diff --git a/.agents/catalog-skills.yaml b/.agents/catalog-skills.yaml
deleted file mode 100644
index 94616a5f33..0000000000
--- a/.agents/catalog-skills.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-
-# Explicit allowlist for NemoClaw skills exported to the NVIDIA Verified Skills catalog.
-# Keep this file deterministic: no timestamps, no generated comments, and no implicit globs.
-# The export is regenerated with: python3 scripts/export-catalog-skills.py
-version: 1
-source: .agents/skills
-export: skills
-include:
-  - skill: nemoclaw-skills-guide
-    rationale: Public index for user-facing NemoClaw skills.
-  - skill: nemoclaw-user-agent-skills
-    rationale: Public user documentation skill.
-  - skill: nemoclaw-user-configure-inference
-    rationale: Public user documentation skill.
-  - skill: nemoclaw-user-configure-security
-    rationale: Public user documentation skill.
-  - skill: nemoclaw-user-deploy-remote
-    rationale: Public user documentation skill.
-  - skill: nemoclaw-user-get-started
-    rationale: Public user documentation skill.
-  - skill: nemoclaw-user-manage-policy
-    rationale: Public user documentation skill.
-  - skill: nemoclaw-user-manage-sandboxes
-    rationale: Public user documentation skill.
-  - skill: nemoclaw-user-monitor-sandbox
-    rationale: Public user documentation skill.
-  - skill: nemoclaw-user-overview
-    rationale: Public user documentation skill.
-  - skill: nemoclaw-user-reference
-    rationale: Public user documentation skill.
-exclude:
-  - pattern: nemoclaw-maintainer-*
-    rationale: Internal maintainer workflows are not catalog/customer-facing.
-  - pattern: nemoclaw-contributor-*
-    rationale: Contributor workflows are repo-local until explicitly approved for catalog publication.
-metadata:
-  minNemoClawVersion: "0.1.0"
-  testedNemoClawVersion: "0.1.0"
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index f826c36a7c..36d30b0982 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -31,7 +31,6 @@
 /spark-install.md                   @NVIDIA/nemoclaw-engineer
 
 # ── Agent skills catalog ──
-/.agents/catalog-skills.yaml        @NVIDIA/nemoclaw-maintainer @NVIDIA/nemoclaw-engineer
 /.agents/skills/                    @NVIDIA/nemoclaw-maintainer @NVIDIA/nemoclaw-engineer
 /skills/                            @NVIDIA/nemoclaw-maintainer @NVIDIA/nemoclaw-engineer
 
diff --git a/.github/catalog-skills-signing-flow.md b/.github/catalog-skills-signing-flow.md
index ba560b0926..773dc99808 100644
--- a/.github/catalog-skills-signing-flow.md
+++ b/.github/catalog-skills-signing-flow.md
@@ -1,79 +1,51 @@
 <!-- SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. -->
 <!-- SPDX-License-Identifier: Apache-2.0 -->
 
-# NemoClaw catalog skills signing flow
+# Publishing a NemoClaw skill to the NVIDIA Verified Skills catalog
 
-This diagram shows the required sequence for publishing NemoClaw user-facing skills into the NVIDIA Verified Skills catalog through the generated `skills/` export.
+The `skills/` directory at the repo root is the NVSkills CI watched location.
+Whatever lives there is what gets signed and published. There is no
+allowlist, manifest, or generator script — adding a skill to the catalog
+means copying the source skill into `skills/` and pushing it through
+NVSkills CI signing.
 
-```mermaid
-sequenceDiagram
-    autonumber
-    actor Maintainer as Human maintainer
-    participant Source as NemoClaw source<br/>.agents/skills + .agents/catalog-skills.yaml
-    participant Exporter as scripts/export-catalog-skills.py
-    participant Export as Generated export<br/>skills
-    participant PRCI as PR workflow<br/>CI / Pull Request
-    participant Refresh as Skills / Catalog Refresh workflow
-    participant PR as Same-repo refresh PR
-    participant NVSkills as NVSkills CI signer
-    participant Main as NVIDIA/NemoClaw main
-    participant Target as NVIDIA/skills sync
+## Add a skill to the catalog
 
-    Note over Source,Export: Implementation PR path added by issue #4282
-    Maintainer->>Source: Curate catalog-safe skills in .agents/catalog-skills.yaml
-    Maintainer->>Exporter: Run python3 scripts/export-catalog-skills.py
-    Exporter->>Export: Copy allowlisted skills as real files<br/>write catalog-metadata.json<br/>preserve skill.oms.sig + skill-card.md if present
-    Maintainer->>PRCI: Open implementation or content PR
-    PRCI->>Exporter: python3 scripts/export-catalog-skills.py --check --allow-missing
-    Exporter-->>PRCI: Pass before first export exists;<br/>after refresh PR, fail if skills is stale or hand-edited
-    Maintainer->>Main: Merge reviewed PR after checks pass
-
-    Note over Refresh,PR: Post-merge refresh automation added by this PR
-    Maintainer->>Refresh: Optional manual workflow_dispatch<br/>dry_run=true first
-    Refresh->>Exporter: Regenerate export and show diff only
-    Refresh-->>Maintainer: No branch or PR created in dry run
-    Maintainer->>Refresh: Run dry_run=false when ready<br/>optionally request_nvskills_ci=true
-    Refresh->>Exporter: Regenerate export
-    Exporter->>Export: Update generated files if source changed
-    Refresh->>PR: Create/update automation/catalog-skills-refresh PR<br/>with export diff
-
-    alt request_nvskills_ci=true and bot is accepted
-        Refresh->>PR: Comment /nvskills-ci
-    else bot rejected or manual process preferred
-        Maintainer->>PR: Comment /nvskills-ci manually
-    end
-
-    NVSkills->>PR: Push signing artifacts<br/>skill.oms.sig + skill-card.md
-    PRCI->>Exporter: Re-run --check; signer artifacts are preserved
-    Maintainer->>PR: Review generated export and signing artifacts
-    Maintainer->>Main: Merge signed refresh PR
-    Target->>Main: Sync configured NemoClaw catalog path
-    Target->>Target: Keep only skills with skill.oms.sig and skill-card.md
+```bash
+mkdir -p skills
+cp -R .agents/skills/nemoclaw-user-<name> skills/
+git add skills/nemoclaw-user-<name>
+git commit -m "chore(skills): publish nemoclaw-user-<name>"
 ```
 
-## Human handoff points
+Open the PR, comment `/nvskills-ci`, wait for the signing job to push back
+`skill.oms.sig` and `skill-card.md`, then merge. Repeat per skill — NVSkills
+CI signs one at a time.
