chore: skills signing batch 2 #4463

Merged: miyoungc merged 3 commits into main from skills-sign-batch-2 on May 28, 2026

@miyoungc miyoungc commented May 28, 2026

Summary

Related Issue

Changes

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

  • npx prek run --all-files passes
  • npm test passes
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Your Name your-email@example.com

Summary by CodeRabbit

  • Documentation

    • Added comprehensive NemoClaw guides: local inference setup, switching providers at runtime, sub-agent setup, tool-calling reliability, credential storage, and security best practices.
    • Added skill cards and benchmark summaries for inference and security skills.
  • Tests

    • Added evaluation datasets for NemoClaw inference and security skills.
    • Adjusted evaluation data format across skill assessments.


coderabbitai Bot commented May 28, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 61e946b2-e16f-4bd0-b7bb-ffed9164517e

📥 Commits

Reviewing files that changed from the base of the PR and between aafdce3 and dc1bfc7.

📒 Files selected for processing (6)
  • skills/nemoclaw-user-configure-inference/BENCHMARK.md
  • skills/nemoclaw-user-configure-inference/skill-card.md
  • skills/nemoclaw-user-configure-inference/skill.oms.sig
  • skills/nemoclaw-user-configure-security/BENCHMARK.md
  • skills/nemoclaw-user-configure-security/skill-card.md
  • skills/nemoclaw-user-configure-security/skill.oms.sig
✅ Files skipped from review due to trivial changes (4)
  • skills/nemoclaw-user-configure-security/skill-card.md
  • skills/nemoclaw-user-configure-inference/skill-card.md
  • skills/nemoclaw-user-configure-security/BENCHMARK.md
  • skills/nemoclaw-user-configure-inference/skill.oms.sig

📝 Walkthrough

This PR adds comprehensive docs, evaluation datasets, and artifacts for two NemoClaw skills (inference configuration and security best practices) and removes expected_behavior arrays from agent-side eval JSON, leaving eval items with id, question, expected_skill, and ground_truth.

Changes

NemoClaw Inference Configuration Skill

| Layer | File(s) | Summary |
| --- | --- | --- |
| Inference routing model and provider overview | skills/nemoclaw-user-configure-inference/SKILL.md, skills/nemoclaw-user-configure-inference/references/inference-options.md | Introduces inference.local routing, provider status/options, and onboarding/model-router guidance. |
| Provider-specific setup: Ollama, OpenAI-compatible, vLLM, NIM | skills/nemoclaw-user-configure-inference/SKILL.md, .../use-local-inference-details.md | Setup and operational guidance for Ollama, OpenAI-compatible endpoints, Anthropic notes, experimental vLLM, and NVIDIA NIM. |
| Runtime inference operations: switching, verification, tool-calling | references/switch-inference-providers.md, references/tool-calling-reliability.md | Runtime nemoclaw inference workflows, verification, tool-calling reliability diagnosis and remediations. |
| OpenClaw sub-agent configuration in sandbox | references/set-up-sub-agent.md | Sandbox sub-agent config, credential placement, network policy updates, delegation instructions, and demo assets. |
| Inference skill evaluation cases | skills/nemoclaw-user-configure-inference/evals/evals.json | Top-level eval dataset: entries with id, question, expected_skill, and ground_truth. |
| Docs, artifacts and metadata | SKILL.md, skill-card.md, BENCHMARK.md, skill.oms.sig | Adds SKILL, skill-card, BENCHMARK, and signature artifact for the inference skill. |

NemoClaw Security Best Practices Skill

| Layer | File(s) | Summary |
| --- | --- | --- |
| Security controls architecture and posture profiles | skills/nemoclaw-user-configure-security/SKILL.md, references/best-practices.md | Introduces four-layer security model, deny-by-default controls, posture profiles, enforcement points, and limitations. |
| Credential storage and OpenClaw security boundaries | references/credential-storage.md, references/openclaw-controls.md | Documents credential handling without host-disk persistence, CLI/env precedence, rotation/migration, and OpenClaw responsibility boundaries. |
| Security skill evaluation cases | skills/nemoclaw-user-configure-security/evals/evals.json | Top-level security eval dataset: entries with id, question, expected_skill, and ground_truth. |
| Docs, artifacts and metadata | SKILL.md, skill-card.md, BENCHMARK.md, skill.oms.sig | Adds SKILL, skill-card, BENCHMARK, and signature artifact for the security skill. |

