feat(marketplace): implement skills tab with MCP/modes placeholders #7122
1d47d70 to 51f82a4
Adds the marketplace feature to the VS Code extension with the Skills tab fully functional and MCP Servers/Modes tabs as placeholders. Backend: marketplace API client, installation detection, skill installer (MCP/mode install not yet implemented), path resolution. IPC: fetchMarketplaceData, installMarketplaceItem, removeInstalledMarketplaceItem message types. Webview: MarketplaceView with 3-tab UI, SkillsMarketplace with search and category filtering, ItemCard, InstallModal, RemoveDialog. Marketplace opens as editor panel via SettingsEditorProvider with multi-root workspace project directory support.
Internationalize all hardcoded strings in marketplace components using useLanguage() and add translations to kilo-i18n for all 16 supported locales: en, ar, br, bs, da, de, es, fr, ja, ko, no, pl, ru, th, zh, zht. 27 translation keys added per locale covering tabs, search, card actions, install modal, and remove dialog.
7ac21e8 to ea4f5eb
The modal was transparent because it referenced non-existent CSS variables (--bg-base, --fg-base, etc). Replace all instances with the correct kilo-ui vscode-bridge variables (--background-base, --text-base, --text-weak, --text-on-success-base, --text-on-critical-base, etc).
| await fs.writeFile(tarball, buffer) | ||
|
|
||
| await fs.mkdir(staging, { recursive: true }) | ||
| await exec("tar", ["-xzf", tarball, "--strip-components=1", "-C", staging]) |
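Review bot: In `await fs.mkdir(staging, { recursive: true })`, the `recursive` option makes the call succeed when `staging` already exists, so files left by an earlier run or placed there by another process are mixed into the extracted skill. Create a fresh, uniquely named directory (for example with `fs.mkdtemp`) and fail if it cannot be created. The `exec("tar", ...)` line also resolves `tar` through PATH, so extraction behaviour depends on which tar the user's machine provides; an in-process extractor would make it uniform across platforms.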
CRITICAL: Untrusted tarball extraction can escape the staging directory
findEscapedPaths() runs only after tar -xzf has already materialized the archive. A crafted marketplace tarball can use ../ entries or link entries to write outside staging, so the malicious write happens before we ever validate it. Please validate archive entries before extraction or use an extractor that rejects path traversal, otherwise installing a skill can overwrite arbitrary files on the user's machine.
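One way to do the pre-extraction validation this comment asks for, as an added example that is not code from this PR. The `Entry` shape, the function names and the refuse-all-links policy are assumptions; the entries would come from reading the tar headers before anything is written to disk.

```typescript
// Added example, not code from this PR. `Entry` is a hypothetical shape:
// fill it from the tar headers (name + type flag) before extracting anything.
type Entry = { path: string; type: "file" | "dir" | "symlink" | "hardlink" }
type Finding = { path: string; reason: string }

const ABSOLUTE = /^\/|^[A-Za-z]:|\\/ // POSIX root, Windows drive, backslash
const PARENT_SEGMENT = /(^|\/)\.\.(\/|$)/ // a whole ".." path segment

function checkEntry(entry: Entry): Finding | undefined {
  const p = entry.path
  if (p.length === 0 || p.indexOf("\0") !== -1) return { path: p, reason: "empty or NUL in name" }
  if (ABSOLUTE.test(p)) return { path: p, reason: "absolute or non-POSIX path" }
  // Test the raw name: with --strip-components=1, "pkg/../../x" becomes "../../x".
  if (PARENT_SEGMENT.test(p)) return { path: p, reason: "parent-directory segment" }
  // A link can redirect a later entry's write outside staging, so links are
  // refused outright (assumed policy: a skill archive needs none).
  if (entry.type === "symlink" || entry.type === "hardlink") return { path: p, reason: "link entry" }
  return undefined
}

// Returns every entry that must block extraction; an empty array means extract.
function findUnsafeEntries(entries: Entry[]): Finding[] {
  const findings: Finding[] = []
  for (const entry of entries) {
    const finding = checkEntry(entry)
    if (finding) findings.push(finding)
  }
  return findings
}

// Constructed listing for illustration, not taken from a real marketplace item.
const sample: Entry[] = [
  { path: "skill/SKILL.md", type: "file" },
  { path: "skill/../../outside.txt", type: "file" },
  { path: "skill/assets", type: "dir" },
  { path: "skill/assets/latest", type: "symlink" },
  { path: "/tmp/outside.txt", type: "file" },
]
const sampleFindings = findUnsafeEntries(sample)
```

Extraction proceeds only when the returned array is empty; any finding aborts the install before tar touches the staging directory.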
| private async fetchCliSkills(): Promise<Array<{ name: string; location: string }> | undefined> { | ||
| if (!this.client) return undefined | ||
| try { | ||
| const dir = this.getWorkspaceDirectory() |
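Review bot: `fetchCliSkills()` has no doc comment explaining its `undefined` return, which the `if (!this.client) return undefined` line uses for a missing client. Document what `undefined` means to callers as opposed to an empty array, so the marketplace view does not treat "client not ready" as "no skills installed". The `const dir = this.getWorkspaceDirectory()` line takes no argument from the caller; accepting the directory as a parameter would make the lookup target explicit.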
WARNING: Marketplace panels still read skills from workspaceFolders[0]
fetchMarketplaceData() passes a project-aware directory into the marketplace service, but this helper ignores it and always calls getWorkspaceDirectory(). In a multi-root workspace, opening the marketplace from repo B will still fetch skill state from repo A, so project installs/removals are shown against the wrong repo and newly installed skills in repo B will not appear until the extension is reloaded.
Code Review Summary
Status: 2 Issues Found | Recommendation: Address before merge
Other Observations (not in diff): None.
Files Reviewed (39 files)
Reviewed by gpt-5.4-20260305 · 1,094,487 tokens
…s-only feat(marketplace): implement skills tab with MCP/modes placeholders
Summary
SettingsEditorProvider
What's Included
Extension-Side Services (src/services/marketplace/):
IPC Protocol:
- fetchMarketplaceData / marketplaceData
- installMarketplaceItem / marketplaceInstallResult
- removeInstalledMarketplaceItem / marketplaceRemoveResult
Webview UI (webview-ui/src/components/marketplace/):
- MarketplaceView — 3-tab UI (Skills, MCP Servers, Modes)
- SkillsMarketplace — search + category filter + card grid
- ItemCard — reusable card with install/remove actions
- InstallModal — scope selection, parameter form, prerequisites
- RemoveDialog — confirmation before removal
Other:
- project-directory.ts — multi-root workspace directory resolution for standalone panels
- yaml dependency for mode content parsing