 
-These are the manual review and approval points in the catalog signing flow.
+## Update an already-published skill
 
-- Curate `.agents/catalog-skills.yaml` when public skill scope changes.
-- Review the generated `skills/` diff in the same PR as the allowlist/source update.
-- Manually comment `/nvskills-ci` if the workflow bot cannot request signing.
-- Review and merge the signer-updated PR before expecting `NVIDIA/skills` to sync the signed skills.
+```bash
+rm -rf skills/nemoclaw-user-<name>
+cp -R .agents/skills/nemoclaw-user-<name> skills/
+git add -A skills/nemoclaw-user-<name>
+git commit -m "chore(skills): refresh nemoclaw-user-<name>"
+```
 
-## Workflow steps added in this PR
+The `skill.oms.sig` from the previous signing is removed by the `rm -rf`,
+so NVSkills CI will re-sign on the next `/nvskills-ci` comment. Use
+`git add -A` so newly added files in the refreshed skill are staged
+alongside removals tracked by `git commit -a`.
 
-These checks and workflow steps automate export freshness while keeping signing under maintainer control.
+## Spot-checking for drift
 
-- `CI / Pull Request` runs `python3 scripts/export-catalog-skills.py --check --allow-missing` so this infrastructure PR can merge before the first generated export, while later export PRs still reject stale or hand-edited files.
-- `Skills / Catalog Refresh` supports:
-  - `dry_run=true` to regenerate and report changes without pushing.
-  - `dry_run=false` to create or update `automation/catalog-skills-refresh`.
-  - `request_nvskills_ci=true` to attempt the `/nvskills-ci` comment after opening/updating the PR.
-  - scheduled no-op/refresh behavior using the same exporter.
+Source (`/.agents/skills/`) and published (`/skills/`) can drift if a
+source-side edit lands without a corresponding refresh PR. To check, ask
+an agent to compare every subdirectory of `skills/` against its counterpart
+under `.agents/skills/` and report any file content differences (ignoring
+`skill.oms.sig` and `skill-card.md`).
 
-## Next Steps
+## What goes in the catalog
 
-- Review the exporter implementation in [`scripts/export-catalog-skills.py`](../scripts/export-catalog-skills.py).
-- Update the catalog allowlist in [`.agents/catalog-skills.yaml`](../.agents/catalog-skills.yaml) when public skill scope changes.
-- Review generated export diffs under `skills/` in the refresh PR before requesting or accepting signing artifacts.
-- Check the workflow definitions in [`.github/workflows/pr.yaml`](workflows/pr.yaml) and [`.github/workflows/catalog-skills-refresh.yaml`](workflows/catalog-skills-refresh.yaml).
+Only customer-facing skills, identified by the `nemoclaw-user-*` naming
+convention. Internal skills (`nemoclaw-maintainer-*`, `nemoclaw-contributor-*`)
+must not be copied into `skills/`.
diff --git a/.github/pr-bodies/catalog-skills-refresh.md b/.github/pr-bodies/catalog-skills-refresh.md
deleted file mode 100644
index c7bdef9185..0000000000
--- a/.github/pr-bodies/catalog-skills-refresh.md
+++ /dev/null
@@ -1,15 +0,0 @@
-<!-- SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. -->
-<!-- SPDX-License-Identifier: Apache-2.0 -->
-
-# Catalog Skills Refresh
-
-## Summary
-
-- Regenerates `skills/` from `.agents/catalog-skills.yaml` and `.agents/skills/`.
-- Keeps the NVIDIA Verified Skills catalog export deterministic and reviewable.