Agent-Side Evaluation Schema Simplification

| Layer | File(s) | Summary |
| --- | --- | --- |
| Removal of expected_behavior field from eval cases | .agents/skills/nemoclaw-user-configure-inference/evals/evals.json, .agents/skills/nemoclaw-user-configure-security/evals/evals.json | Deletes expected_behavior arrays from agent-side eval JSON files; eval items now contain only id, question, expected_skill, and ground_truth. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested labels

enhancement: skill

Suggested reviewers

  • jyaunches
  • cv

Poem

🐇 I hopped through docs and JSON rows,
Tidied evals where structure goes —
Guides for Ollama, NIM, and more,
Security fences round the door.
hop hop

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ❓ Inconclusive | The title 'chore: skills signing batch 2' is vague and generic, using imprecise terms like 'batch 2' without conveying the specific nature of the changes (adding NemoClaw security and inference configuration skills with documentation and signatures). | Consider a more descriptive title such as 'docs: Add NemoClaw inference and security configuration skills' or 'chore: Add skill documentation and validation signatures for NemoClaw skills' to better reflect the PR's main objectives. |
✅ Passed checks (4 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@miyoungc

/nvskills-ci


github-actions Bot commented May 28, 2026

E2E Advisor Recommendation

Required E2E: None
Optional E2E: skill-agent-e2e, docs-validation-e2e

Dispatch hint: skill-agent-e2e,docs-validation-e2e

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • None.

Optional E2E

  • skill-agent-e2e (medium): Useful adjacent confidence that OpenClaw sandboxes can receive a skill and the agent can load and use skill content. This does not directly validate the two new published skills, so it should be optional rather than merge-blocking.
  • docs-validation-e2e (low): Optional broad documentation/link sanity check for nearby user-facing Markdown workflows. Current nightly wiring primarily validates docs/ and core docs, so coverage for skills/ Markdown is incomplete.

New E2E recommendations

  • published skill content validation (high): No existing E2E appears to install the actual skills under skills/nemoclaw-user-configure-inference and skills/nemoclaw-user-configure-security into a sandbox and prompt an agent through their eval scenarios. Add coverage that verifies the expected skill is discoverable, referenced files load, responses avoid secret leakage, and security/inference boundary guidance remains accurate.
    • Suggested test: Add a changed-skill agent E2E that installs selected skills/ packages into an OpenClaw sandbox and runs representative prompts from their evals/evals.json.
  • skill package link/schema/signature checks (medium): The current docs-validation E2E only scans .agents/skills when invoked with --with-skills and does not appear to scan the new top-level skills/ publication packages. These Markdown references and skill.oms.sig artifacts need package-level validation before publication.
    • Suggested test: Extend docs-validation or add a skill-package-validation E2E/script to validate skills/**/*.md links, SKILL.md frontmatter, eval schema, and signature bundle presence for published skills.

Dispatch hint

  • Workflow: .github/workflows/nightly-e2e.yaml
  • jobs input: skill-agent-e2e,docs-validation-e2e


github-actions Bot commented May 28, 2026

E2E Scenario Advisor Recommendation

Required scenario E2E: None
Optional scenario E2E: None

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

  • None. No scenario workflow, scenario metadata, scenario runtime, or validation-suite files changed.

Optional scenario E2E

  • None.

Relevant changed files

  • None.


github-actions Bot commented May 28, 2026

PR Review Advisor

Findings: 0 needs attention, 9 worth checking, 1 nice ideas
Since last review: 0 prior items resolved, 7 still apply, 0 new items found

Review findings

🛠️ Needs attention

  • None.

