandboxes/SKILL.md	Operational guide for listing, health checks, logs/diagnostics, port-forward management, multi-sandbox port handling, runtime reconfiguration, rebuilds preserving workspace, upgrades, snapshots, and uninstall flows.
Sandbox advanced operational reference guides skills/nemoclaw-user-manage-sandboxes/references/*	Reference docs covering backup/restore, lifecycle rebuild details, messaging channel setup/QR pairing, runtime vs rebuild mutability, and workspace file layout and persistence.
Sandbox skill evaluation cases and metadata skills/nemoclaw-user-manage-sandboxes/evals/evals.json, BENCHMARK.md, skill-card.md, skill.oms.sig	Eleven eval items with detailed ground-truths, NVSkills-Eval benchmark report, skill-card metadata, and Sigstore DSSE signature bundle.

Evaluation Structure Normalization

Layer / File(s)	Summary
Remove expected_behavior arrays from agent evals .agents/skills/nemoclaw-user-manage-policy/evals/evals.json, .agents/skills/nemoclaw-user-manage-sandboxes/evals/evals.json	Agent-facing eval JSON objects simplified by removing expected_behavior arrays; objects now contain only id, question, expected_skill, and ground_truth.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• NVIDIA/NemoClaw#4360: Overlaps with approve-network-requests.md content edits.

Suggested labels

enhancement: skill

Suggested reviewers

• cv
• ericksoa

Poem

🐰 A rabbit hops through docs and code,
Guiding presets down the road.
Sandboxes safe, policies neat,
Backups stored and channels meet.
Cheers to NemoClaw — tidy and sweet!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore: skills signing batch 3' accurately describes the main change: attaching NVSkills validation signatures to multiple skills (nemoclaw-user-manage-policy and nemoclaw-user-manage-sandboxes), which is clearly evidenced by the signature files added and the commit message.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch skills-sign-batch-3

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[miyoungc]

/nvskills-ci

[github-actions]

E2E Advisor Recommendation

Required E2E: None
Optional E2E: docs-validation-e2e, skill-agent-e2e, network-policy-e2e, sandbox-operations-e2e

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• None.

Optional E2E

• docs-validation-e2e (low): Optional sanity check for newly added Markdown-heavy skill/reference content and cross-links. It is useful confidence, but not merge-blocking because the PR does not change CLI/runtime behavior.
• skill-agent-e2e (medium): Optional broad check that a sandboxed OpenClaw agent can load and use an injected skill. It does not validate these specific skill bundles, so it should not block merge for this content-only PR.
• network-policy-e2e (medium): Optional implementation spot-check if reviewers want confidence that the policy workflows described by the new skill still pass in the current branch. The PR itself does not alter policy code or policy YAML, so this is not required.
• sandbox-operations-e2e (high): Optional implementation spot-check for sandbox lifecycle commands discussed by the new sandbox-management skill. Since only guidance/eval assets changed, this is not merge-blocking.

New E2E recommendations

• agent-skill-content (medium): Existing skill-agent-e2e uses a synthetic fixture and does not install or query the actual newly added nemoclaw-user-manage-policy and nemoclaw-user-manage-sandboxes skills.
  • Suggested test: Add a live-agent skill content E2E that installs/loads each changed user skill and asks representative prompts from its evals.json, asserting the expected skill is selected and the answer references the right SKILL.md/reference file without inventing unsupported behavior.
• skill-publication-validation (medium): The PR adds skill.oms.sig bundles and public skill-card/BENCHMARK metadata, but existing NemoClaw E2E jobs do not verify published skill bundle integrity or signature consistency.
  • Suggested test: Add a lightweight skill publication E2E/check that verifies each published skill directory has valid frontmatter, evals.json schema, skill-card metadata, SPDX headers, and a signature bundle matching the shipped files.

[github-actions]

E2E Scenario Advisor Recommendation

Required scenario E2E: None
Optional scenario E2E: None

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

• None. No scenario workflow, scenario metadata, scenario runtime, or validation-suite files changed.

Optional scenario E2E

• None.

Relevant changed files

• None.

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 6 worth checking, 0 nice ideas
Since last review: 0 prior items resolved, 4 still apply, 1 new item found

Review findings

🛠️ Needs attention

• None.