-
-## Validation
-
-- `python3 scripts/export-catalog-skills.py --check`
-
-After maintainer review, request signing by commenting `/nvskills-ci` on this PR if the workflow did not do so automatically.
diff --git a/.github/workflows/catalog-skills-refresh.yaml b/.github/workflows/catalog-skills-refresh.yaml
deleted file mode 100644
index 57bd6d2634..0000000000
--- a/.github/workflows/catalog-skills-refresh.yaml
+++ /dev/null
@@ -1,142 +0,0 @@
-# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-
-name: Skills / Catalog Refresh
-
-on:
-  workflow_dispatch:
-    inputs:
-      dry_run:
-        description: "Regenerate and report changes without pushing or opening a PR"
-        type: boolean
-        required: true
-        default: true
-      request_nvskills_ci:
-        description: "Comment /nvskills-ci on the refresh PR after opening/updating it"
-        type: boolean
-        required: true
-        default: false
-  schedule:
-    - cron: "17 10 * * *"
-
-permissions:
-  contents: write
-  pull-requests: write
-  issues: write
-
-concurrency:
-  group: catalog-skills-refresh
-  cancel-in-progress: false
-
-jobs:
-  refresh:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-          # Keep the write-capable token out of git config while repository
-          # code (exporter, etc.) runs. Push credentials are configured
-          # narrowly inside the create/update step via `gh auth setup-git`.
-          persist-credentials: false
-
-      - name: Configure git author
-        run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-
-      - name: Preserve signer artifacts from existing refresh branch
-        env:
-          BRANCH: automation/catalog-skills-refresh
-        run: |
-          set -euo pipefail
-          # If NVSkills CI has already pushed signing artifacts (skill.oms.sig,
-          # skill-card.md) to the refresh branch, overlay that branch's
-          # skills/ into the working tree before regenerating. The
-          # exporter (scripts/export-catalog-skills.py) auto-preserves those
-          # files when an existing export tree is present, so this overlay is
-          # what keeps signer artifacts from being dropped on force-push.
-          if git ls-remote --exit-code --heads origin "$BRANCH" >/dev/null 2>&1; then
-            echo "Existing $BRANCH found; overlaying skills/ to preserve NVSkills artifacts"
-            git fetch --depth 1 origin "$BRANCH":"refs/remotes/origin/$BRANCH"
-            # Use `git cat-file -e` instead of `git ls-tree -d`: the latter can
-            # exit 0 with empty output when the tree exists but the path does
-            # not, which would otherwise wipe skills/ and then fail at
-            # checkout. cat-file -e fails when the object is absent.
-            if git cat-file -e "origin/$BRANCH:skills" 2>/dev/null; then
-              rm -rf skills
-              git checkout "origin/$BRANCH" -- skills
-            fi
-          else
-            echo "No existing $BRANCH; running fresh export from main"
-          fi
-
-      - name: Regenerate catalog skills export
-        run: python3 scripts/export-catalog-skills.py
-
-      - name: Check for changes
-        id: diff
-        run: |
-          # Mark any new files under the export paths as intent-to-add so
-          # `git diff` reports them. Without this, an empty `skills/`
-          # tree on main causes a freshly-exported catalog to look unchanged
-          # and the workflow short-circuits without opening a PR.
-          git add --intent-to-add -- .agents/catalog-skills.yaml skills
-          if git diff --quiet -- .agents/catalog-skills.yaml skills; then
-            echo "changed=false" >> "$GITHUB_OUTPUT"
-            echo "No catalog skill export changes detected."
-          else
-            echo "changed=true" >> "$GITHUB_OUTPUT"
-            git diff --stat -- .agents/catalog-skills.yaml skills
-          fi
-
-      - name: Stop after dry run
-        if: ${{ (github.event_name == 'workflow_dispatch' && inputs.dry_run) || (github.event_name == 'schedule' && steps.diff.outputs.changed != 'true') }}
-        run: |
-          if [[ "${{ steps.diff.outputs.changed }}" == "true" ]]; then
-            echo "Dry run detected catalog skill export changes; no branch or PR was created."
-          else
-            echo "Catalog skill export is already current."
-          fi
-
-      - name: Create or update refresh pull request
-        id: cpr
-        if: ${{ steps.diff.outputs.changed == 'true' && (github.event_name == 'schedule' || !inputs.dry_run) }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-          BRANCH: automation/catalog-skills-refresh
-        run: |
-          set -euo pipefail
-          # Install the GITHUB_TOKEN as a git credential helper at push time
-          # only. Combined with persist-credentials: false on checkout, this
-          # keeps the write-capable token out of git config while exporter
-          # code runs.
-          gh auth setup-git
-
-          git checkout -B "$BRANCH"
-          git add .agents/catalog-skills.yaml skills
-          git commit -m "chore(skills): refresh catalog export"
-          git push --force-with-lease origin "$BRANCH"
-
-          PR_NUMBER="$(gh pr list --head "$BRANCH" --state open --json number --jq '.[0].number // empty')"
-          if [[ -z "$PR_NUMBER" ]]; then
-            PR_URL="$(gh pr create \
-              --head "$BRANCH" \
-              --base main \
-              --title "chore(skills): refresh catalog export" \
-              --body-file .github/pr-bodies/catalog-skills-refresh.md \
-              --label documentation \
-              --label CI/CD)"
-            PR_NUMBER="${PR_URL##*/}"
-          fi
-          echo "pull-request-number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
-
-      - name: Request NVSkills signing
-        if: ${{ steps.cpr.outputs.pull-request-number != '' && github.event_name == 'workflow_dispatch' && inputs.request_nvskills_ci && !inputs.dry_run }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-          PR_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
-        run: |
-          gh pr comment "$PR_NUMBER" --body "/nvskills-ci"
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 9f169813a3..5b8c8e9184 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -51,9 +51,6 @@ jobs:
       - name: Verify platform matrix is in sync
         run: python3 scripts/generate-platform-docs.py --check
 
-      - name: Verify catalog skills export is in sync
-        run: python3 scripts/export-catalog-skills.py --check --allow-missing
-
   test-e2e-ollama-proxy:
     needs: [checks, changes]
     if: needs.changes.outputs.code == 'true'
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 57a1d9ed93..583f66a2a3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -160,14 +160,6 @@ repos:
         pass_filenames: false
         priority: 10
 
-      - id: catalog-skills-export
-        name: Verify catalog skills export
-        entry: python3 scripts/export-catalog-skills.py --check --allow-missing
-        language: system
-        files: ^(\.agents/catalog-skills\.yaml|\.agents/skills/.*|skills/.*|scripts/export-catalog-skills\.py)$
-        pass_filenames: false
-        priority: 10
-
       - id: env-var-docs
         name: NEMOCLAW_* env-var documentation gate
         entry: npx tsx scripts/check-env-var-docs.ts
diff --git a/scripts/export-catalog-skills.py b/scripts/export-catalog-skills.py
deleted file mode 100755
index cde3dcc9be..0000000000
--- a/scripts/export-catalog-skills.py
+++ /dev/null
@@ -1,460 +0,0 @@
-#!/usr/bin/env python3
-# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-"""Export catalog-safe NemoClaw skills to the NVSkills watched directory.