🔎 Worth checking

  • Source-of-truth review needed: Eval schema for user-skill evaluation files: The advisor marked localized patch analysis as missing.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: .agents/skills/nemoclaw-user-configure-inference/evals/evals.json and .agents/skills/nemoclaw-user-configure-security/evals/evals.json lose expected_behavior, while grep still finds expected_behavior in other .agents/skills/*/evals/evals.json files.
  • Source-of-truth review needed: OpenClaw sub-agent config hash lock workflow: The advisor marked localized patch analysis as needs_followup.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: set-up-sub-agent.md says the hash becomes a trust anchor only after root-owned/read-only state, but the command block only chmods openclaw.json and .config-hash.
  • Source-of-truth review needed: Direct sub-agent provider credentials: The advisor marked localized patch analysis as needs_followup.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: set-up-sub-agent.md instructs users to write /sandbox/.openclaw/agents/vision-operator/agent/auth-profiles.json, chown it to sandbox:sandbox, and allow /usr/local/bin/node egress.
  • Restore or consistently migrate the removed eval expected_behavior checks (.agents/skills/nemoclaw-user-configure-inference/evals/evals.json:6): The two changed source eval files remove every expected_behavior array while other user-skill eval files in .agents/skills still use that field. Those arrays encoded behavior such as loading the expected skill/reference, avoiding unsupported NemoClaw behavior, and using progressive disclosure. If the evaluator still consumes this field, the inference and security skills now have weaker coverage; if the schema intentionally changed, the migration is incomplete in this PR.
    • Recommendation: Restore expected_behavior for these evals, or include the evaluator/schema migration and a validation check proving the new format is accepted consistently across all user-skill evals.
    • Evidence: The diff deletes expected_behavior blocks from .agents/skills/nemoclaw-user-configure-inference/evals/evals.json and .agents/skills/nemoclaw-user-configure-security/evals/evals.json. A repository grep still finds expected_behavior in other .agents/skills/*/evals/evals.json files such as nemoclaw-user-overview and nemoclaw-user-get-started, and no evaluator/schema file was changed.
  • Clarify that direct sub-agent auth profiles bypass NemoClaw credential isolation (skills/nemoclaw-user-configure-inference/references/set-up-sub-agent.md:73): The sub-agent setup guide tells users to put auxiliary provider credentials under /sandbox/.openclaw/agents/<agent-id>/agent/auth-profiles.json, chown that tree to the sandbox user, and allow /usr/local/bin/node provider egress. That can be a deliberate direct-provider setup, but it is a different threat model from the normal inference.local path where credentials stay in the OpenShell gateway and are injected at egress.
    • Recommendation: Add a prominent warning that this bypasses host-side credential isolation and should be used only when host-managed inference routing is not suitable. Recommend least-privilege credentials, tight endpoint/path/method policy, and host-managed providers or nemoclaw inference set where possible.
    • Evidence: set-up-sub-agent.md says, "If the auxiliary model uses a provider key outside the normal NemoClaw inference route, put that key in the sub-agent auth profile," shows /sandbox/.openclaw/agents/vision-operator/agent/auth-profiles.json, then chown -R sandbox:sandbox, and later says the NVIDIA endpoint policy must allow /usr/local/bin/node. credential-storage.md says normal provider credentials live in the OpenShell gateway and sandboxed agents see placeholders instead of raw secrets.
  • Do not leave the config-hash lock workflow at chmod-only integrity (skills/nemoclaw-user-configure-inference/references/set-up-sub-agent.md:57): The guide now says the default mutable hash is not tamper-proof, but the sample workflow still only chmods openclaw.json and .config-hash after writing them from the agent container context. Without root ownership and verification from a trusted host-side workflow, readers may overestimate the integrity of the sandbox-owned config tree.
    • Recommendation: Either show the complete trusted lockdown flow, including root ownership and a host-side verification step, or state that the sample only keeps the hash consistent for mutable config and does not establish the startup-enforced immutable posture.
    • Evidence: set-up-sub-agent.md says .config-hash becomes a startup-enforced trust anchor only after the file is root-owned and read-only, then the command block uses chmod 644/444 but does not show chown root:root or trusted ownership verification.
  • Avoid mutable image tags and all-interface binding in the vLLM example (skills/nemoclaw-user-configure-inference/references/tool-calling-reliability.md:69): The Docker Compose example uses a mutable vLLM image tag and publishes the endpoint on all host interfaces by default. For a security-sensitive local inference path that uses an API key and may be copied into production-like environments, this creates supply-chain drift and can expose the model endpoint to the LAN unless external firewall controls are correct.
    • Recommendation: Use a pinned vLLM tag or digest and bind the example to loopback, for example 127.0.0.1:8002:8000, or add an explicit warning explaining when broader binding is intentional and what firewall/auth controls are required.
    • Evidence: tool-calling-reliability.md contains image: vllm/vllm-openai:latest and ports: - "8002:8000". The security best-practices docs in the same PR emphasize image digest pinning and credential boundaries.
  • Add automated validation for the published skills directory (skills/nemoclaw-user-configure-inference/SKILL.md:1): This PR copies generated user skills into the root skills/ catalog location and adds signed artifacts, but the nearby repository validation still targets .agents/skills only. That leaves the published payload vulnerable to source-vs-catalog drift or malformed eval/frontmatter content during signing-focused PRs.
    • Recommendation: Add or identify a validation step that compares each root skills/nemoclaw-user-* directory to its .agents/skills counterpart, validates root skills frontmatter/SPDX/evals, and fails on drift except for generated signature/card files.
    • Evidence: .github/catalog-skills-signing-flow.md says the root skills/ directory is what NVSkills CI watches and publishes. test/skills-frontmatter.test.ts sets skillsRoot = path.join(repoRoot, ".agents", "skills") and does not validate root skills/.
  • Resolve the benchmark FAIL versus skill-card ready-to-use contradiction (skills/nemoclaw-user-configure-inference/BENCHMARK.md:10): Both new benchmark reports say the skills failed NVSkills-Eval and should be reviewed before publication, while both generated skill cards say the skills are ready for commercial/non-commercial use. That contradiction makes the signed catalog artifact's readiness unclear.
    • Recommendation: Either address the benchmark findings and refresh the benchmark before signing/publication, or adjust the skill-card/readiness language so it accurately reflects that the skills require review before use.
    • Evidence: skills/nemoclaw-user-configure-inference/BENCHMARK.md and skills/nemoclaw-user-configure-security/BENCHMARK.md state Overall verdict: FAIL and recommend review before publication. The corresponding skill-card.md files state, "This skill is ready for commercial/non-commercial use."