🔎 Worth checking

• Source-of-truth review needed: Channel credential runtime-controls documentation: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: `runtime-controls.md:19` says tokens are baked into the image; code comments state real tokens are never visible inside the sandbox and credentials flow through OpenShell providers.
• Source-of-truth review needed: Hosted uninstall fallback documentation: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: `skills/nemoclaw-user-manage-sandboxes/SKILL.md:242` and `:248` pipe a mutable branch URL directly to `bash`.
• Channel-token docs contradict the OpenShell provider boundary (skills/nemoclaw-user-manage-sandboxes/references/runtime-controls.md:19): The runtime-controls table says Slack/Discord/Telegram channel tokens are baked into the sandbox image. Nearby source-of-truth code says only channel configuration and placeholder values enter the sandbox; real credentials stay in OpenShell provider storage and are rewritten by the L7 proxy at egress. For a security-sensitive skill, this can teach users or assistants the wrong credential exposure boundary.
  • Recommendation: Reword the row to say channel configuration and provider placeholders are baked into the sandbox image, while real tokens remain in host/OpenShell provider storage and are resolved at egress.
  • Evidence: Changed doc: `Channel tokens ... tokens are baked into the sandbox image at onboard`. Existing code: `scripts/lib/sandbox-init.sh` says `Placeholder tokens flow through to the L7 proxy... Real tokens are never visible inside the sandbox`; `src/lib/onboard.ts` says credentials flow through OpenShell providers and the L7 proxy rewrites real secrets at egress.
• Eval guardrails were removed from security-sensitive skills (.agents/skills/nemoclaw-user-manage-policy/evals/evals.json:5): The PR removes `expected_behavior` arrays from both manage-policy and manage-sandboxes eval files. Those removed assertions required loading the expected skill/reference, avoiding unsupported NemoClaw behavior, and following progressive disclosure. These skills cover network policy, approval decisions, backups, credentials, and sandbox lifecycle, so this weakens regression coverage unless the eval runner intentionally migrated away from this field.
  • Recommendation: Either keep the `expected_behavior` arrays for these evals or point to/update the eval tooling and schema that makes the field obsolete across the catalog. Apply the same decision consistently to both `.agents/skills/...` and top-level `skills/...` eval copies.
  • Evidence: Diff removes `expected_behavior` from `.agents/skills/nemoclaw-user-manage-policy/evals/evals.json` and `.agents/skills/nemoclaw-user-manage-sandboxes/evals/evals.json`; grep found many neighboring `.agents/skills/*/evals/evals.json` files still contain `expected_behavior`.
• Hosted uninstall fallback should call out current-branch trust (skills/nemoclaw-user-manage-sandboxes/SKILL.md:242): The uninstall section correctly prefers the installed, version-pinned `nemoclaw uninstall` path, but the fallback pipes the current `main` branch `uninstall.sh` directly to `bash`. Installer and uninstaller trust is a high-risk NemoClaw surface, and the trust tradeoff is not explicit at the fallback command site.
  • Recommendation: Add a short warning beside the hosted fallback that it trusts the current `main` branch over the network and should be reserved for cases where the installed CLI/version-pinned script is unavailable. If a pinned release URL or checksum flow exists, document that instead.
  • Evidence: Changed doc: `curl -fsSL https://raw.githubusercontent.com/NVIDIA/NemoClaw/refs/heads/main/uninstall.sh | bash`; preceding text says the installed CLI path uses the version-pinned `uninstall.sh` and does not fetch over the network.
• Skill-card readiness conflicts with failing benchmarks (skills/nemoclaw-user-manage-policy/skill-card.md:4): Both new skill cards say the skills are ready for commercial/non-commercial use, but both new benchmark reports say the overall verdict is FAIL and recommend review before NVSkills-Eval publication. That mismatch can give catalog consumers a false readiness signal for security-sensitive guidance about network policy and sandbox lifecycle.
  • Recommendation: Align the skill-card readiness language with the benchmark results, or update the benchmark after addressing its findings so the publication signal is consistent.
  • Evidence: `skills/nemoclaw-user-manage-policy/skill-card.md:4` and `skills/nemoclaw-user-manage-sandboxes/skill-card.md:4` say `This skill is ready for commercial/non-commercial use`; `skills/nemoclaw-user-manage-policy/BENCHMARK.md:12` and `skills/nemoclaw-user-manage-sandboxes/BENCHMARK.md:12` say `Overall verdict: FAIL`.

🌱 Nice ideas

• None.