-
-The repository source of truth remains `.agents/skills/`. This script copies the
-checked-in allowlist from `.agents/catalog-skills.yaml` into `skills/`
-using deterministic ordering and metadata so CI can detect stale or hand-edited
-catalog exports.
-"""
-
-from __future__ import annotations
-
-import argparse
-import filecmp
-import fnmatch
-import hashlib
-import json
-import os
-import shutil
-import subprocess
-import sys
-import tempfile
-from dataclasses import dataclass
-from pathlib import Path
-from typing import Any
-
-REPO_ROOT = Path(__file__).resolve().parents[1]
-DEFAULT_ALLOWLIST = Path(".agents/catalog-skills.yaml")
-GENERATED_HEADER = """<!-- SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. -->
-<!-- SPDX-License-Identifier: Apache-2.0 -->
-
-# Generated NemoClaw Catalog Skills
-
-This directory is generated from `.agents/catalog-skills.yaml` and `.agents/skills/`.
-Do not edit files here directly. The exporter preserves NVSkills signing artifacts (`skill.oms.sig` and `skill-card.md`) when regenerating an already-signed export.
-
-To update this export, edit the source skills or allowlist, then run:
-
-```bash
-python3 scripts/export-catalog-skills.py
-```
-
-CI verifies the directory with:
-
-```bash
-python3 scripts/export-catalog-skills.py --check
-```
-"""
-
-PRESERVED_SIGNING_FILES = {"skill.oms.sig", "skill-card.md"}
-MARKDOWN_EXTENSIONS = {".md", ".mdx"}
-
-
-def strip_markdown_spdx_preamble(text: str) -> str:
-    """Remove generated SPDX comments from catalog Markdown exports."""
-    lines = text.splitlines(keepends=True)
-    idx = 0
-    prefix: list[str] = []
-    if lines and lines[0].strip() == "---":
-        idx = 1
-        while idx < len(lines):
-            idx += 1
-            if lines[idx - 1].strip() == "---":
-                break
-        prefix = lines[:idx]
-        if idx < len(lines) and not lines[idx].strip():
-            idx += 1
-    while idx < len(lines) and lines[idx].startswith("<!-- SPDX-"):
-        idx += 1
-    if not prefix and idx == 0:
-        return text
-    if idx < len(lines) and not lines[idx].strip():
-        idx += 1
-    return "".join(prefix + lines[idx:])
-
-
-@dataclass(frozen=True)
-class CatalogConfig:
-    source: Path
-    export: Path
-    skills: tuple[str, ...]
-    excluded_patterns: tuple[str, ...]
-    metadata: dict[str, str]
-
-
-def repo_path(path: Path) -> str:
-    return path.as_posix()
-
-
-def parse_scalar(value: str) -> str | int:
-    stripped = value.strip()
-    if stripped.startswith('"') and stripped.endswith('"'):
-        return stripped[1:-1]
-    if stripped.isdigit():
-        return int(stripped)
-    return stripped
-
-
-def load_allowlist_yaml(path: Path) -> dict[str, Any]:
-    """Parse the small checked-in allowlist schema without external YAML deps."""
