polish-claw-project
Contribute to OpenClaw ecosystem projects (OpenClaw, NemoClaw, NanoClaw) through a structured 9-step workflow: target verification, codebase exploration, parallel audit, finding cross-reference, and pull request creation. Emphasizes false positive prevention and project convention adherence.
Best use case
polish-claw-project is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Contribute to OpenClaw ecosystem projects (OpenClaw, NemoClaw, NanoClaw) through a structured 9-step workflow: target verification, codebase exploration, parallel audit, finding cross-reference, and pull request creation. Emphasizes false positive prevention and project convention adherence.
Teams using polish-claw-project should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/polish-claw-project/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How polish-claw-project Compares
| Feature / Agent | polish-claw-project | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Contribute to OpenClaw ecosystem projects (OpenClaw, NemoClaw, NanoClaw) through a structured 9-step workflow: target verification, codebase exploration, parallel audit, finding cross-reference, and pull request creation. Emphasizes false positive prevention and project convention adherence.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Polish Claw Project Structured workflow for contributing to OpenClaw ecosystem projects. The novel value is in Steps 5-7: parallel audit, false positive prevention, and cross-referencing findings against open issues to select high-impact contributions. Mechanical steps (fork, PR creation) delegate to existing skills. ## When to Use - Contributing to NVIDIA/OpenClaw, NVIDIA/NemoClaw, NVIDIA/NanoClaw, or similar Claw ecosystem repos - First-time contributions to an unfamiliar open-source project with security-sensitive architecture - When you want a repeatable, auditable contribution workflow rather than ad-hoc fixes - After identifying a Claw project that accepts external contributions (check CONTRIBUTING.md) ## Inputs - **Required**: `repo_url` — GitHub URL of the target Claw project (e.g., `https://github.com/NVIDIA/NemoClaw`) - **Optional**: - `contribution_count` — Number of contributions to aim for (default: 1-3) - `focus` — Preferred contribution type: `security`, `tests`, `docs`, `bugs`, `any` (default: `any`) - `fork_org` — GitHub org/user to fork into (default: authenticated user) ## Procedure ### Step 1: Identify and Verify Target Confirm the project accepts external contributions and is actively maintained. 1. Open the repository URL and read `CONTRIBUTING.md`, `CODE_OF_CONDUCT.md`, and `LICENSE` 2. Check recent commit activity (last 30 days) and open PR merge rate 3. Verify the project uses a permissive or contribution-friendly license 4. Read `SECURITY.md` or security policy if present — note responsible disclosure rules 5. Identify the primary language, test framework, and CI system **Got:** CONTRIBUTING.md exists, commits within last 30 days, clear contribution guidelines. **If fail:** If no CONTRIBUTING.md or no recent activity, document why and stop — stale projects rarely merge external PRs. ### Step 2: Fork and Clone Create a working copy of the repository. 1. Fork: `gh repo fork <repo_url> --clone` 2. Set upstream remote: `git remote add upstream <repo_url>` 3. Verify: `git remote -v` shows both `origin` (fork) and `upstream` 4. Sync: `git fetch upstream && git checkout main && git merge upstream/main` **Got:** Local clone with both remotes configured and up to date. **If fail:** If fork fails, check GitHub authentication (`gh auth status`). If clone is slow, try `--depth=1` for initial exploration. ### Step 3: Explore Codebase Build a mental model of the project architecture. 1. Read `README.md` for architecture overview and project goals 2. Identify entry points, core modules, and public API surface 3. Map the test structure: where tests live, what framework, coverage level 4. Note code style conventions: linter config, naming patterns, import style 5. Check for Docker/container setup, CI configuration, and deployment patterns **Got:** Clear understanding of project structure, conventions, and where contributions would fit. **If fail:** If architecture is unclear, focus on a specific subsystem rather than the whole project. ### Step 4: Read Open Issues Survey existing issues to understand project needs and avoid duplicate work. 1. List open issues: `gh issue list --state open --limit 50` 2. Categorize by type: bugs, features, docs, security, good-first-issue 3. Note issues labeled `help wanted`, `good first issue`, or `hacktoberfest` 4. Check for stale issues (>90 days open, no recent comments) — these may be abandoned 5. Read any linked PRs to understand attempted solutions **Got:** Categorized list of unclaimed issues with type labels. **If fail:** If no open issues exist, proceed to Step 5 — audit may uncover unlisted improvements. ### Step 5: Parallel Audit Run security and code quality audits in parallel. This is where novel findings emerge. 