Since last review details

Current findings:

• Source-of-truth review needed: Channel credential runtime-controls documentation: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: `runtime-controls.md:19` says tokens are baked into the image; code comments state real tokens are never visible inside the sandbox and credentials flow through OpenShell providers.
• Source-of-truth review needed: Hosted uninstall fallback documentation: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: `skills/nemoclaw-user-manage-sandboxes/SKILL.md:242` and `:248` pipe a mutable branch URL directly to `bash`.
• Channel-token docs contradict the OpenShell provider boundary (skills/nemoclaw-user-manage-sandboxes/references/runtime-controls.md:19): The runtime-controls table says Slack/Discord/Telegram channel tokens are baked into the sandbox image. Nearby source-of-truth code says only channel configuration and placeholder values enter the sandbox; real credentials stay in OpenShell provider storage and are rewritten by the L7 proxy at egress. For a security-sensitive skill, this can teach users or assistants the wrong credential exposure boundary.
  • Recommendation: Reword the row to say channel configuration and provider placeholders are baked into the sandbox image, while real tokens remain in host/OpenShell provider storage and are resolved at egress.
  • Evidence: Changed doc: `Channel tokens ... tokens are baked into the sandbox image at onboard`. Existing code: `scripts/lib/sandbox-init.sh` says `Placeholder tokens flow through to the L7 proxy... Real tokens are never visible inside the sandbox`; `src/lib/onboard.ts` says credentials flow through OpenShell providers and the L7 proxy rewrites real secrets at egress.
• Eval guardrails were removed from security-sensitive skills (.agents/skills/nemoclaw-user-manage-policy/evals/evals.json:5): The PR removes `expected_behavior` arrays from both manage-policy and manage-sandboxes eval files. Those removed assertions required loading the expected skill/reference, avoiding unsupported NemoClaw behavior, and following progressive disclosure. These skills cover network policy, approval decisions, backups, credentials, and sandbox lifecycle, so this weakens regression coverage unless the eval runner intentionally migrated away from this field.
  • Recommendation: Either keep the `expected_behavior` arrays for these evals or point to/update the eval tooling and schema that makes the field obsolete across the catalog. Apply the same decision consistently to both `.agents/skills/...` and top-level `skills/...` eval copies.
  • Evidence: Diff removes `expected_behavior` from `.agents/skills/nemoclaw-user-manage-policy/evals/evals.json` and `.agents/skills/nemoclaw-user-manage-sandboxes/evals/evals.json`; grep found many neighboring `.agents/skills/*/evals/evals.json` files still contain `expected_behavior`.
• Hosted uninstall fallback should call out current-branch trust (skills/nemoclaw-user-manage-sandboxes/SKILL.md:242): The uninstall section correctly prefers the installed, version-pinned `nemoclaw uninstall` path, but the fallback pipes the current `main` branch `uninstall.sh` directly to `bash`. Installer and uninstaller trust is a high-risk NemoClaw surface, and the trust tradeoff is not explicit at the fallback command site.
  • Recommendation: Add a short warning beside the hosted fallback that it trusts the current `main` branch over the network and should be reserved for cases where the installed CLI/version-pinned script is unavailable. If a pinned release URL or checksum flow exists, document that instead.
  • Evidence: Changed doc: `curl -fsSL https://raw.githubusercontent.com/NVIDIA/NemoClaw/refs/heads/main/uninstall.sh | bash`; preceding text says the installed CLI path uses the version-pinned `uninstall.sh` and does not fetch over the network.
• Skill-card readiness conflicts with failing benchmarks (skills/nemoclaw-user-manage-policy/skill-card.md:4): Both new skill cards say the skills are ready for commercial/non-commercial use, but both new benchmark reports say the overall verdict is FAIL and recommend review before NVSkills-Eval publication. That mismatch can give catalog consumers a false readiness signal for security-sensitive guidance about network policy and sandbox lifecycle.
  • Recommendation: Align the skill-card readiness language with the benchmark results, or update the benchmark after addressing its findings so the publication signal is consistent.
  • Evidence: `skills/nemoclaw-user-manage-policy/skill-card.md:4` and `skills/nemoclaw-user-manage-sandboxes/skill-card.md:4` say `This skill is ready for commercial/non-commercial use`; `skills/nemoclaw-user-manage-policy/BENCHMARK.md:12` and `skills/nemoclaw-user-manage-sandboxes/BENCHMARK.md:12` say `Overall verdict: FAIL`.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@skills/nemoclaw-user-manage-sandboxes/references/messaging-channels.md`:
- Line 102: Remove the emoji checkmark from the confirmation text examples:
replace occurrences of "✓ WeChat login confirmed" (and the duplicate at the
other location) with plain text "WeChat login confirmed" so the
messaging-channels.md examples comply with the "no emoji in technical prose"
guideline.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c8a94385-a2c9-4f9e-8c52-a6765581cccd

📥 Commits

Reviewing files that changed from the base of the PR and between 5e416ba and 76623d4.