-    raw: dict[str, Any] = {"include": [], "exclude": [], "metadata": {}}
-    section: str | None = None
-
-    lines = path.read_text(encoding="utf-8").splitlines()
-    for line_number, original in enumerate(lines, start=1):
-        line = original.split("#", 1)[0].rstrip()
-        if not line.strip():
-            continue
-
-        if not line.startswith(" "):
-            key, separator, value = line.partition(":")
-            if not separator:
-                raise ValueError(f"{repo_path(path)}:{line_number}: expected key: value")
-            key = key.strip()
-            if value.strip():
-                raw[key] = parse_scalar(value)
-                section = None
-            else:
-                section = key
-                raw.setdefault(key, [] if key in {"include", "exclude"} else {})
-            continue
-
-        if section in {"include", "exclude"}:
-            stripped = line.strip()
-            if stripped.startswith("- "):
-                key, separator, value = stripped[2:].partition(":")
-                if not separator:
-                    raise ValueError(
-                        f"{repo_path(path)}:{line_number}: expected list item mapping"
-                    )
-                raw[section].append({key.strip(): parse_scalar(value)})
-            elif raw[section] and ":" in stripped:
-                key, _, value = stripped.partition(":")
-                raw[section][-1][key.strip()] = parse_scalar(value)
-            else:
-                raise ValueError(f"{repo_path(path)}:{line_number}: unsupported {section} entry")
-            continue
-
-        if section == "metadata":
-            key, separator, value = line.strip().partition(":")
-            if not separator:
-                raise ValueError(f"{repo_path(path)}:{line_number}: expected metadata key: value")
-            raw["metadata"][key.strip()] = parse_scalar(value)
-            continue
-
-        raise ValueError(f"{repo_path(path)}:{line_number}: unsupported nested content")
-
-    return raw
-
-
-def load_config(path: Path) -> CatalogConfig:
-    raw = load_allowlist_yaml(path)
-
-    version = raw.get("version")
-    if version != 1:
-        raise ValueError(f"{repo_path(path)} version must be 1")
-
-    source = Path(str(raw.get("source", ".agents/skills")))
-    export = Path(str(raw.get("export", "skills")))
-    for label, candidate in (("source", source), ("export", export)):
-        if candidate.is_absolute() or ".." in candidate.parts:
-            raise ValueError(f"{repo_path(path)} {label} must be a safe relative path")
-
-    include = raw.get("include")
-    exclude = raw.get("exclude", [])
-    metadata = raw.get("metadata", {})
-
-    if not isinstance(include, list) or not include:
-        raise ValueError(f"{repo_path(path)} include must be a non-empty list")
-    if not isinstance(exclude, list):
-        raise ValueError(f"{repo_path(path)} exclude must be a list")
-    if not isinstance(metadata, dict):
-        raise ValueError(f"{repo_path(path)} metadata must be a mapping")
-
-    skills: list[str] = []
-    for idx, item in enumerate(include):
-        if not isinstance(item, dict) or not isinstance(item.get("skill"), str):
-            raise ValueError(f"{repo_path(path)} include[{idx}] must contain a string skill")
-        skill = item["skill"].strip()
-        if not skill:
-            raise ValueError(f"{repo_path(path)} include[{idx}].skill must not be empty")
-        skill_path = Path(skill)
-        if skill_path.is_absolute() or ".." in skill_path.parts or len(skill_path.parts) != 1:
-            raise ValueError(
-                f"{repo_path(path)} include[{idx}].skill must be a single directory name"
-            )
-        skills.append(skill)
-
-    if skills != sorted(skills):
-        raise ValueError(f"{repo_path(path)} include must be sorted by skill name")
-    if len(set(skills)) != len(skills):
-        raise ValueError(f"{repo_path(path)} include contains duplicate skills")
-
-    excluded_patterns: list[str] = []
-    for idx, item in enumerate(exclude):
-        if not isinstance(item, dict) or not isinstance(item.get("pattern"), str):
-            raise ValueError(f"{repo_path(path)} exclude[{idx}] must contain a string pattern")
-        excluded_patterns.append(item["pattern"].strip())
-
-    normalized_metadata = {str(key): str(value) for key, value in sorted(metadata.items())}
-    return CatalogConfig(
-        source=source,
-        export=export,
-        skills=tuple(skills),
-        excluded_patterns=tuple(excluded_patterns),
-        metadata=normalized_metadata,
-    )
-
-
-def git_commit() -> str:
-    try:
-        result = subprocess.run(
-            ["git", "rev-parse", "HEAD"],
-            cwd=REPO_ROOT,
-            check=True,
-            text=True,
-            stdout=subprocess.PIPE,
-            stderr=subprocess.DEVNULL,
-        )
-        return result.stdout.strip()
-    except (OSError, subprocess.CalledProcessError):
-        return "unknown"
-
-
-def copy_skill(source_dir: Path, target_dir: Path) -> None:
-    target_dir.mkdir(parents=True, exist_ok=True)
-    for root, dirs, files in os.walk(source_dir):
-        dirs.sort()
-        files.sort()
-        rel_root = Path(root).relative_to(source_dir)
-        for directory in dirs:
-            (target_dir / rel_root / directory).mkdir(parents=True, exist_ok=True)
-        for filename in files:
-            src = Path(root) / filename
-            dst = target_dir / rel_root / filename
-            dst.parent.mkdir(parents=True, exist_ok=True)
-            if src.suffix.lower() in MARKDOWN_EXTENSIONS:
-                # Source skills keep SPDX headers for repo policy. The catalog
-                # export strips boilerplate so semantic dedupe only sees content.