1. Run `security-audit-codebase` skill against the project root 2. Simultaneously run `review-codebase` skill with scope `quality` 3. **Critical: verify each finding against the project's threat model and architecture** - A "hardcoded secret" in a sandbox bootstrap script is not a vulnerability - A missing input validation on an internal-only function is low severity - A dependency flagged as vulnerable may already be mitigated by the project's architecture 4. Rate verified findings: CRITICAL, HIGH, MEDIUM, LOW 5. Document false positives with reasoning — they inform Common Pitfalls for future runs **Got:** List of verified findings with severity ratings and false positive annotations. **If fail:** If no findings emerge, shift focus to test coverage gaps, documentation improvements, or developer experience enhancements. ### Step 6: Cross-Reference Findings Map verified audit findings to open issues — the core judgment step. 1. For each verified finding, search open issues for related discussions 2. Categorize each finding as: - **Matches open issue** — link the finding to the issue - **New finding** — no existing issue covers this - **Already fixed in PR** — check open PRs for in-progress fixes 3. Prioritize findings that match existing issues (highest merge probability) 4. For new findings, assess whether the maintainers would welcome the fix based on project priorities **Got:** Prioritized list with finding-to-issue mapping and merge probability assessment. **If fail:** If all findings are already addressed, return to Step 4 and look for documentation, test, or developer experience contributions. ### Step 7: Select Contributions Pick 1-3 contributions based on impact, effort, and expertise. 1. Score each candidate on: - **Impact**: How much does this improve the project? (security > bugs > tests > docs) - **Effort**: Can this be done well in a focused session? (prefer small, complete PRs) - **Expertise**: Does the contributor have domain knowledge for this fix? - **Merge probability**: Does this match stated project priorities? 2. Select the top candidates (default: 1-3) 3. For each, define: branch name, scope boundary, acceptance criteria, test plan **Got:** 1-3 selected contributions with clear scope and acceptance criteria. **If fail:** If no contributions score well, consider filing well-written issues instead of PRs. ### Step 8: Implement Create a branch per contribution and implement the fix. 1. For each contribution: `git checkout -b fix/<description>` 2. Follow project conventions exactly (linter, naming, import style) 3. Add or update tests covering the change 4. Run the project's test suite: verify all tests pass 5. Run the project's linter: verify no new warnings 6. Keep each PR focused — one logical change per branch **Got:** Clean implementation with passing tests and no linter warnings. **If fail:** If tests fail on pre-existing issues, document them and ensure the PR doesn't introduce new failures. ### Step 9: Create Pull Requests Submit contributions following the project's CONTRIBUTING.md. 1. Push branch: `git push origin fix/<description>` 2. Create PR using the `create-pull-request` skill 3. Reference the related issue in the PR body (e.g., "Fixes #123") 4. Follow the project's PR template if one exists 5. Be responsive to reviewer feedback — iterate quickly **Got:** PRs created, linked to issues, following project conventions. **If fail:** If PR creation fails, check branch protection rules and contributor license agreements. ## Validation 1. All selected contributions have been implemented and submitted as PRs 2. Each PR references the related issue (if one exists) 3. All project tests pass on each PR branch 4. No false positive findings were submitted as real issues 5. PR descriptions follow the project's CONTRIBUTING.md template ## Pitfalls - **False positive overclaim**: Claw projects use sandbox architectures — a "vulnerability" inside a sandboxed environment may be by design. Always verify against the project's threat model before reporting. - **Digest/signature chain disruption**: Claw projects often use verification chains for model integrity. Changes must preserve these chains or the PR will be rejected. - **Convention mismatch**: Claw projects enforce strict style. Run the project's own linter, not a generic one. Match import ordering, docstring format, and test patterns exactly. - **Scope creep**: 3 focused PRs merge faster than 1 sprawling PR. Keep each contribution atomic. - **Stale fork**: Always sync with upstream before starting work (`git fetch upstream && git merge upstream/main`). ## Related Skills - [security-audit-codebase](../security-audit-codebase/SKILL.md) — used in Step 5 for security findings - [review-codebase](../review-codebase/SKILL.md) — used in Step 5 for code quality review - [create-pull-request](../create-pull-request/SKILL.md) — used in Step 9 for PR creation - [create-github-issues](../create-github-issues/SKILL.md) — for filing issues from findings not addressed as PRs - [manage-git-branches](../manage-git-branches/SKILL.md) — branch management during implementation - [commit-changes](../commit-changes/SKILL.md) — commit workflow
Related Skills
tidy-project-structure
Organize project files into conventional directories, update stale READMEs, clean configuration drift, and archive deprecated items without changing code logic. Use when files are scattered without clear organization, READMEs are outdated or contain broken examples, configuration files have multiplied across dev/staging/prod, deprecated files remain in the project root, or naming conventions are inconsistent across directories.