📒 Files selected for processing (14)

• .agents/skills/nemoclaw-user-manage-policy/evals/evals.json
• .agents/skills/nemoclaw-user-manage-sandboxes/evals/evals.json
• skills/nemoclaw-user-manage-policy/SKILL.md
• skills/nemoclaw-user-manage-policy/evals/evals.json
• skills/nemoclaw-user-manage-policy/references/approve-network-requests.md
• skills/nemoclaw-user-manage-policy/references/customize-network-policy-details.md
• skills/nemoclaw-user-manage-policy/references/integration-policy-examples.md
• skills/nemoclaw-user-manage-sandboxes/SKILL.md
• skills/nemoclaw-user-manage-sandboxes/evals/evals.json
• skills/nemoclaw-user-manage-sandboxes/references/backup-restore.md
• skills/nemoclaw-user-manage-sandboxes/references/lifecycle-details.md
• skills/nemoclaw-user-manage-sandboxes/references/messaging-channels.md
• skills/nemoclaw-user-manage-sandboxes/references/runtime-controls.md
• skills/nemoclaw-user-manage-sandboxes/references/workspace-files.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove emoji from confirmation text examples.

The ✓ symbol violates the Markdown docs rule forbidding emoji in technical prose. Use plain text confirmation instead.

Suggested edit

-Keep the terminal in the foreground until you see `✓ WeChat login confirmed`.
+Keep the terminal in the foreground until you see `WeChat login confirmed`.
...
-Keep the terminal in the foreground until you see `✓ WeChat login confirmed`.
+Keep the terminal in the foreground until you see `WeChat login confirmed`.

As per coding guidelines, "No emoji in technical prose."

Also applies to: 190-190

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/nemoclaw-user-manage-sandboxes/references/messaging-channels.md` at
line 102, Remove the emoji checkmark from the confirmation text examples:
replace occurrences of "✓ WeChat login confirmed" (and the duplicate at the
other location) with plain text "WeChat login confirmed" so the
messaging-channels.md examples comply with the "no emoji in technical prose"
guideline.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@skills/nemoclaw-user-manage-sandboxes/BENCHMARK.md`:
- Line 1: Add the required SPDX header as an HTML comment at the top of the
BENCHMARK.md file (above the existing "# Evaluation Report" heading) — insert a
line like <!-- SPDX-License-Identifier: MIT --> (or the correct SPDX identifier
for this project) so the document contains the SPDX header in HTML comment
format.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: af3bab56-583b-4eff-bd7d-2bd9a155c7c4

📥 Commits

Reviewing files that changed from the base of the PR and between 76623d4 and 323614f.

📒 Files selected for processing (6)

• skills/nemoclaw-user-manage-policy/BENCHMARK.md
• skills/nemoclaw-user-manage-policy/skill-card.md
• skills/nemoclaw-user-manage-policy/skill.oms.sig
• skills/nemoclaw-user-manage-sandboxes/BENCHMARK.md
• skills/nemoclaw-user-manage-sandboxes/skill-card.md
• skills/nemoclaw-user-manage-sandboxes/skill.oms.sig

✅ Files skipped from review due to trivial changes (4)

• skills/nemoclaw-user-manage-sandboxes/skill-card.md
• skills/nemoclaw-user-manage-sandboxes/skill.oms.sig
• skills/nemoclaw-user-manage-policy/BENCHMARK.md
• skills/nemoclaw-user-manage-policy/skill-card.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add required SPDX header.

Markdown documentation files must include SPDX headers in HTML comment format. As per coding guidelines, Markdown documentation files must include SPDX headers in HTML comment format.

📝 Proposed fix to add SPDX header

+<!-- SPDX-License-Identifier: Apache-2.0 -->
+<!-- SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. -->
+
 # Evaluation Report

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# Evaluation Report
	<!-- SPDX-License-Identifier: Apache-2.0 -->
	<!-- SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. -->
	# Evaluation Report

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/nemoclaw-user-manage-sandboxes/BENCHMARK.md` at line 1, Add the
required SPDX header as an HTML comment at the top of the BENCHMARK.md file
(above the existing "# Evaluation Report" heading) — insert a line like <!--
SPDX-License-Identifier: MIT --> (or the correct SPDX identifier for this
project) so the document contains the SPDX header in HTML comment format.