-                content = strip_markdown_spdx_preamble(src.read_text(encoding="utf-8"))
-                dst.write_text(content, encoding="utf-8")
-                shutil.copymode(src, dst)
-            else:
-                shutil.copy2(src, dst)
-
-
-def hash_file(path: Path, base: Path, digest: hashlib._Hash) -> None:
-    rel = path.relative_to(base).as_posix()
-    digest.update(rel.encode("utf-8"))
-    digest.update(b"\0")
-    digest.update(path.read_bytes())
-    digest.update(b"\0")
-
-
-def hash_tree(paths: list[Path], base: Path) -> str:
-    digest = hashlib.sha256()
-    for path in sorted(paths, key=lambda item: item.relative_to(base).as_posix()):
-        hash_file(path, base, digest)
-    return digest.hexdigest()
-
-
-def list_files(root: Path) -> list[Path]:
-    if not root.exists():
-        return []
-    files = (path for path in root.rglob("*") if path.is_file())
-    return sorted(files, key=lambda item: item.as_posix())
-
-
-def write_manifest(target_root: Path, config: CatalogConfig, source_root: Path) -> None:
-    exported_files = [
-        path
-        for skill in config.skills
-        for path in list_files(target_root / skill)
-        if path.name not in PRESERVED_SIGNING_FILES
-    ]
-    source_files = [path for skill in config.skills for path in list_files(source_root / skill)]
-    manifest = {
-        "schemaVersion": 1,
-        "generatedBy": "scripts/export-catalog-skills.py",
-        "source": repo_path(config.source),
-        "sourceCommit": git_commit(),
-        "sourceContentSha256": hash_tree(source_files, source_root),
-        "exportContentSha256": hash_tree(exported_files, target_root),
-        "metadata": config.metadata,
-        "skills": list(config.skills),
-    }
-    (target_root / "catalog-metadata.json").write_text(
-        json.dumps(manifest, indent=2, sort_keys=True) + "\n", encoding="utf-8"
-    )
-
-
-def preserve_signing_artifacts(
-    existing_root: Path, temp_root: Path, skills: tuple[str, ...]
-) -> None:
-    for skill in skills:
-        existing_skill = existing_root / skill
-        if not existing_skill.exists():
-            continue
-        for artifact_name in sorted(PRESERVED_SIGNING_FILES):
-            artifact = existing_skill / artifact_name
-            if artifact.is_file():
-                destination = temp_root / skill / artifact_name
-                destination.parent.mkdir(parents=True, exist_ok=True)
-                shutil.copy2(artifact, destination)
-
-
-def validate_preserved_signing_artifacts(
-    existing_root: Path, temp_root: Path, skills: tuple[str, ...]
-) -> None:
-    missing: list[str] = []
-    for skill in skills:
-        existing_skill = existing_root / skill
-        if not existing_skill.exists():
-            continue
-        for artifact_name in sorted(PRESERVED_SIGNING_FILES):
-            if (existing_skill / artifact_name).is_file() and not (
-                temp_root / skill / artifact_name
-            ).is_file():
-                missing.append(f"{skill}/{artifact_name}")
-    if missing:
-        preview = ", ".join(missing[:10])
-        suffix = f" (+{len(missing) - 10} more)" if len(missing) > 10 else ""
-        raise FileNotFoundError(f"Missing preserved signing artifacts: {preview}{suffix}")
-
-
-def render_export(config: CatalogConfig, target_root: Path, preserve_from: Path | None = None) -> None:
-    source_root = REPO_ROOT / config.source
-    if not source_root.is_dir():
-        raise FileNotFoundError(f"Source skills directory not found: {repo_path(config.source)}")
-
-    target_root.mkdir(parents=True, exist_ok=True)
-    (target_root / "README.md").write_text(GENERATED_HEADER, encoding="utf-8")
-
-    for skill in config.skills:
-        source_skill = source_root / skill
-        if not source_skill.is_dir():
-            raise FileNotFoundError(f"Allowlisted skill not found: {repo_path(config.source / skill)}")
-        for pattern in config.excluded_patterns:
-            if fnmatch.fnmatch(skill, pattern):
-                raise ValueError(f"Allowlisted skill {skill!r} matches excluded pattern {pattern!r}")
-        copy_skill(source_skill, target_root / skill)
-
-    if preserve_from is not None:
-        preserve_signing_artifacts(preserve_from, target_root, config.skills)
-        validate_preserved_signing_artifacts(preserve_from, target_root, config.skills)
-
-    write_manifest(target_root, config, source_root)
-
-
-def files_match_for_export_check(left_file: Path, right_file: Path, rel_path: str) -> bool:
-    if rel_path != "catalog-metadata.json":
-        return filecmp.cmp(left_file, right_file, shallow=False)
-
-    try:
-        left_metadata = json.loads(left_file.read_text(encoding="utf-8"))
-        right_metadata = json.loads(right_file.read_text(encoding="utf-8"))
-    except (OSError, json.JSONDecodeError):
-        return False
-
-    # This field records the commit that generated the export. A fresh commit
-    # changes HEAD after files are written, so freshness checks compare content
-    # hashes and ignore this bookkeeping-only value.