🌱 Nice ideas

  • Coordinate with the overlapping skills catalog refresh (skills/nemoclaw-user-configure-inference/SKILL.md:1): Another open skills catalog refresh overlaps many of the same generated/published skill files. Because this PR signs and publishes copied catalog content, overlapping refreshes can easily leave this branch stale or reintroduce source/published drift.
    • Recommendation: Before signing or merging, compare against the overlapping skills refresh and regenerate/copy from the current .agents/skills source if necessary.
    • Evidence: Trusted drift context reports open PR chore(skills): refresh catalog export #4344 touching the same skills/nemoclaw-user-configure-inference/** and skills/nemoclaw-user-configure-security/** catalog files.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

@miyoungc changed the title from "chore: 2nd skills signing batch" to "chore: skills signing batch 2" on May 28, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
skills/nemoclaw-user-configure-inference/evals/evals.json (1)

1-92: ⚡ Quick win

Avoid maintaining a second handwritten copy of this eval dataset.

This file matches .agents/skills/nemoclaw-user-configure-inference/evals/evals.json entry-for-entry. Keeping both copies editable will drift sooner or later; please generate one from the other or add a sync check in CI.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/nemoclaw-user-configure-inference/evals/evals.json` around lines 1 -
92, This eval dataset is duplicated elsewhere in the repo; remove manual
duplication by making this evals.json the single source of truth and either (a)
regenerate the other copy from this file during the build or (b) add a CI sync
check that diffs this evals.json against the duplicate and fails if they
diverge; implement the generator or CI check as a script (e.g., sync-evals.sh or
a Node/Python script invoked by CI) and update the PR to remove the redundant
handwritten copy so only one evals.json is edited going forward.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: de9f5829-9997-4b7a-bced-97dd7fd927c2

📥 Commits

Reviewing files that changed from the base of the PR and between 5e416ba and aafdce3.

📒 Files selected for processing (14)
  • .agents/skills/nemoclaw-user-configure-inference/evals/evals.json
  • .agents/skills/nemoclaw-user-configure-security/evals/evals.json
  • skills/nemoclaw-user-configure-inference/SKILL.md
  • skills/nemoclaw-user-configure-inference/evals/evals.json
  • skills/nemoclaw-user-configure-inference/references/inference-options.md
  • skills/nemoclaw-user-configure-inference/references/set-up-sub-agent.md
  • skills/nemoclaw-user-configure-inference/references/switch-inference-providers.md
  • skills/nemoclaw-user-configure-inference/references/tool-calling-reliability.md
  • skills/nemoclaw-user-configure-inference/references/use-local-inference-details.md
  • skills/nemoclaw-user-configure-security/SKILL.md
  • skills/nemoclaw-user-configure-security/evals/evals.json
  • skills/nemoclaw-user-configure-security/references/best-practices.md
  • skills/nemoclaw-user-configure-security/references/credential-storage.md
  • skills/nemoclaw-user-configure-security/references/openclaw-controls.md

Signed-off-by: nvskills-svc-account <svc-nvskills-signing@nvidia.com>

copy-pr-bot Bot commented May 28, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.


coderabbitai Bot commented May 28, 2026

Actionable comments posted: 0

@miyoungc miyoungc merged commit 442f64b into main May 28, 2026
19 of 20 checks passed
@miyoungc miyoungc deleted the skills-sign-batch-2 branch May 28, 2026 21:37