setup-gxp-r-project
Set up an R project structure compliant with GxP regulations (21 CFR Part 11, EU Annex 11). Covers validated environments, qualification documentation, change control, and electronic records requirements. Use when starting an R analysis project in a regulated environment (pharma, biotech, medical devices), setting up R for clinical trial analysis, creating a validated computing environment for regulatory submissions, or implementing 21 CFR Part 11 or EU Annex 11 requirements.
polish-gemstone
Polish cut gemstones to final finish using progressive abrasive sequences. Covers pre-polish sanding, polishing compounds, lap selection, and quality assessment for both cabochons and faceted stones. Use when a cabochon or faceted stone has completed cutting and is ready for polishing, selecting the correct compound and lap for a specific species, troubleshooting a polish that will not reach full lustre (orange peel, haze, scratches), or re-polishing a stone with surface wear.
draft-project-charter
Draft a project charter that defines scope, stakeholders, success criteria, and initial risk register. Covers problem statement, RACI matrix, milestone planning, and scope boundaries for both agile and classic methodologies. Use when kicking off a new project or initiative, formalizing scope after an informal start, aligning stakeholders before detailed planning begins, or transitioning from discovery to active project work.
cross-review-project
Conduct a structured cross-project code review between two Claude Code instances via the cross-review-mcp broker. Each agent reads its own codebase, reviews the peer's code, and engages in evidence-backed dialogue — with QSG scaling laws enforcing review quality through minimum bandwidth constraints and phase-gated progression.
skill-name-here
One to three sentences describing what this skill accomplishes, followed by key activation triggers. This field is the primary mechanism agents use to decide whether to activate the skill — it is read during discovery before the full body is loaded. Start with a verb. Include the most important "when to use" conditions inline. Max 1024 characters.
write-vignette
Create R package vignettes using R Markdown or Quarto. Covers vignette setup, YAML configuration, code chunk options, building and testing, and CRAN requirements for vignettes. Use when adding a Getting Started tutorial, documenting complex workflows spanning multiple functions, creating domain-specific guides, or when CRAN submission requires user-facing documentation beyond function help pages.
write-validation-documentation
Write IQ/OQ/PQ validation documentation for computerized systems in regulated environments. Covers protocols, reports, test scripts, deviation handling, and approval workflows. Use when validating R or other software for regulated use, preparing for a regulatory audit, documenting qualification of computing environments, or creating and updating validation protocols and reports for new or re-qualified systems.
write-testthat-tests
Write comprehensive testthat (edition 3) tests for R package functions. Covers test organization, expectations, fixtures, mocking, snapshot tests, parameterized tests, and achieving high coverage. Use when adding tests for new package functions, increasing test coverage for existing code, writing regression tests for bug fixes, or setting up test infrastructure for a package that lacks it.
write-standard-operating-procedure
Write a GxP-compliant Standard Operating Procedure (SOP). Covers regulatory SOP template structure (purpose, scope, definitions, responsibilities, procedure, references, revision history), approval workflow design, periodic review scheduling, and operational procedures for system use. Use when a new validated system requires operational procedures, when existing informal procedures need formalisation, when an audit finding cites missing procedures, when a change control triggers SOP updates, or when periodic review identifies outdated procedural content.
write-roxygen-docs
Write roxygen2 documentation for R package functions, datasets, and classes. Covers all standard tags, cross-references, examples, and generating NAMESPACE entries. Follows tidyverse documentation style. Use when adding documentation to new exported functions, documenting internal helpers or datasets, documenting S3/S4/R6 classes and methods, or fixing documentation-related R CMD check notes.
write-incident-runbook
Create structured incident runbooks with diagnostic steps, resolution procedures, escalation paths, and communication templates for effective incident response. Use when documenting response procedures for recurring alerts, standardizing incident response across an on-call rotation, reducing MTTR with clear diagnostic steps, creating training materials for new team members, or linking alert annotations directly to resolution procedures.