-    left_metadata["sourceCommit"] = "<ignored>"
-    right_metadata["sourceCommit"] = "<ignored>"
-    return left_metadata == right_metadata
-
-
-def dircmp_diff(left: Path, right: Path) -> list[str]:
-    messages: list[str] = []
-
-    def visit(cmp: filecmp.dircmp[str]) -> None:
-        for name in sorted(cmp.left_only):
-            messages.append(f"unexpected: {(Path(cmp.left) / name).relative_to(left).as_posix()}")
-        for name in sorted(cmp.right_only):
-            messages.append(f"missing: {(Path(cmp.right) / name).relative_to(right).as_posix()}")
-        for name in sorted(cmp.diff_files):
-            left_file = Path(cmp.left) / name
-            rel_path = left_file.relative_to(left).as_posix()
-            if files_match_for_export_check(left_file, Path(cmp.right) / name, rel_path):
-                continue
-            messages.append(f"stale: {rel_path}")
-        for subdir in sorted(cmp.subdirs):
-            visit(cmp.subdirs[subdir])
-
-    visit(filecmp.dircmp(left, right))
-    return messages
-
-
-def replace_directory(source: Path, destination: Path) -> None:
-    if destination.exists():
-        shutil.rmtree(destination)
-    destination.parent.mkdir(parents=True, exist_ok=True)
-    shutil.move(str(source), str(destination))
-
-
-def export_catalog(allowlist: Path, check: bool, allow_missing: bool) -> int:
-    config = load_config(allowlist)
-    export_root = REPO_ROOT / config.export
-
-    with tempfile.TemporaryDirectory(prefix="nemoclaw-catalog-skills-") as tmp:
-        expected = Path(tmp) / "expected"
-        render_export(config, expected, preserve_from=export_root if export_root.exists() else None)
-
-        if check:
-            if not export_root.exists():
-                if allow_missing:
-                    print(
-                        f"Catalog export is not present yet: {repo_path(config.export)} "
-                        "(allowed by --allow-missing)",
-                    )
-                    return 0
-                print(f"Catalog export is missing: {repo_path(config.export)}", file=sys.stderr)
-                return 1
-            diffs = dircmp_diff(export_root, expected)
-            if diffs:
-                print("Catalog skills export is stale. Run:", file=sys.stderr)
-                print("  python3 scripts/export-catalog-skills.py", file=sys.stderr)
-                for diff in diffs[:50]:
-                    print(f"  - {diff}", file=sys.stderr)
-                if len(diffs) > 50:
-                    print(f"  ... {len(diffs) - 50} more difference(s)", file=sys.stderr)
-                return 1
-            print(f"Catalog skills export is current: {repo_path(config.export)}")
-            return 0
-
-        replace_directory(expected, export_root)
-        print(f"Exported {len(config.skills)} catalog skill(s) to {repo_path(config.export)}")
-        return 0
-
-
-def parse_args() -> argparse.Namespace:
-    parser = argparse.ArgumentParser(description=__doc__)
-    parser.add_argument(
-        "--allowlist",
-        type=Path,
-        default=DEFAULT_ALLOWLIST,
-        help="Catalog skill allowlist YAML (default: .agents/catalog-skills.yaml)",
-    )
-    parser.add_argument(
-        "--check",
-        action="store_true",
-        help="Check whether the generated export is current without writing files",
-    )
-    parser.add_argument(
-        "--allow-missing",
-        action="store_true",
-        help="In --check mode, pass when the export directory has not been created yet",
-    )
-    return parser.parse_args()
-
-
-def main() -> int:
-    args = parse_args()
-    allowlist = args.allowlist if args.allowlist.is_absolute() else REPO_ROOT / args.allowlist
-    return export_catalog(allowlist, bool(args.check), bool(args.allow_missing))
-
-
-if __name__ == "__main__":
-    raise SystemExit(main())
diff --git a/test/catalog-skills-export.test.ts b/test/catalog-skills-export.test.ts
deleted file mode 100644
index ac2bbaf67e..0000000000
--- a/test/catalog-skills-export.test.ts
+++ /dev/null
@@ -1,210 +0,0 @@
-// SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-import { execFileSync } from "node:child_process";
-import fs from "node:fs";
-import os from "node:os";
-import path from "node:path";
-import { fileURLToPath } from "node:url";
-import { describe, expect, it } from "vitest";
-
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = path.dirname(__filename);
-const repoRoot = path.resolve(__dirname, "..");
-const exporter = path.join(repoRoot, "scripts", "export-catalog-skills.py");
-const sourceRoot = path.join(repoRoot, ".agents", "skills");
-
-function listSkillDirs(root: string): string[] {
-  return fs
-    .readdirSync(root, { withFileTypes: true })
-    .filter((entry) => entry.isDirectory())
-    .map((entry) => entry.name)
-    .sort();
-}
-
-describe("catalog skills export", () => {
-  it("allows the export to be absent before the first refresh PR", () => {
-    const tempDir = fs.mkdtempSync(
-      path.join(os.tmpdir(), "nemoclaw-catalog-missing-"),
-    );
-    const cleanup = () => fs.rmSync(tempDir, { recursive: true, force: true });
-
-    try {
-      const tempAgents = path.join(tempDir, ".agents");
-      const tempScripts = path.join(tempDir, "scripts");
-      fs.mkdirSync(tempAgents, { recursive: true });
-      fs.mkdirSync(tempScripts, { recursive: true });
-      fs.cpSync(sourceRoot, path.join(tempAgents, "skills"), {
-        recursive: true,
-      });
-      fs.copyFileSync(
-        path.join(repoRoot, ".agents", "catalog-skills.yaml"),
-        path.join(tempAgents, "catalog-skills.yaml"),
-      );
-      fs.copyFileSync(
-        exporter,
-        path.join(tempScripts, "export-catalog-skills.py"),
-      );
-
-      const output = execFileSync(
-        "python3",
-        [
-          path.join(tempScripts, "export-catalog-skills.py"),
-          "--check",
-          "--allow-missing",
-        ],
-        {
-          cwd: tempDir,
-          encoding: "utf8",
-        },
-      );
-
-      expect(output).toContain("Catalog export is not present yet");
-    } finally {
-      cleanup();
-    }
-  });
-
-  it("preserves existing signing artifacts when regenerating", () => {
-    const tempDir = fs.mkdtempSync(
-      path.join(os.tmpdir(), "nemoclaw-catalog-export-"),
-    );
-    const cleanup = () => fs.rmSync(tempDir, { recursive: true, force: true });
-
-    try {
-      const tempAgents = path.join(tempDir, ".agents");
-      const tempScripts = path.join(tempDir, "scripts");
-      const tempSkills = path.join(tempDir, "skills");
-      fs.mkdirSync(tempAgents, { recursive: true });
-      fs.mkdirSync(tempScripts, { recursive: true });
-      fs.cpSync(sourceRoot, path.join(tempAgents, "skills"), {
-        recursive: true,
-      });
-      fs.copyFileSync(
-        path.join(repoRoot, ".agents", "catalog-skills.yaml"),
-        path.join(tempAgents, "catalog-skills.yaml"),
-      );
-      fs.copyFileSync(
-        exporter,
-        path.join(tempScripts, "export-catalog-skills.py"),
-      );
-
-      const signedSkill = path.join(tempSkills, "nemoclaw-user-get-started");
-      fs.mkdirSync(signedSkill, { recursive: true });
-      fs.writeFileSync(path.join(signedSkill, "skill.oms.sig"), "signature\n");
-      fs.writeFileSync(
-        path.join(signedSkill, "skill-card.md"),
-        "# Signed card\n",
-      );
-
-      execFileSync(
-        "python3",
-        [path.join(tempScripts, "export-catalog-skills.py")],
-        {
-          cwd: tempDir,
-          encoding: "utf8",
-        },
-      );
-
-      expect(
-        fs.readFileSync(path.join(signedSkill, "skill.oms.sig"), "utf8"),
-      ).toBe("signature\n");
-      expect(
-        fs.readFileSync(path.join(signedSkill, "skill-card.md"), "utf8"),
-      ).toBe("# Signed card\n");
-      expect(listSkillDirs(tempSkills)).toEqual([
-        "nemoclaw-skills-guide",
-        "nemoclaw-user-agent-skills",
-        "nemoclaw-user-configure-inference",
-        "nemoclaw-user-configure-security",
-        "nemoclaw-user-deploy-remote",
-        "nemoclaw-user-get-started",
-        "nemoclaw-user-manage-policy",
-        "nemoclaw-user-manage-sandboxes",
-        "nemoclaw-user-monitor-sandbox",
-        "nemoclaw-user-overview",
-        "nemoclaw-user-reference",
-      ]);
-    } finally {
-      cleanup();
-    }
-  });
-
-  it("rejects unsafe allowlist path fragments", () => {
-    const tempDir = fs.mkdtempSync(
-      path.join(os.tmpdir(), "nemoclaw-catalog-config-"),
-    );
-    const cleanup = () => fs.rmSync(tempDir, { recursive: true, force: true });
-
-    try {
-      const config = path.join(tempDir, "catalog-skills.yaml");
-      fs.writeFileSync(
-        config,
-        [
-          "version: 1",
-          "source: ../outside",
-          "export: skills",
-          "include:",
-          "  - skill: ../escape",
-          "",
-        ].join("\n"),
-      );
-
-      expect(() =>
-        execFileSync("python3", [exporter, "--allowlist", config, "--check"], {
-          cwd: repoRoot,
-          encoding: "utf8",
-          stdio: "pipe",
-        }),
-      ).toThrow(/source must be a safe relative path/);
-    } finally {
-      cleanup();
-    }
-  });
-
-  it("fails when preserved signing artifacts are not copied into the final export", () => {
-    const tempDir = fs.mkdtempSync(
-      path.join(os.tmpdir(), "nemoclaw-catalog-export-"),
-    );
-    const cleanup = () => fs.rmSync(tempDir, { recursive: true, force: true });
-
-    try {
-      const tempAgents = path.join(tempDir, ".agents");
-      const tempScripts = path.join(tempDir, "scripts");
-      const tempSkills = path.join(tempDir, "skills");
-      fs.mkdirSync(tempAgents, { recursive: true });
-      fs.mkdirSync(tempScripts, { recursive: true });
-      fs.cpSync(sourceRoot, path.join(tempAgents, "skills"), {
-        recursive: true,
-      });
-      fs.copyFileSync(
-        path.join(repoRoot, ".agents", "catalog-skills.yaml"),
-        path.join(tempAgents, "catalog-skills.yaml"),
-      );
-      const tempExporter = path.join(tempScripts, "export-catalog-skills.py");
-      fs.copyFileSync(exporter, tempExporter);
-      let exporterSource = fs.readFileSync(tempExporter, "utf8");
-      exporterSource = exporterSource.replace(
-        "def preserve_signing_artifacts(\n    existing_root: Path, temp_root: Path, skills: tuple[str, ...]\n) -> None:",
-        "def preserve_signing_artifacts(\n    existing_root: Path, temp_root: Path, skills: tuple[str, ...]\n) -> None:\n    return",
-      );
-      fs.writeFileSync(tempExporter, exporterSource);
-
-      const signedSkill = path.join(tempSkills, "nemoclaw-user-get-started");
-      fs.mkdirSync(signedSkill, { recursive: true });
-      fs.writeFileSync(path.join(signedSkill, "skill.oms.sig"), "signature\n");
-
-      expect(() =>
-        execFileSync("python3", [tempExporter], {
-          cwd: tempDir,
-          encoding: "utf8",
-          stdio: "pipe",
-        }),
-      ).toThrow(
-        /Missing preserved signing artifacts: nemoclaw-user-get-started\/skill\.oms\.sig/,
-      );
-    } finally {
-      cleanup();
-    }
-  });
-});