@DaleSeo DaleSeo commented Feb 12, 2026

Description

The Skills extension currently allows users to browse and search for skills on skills.sh, but it doesn't let them install or manage those skills within Raycast. Users have to copy the install command manually and run it in a terminal, and they can't see what's already installed on their machine.

This PR adds those missing features. Now, users can install skills directly from the search and trending views with just one action. There's also a new "Manage Skills" command that shows all installed skills along with agent information and SKILL.md content. Users can remove skills through a confirmation dialog to prevent accidental deletions.

Behind the scenes, all skill operations are handled by the npx skills CLI instead of directly manipulating the filesystem. This keeps the extension in sync with how the CLI manages its internal state, including agent directories and symlinks, and it automatically supports all 30+ agents that the CLI recognizes.

We're parsing the CLI output after removing ANSI codes since the CLI doesn't support a --json flag yet. I've reached out to the Vercel team about this. Once they add support, we can simplify the parsing logic.


@raycastbot raycastbot added the "extension fix / improvement", "extension: skills", "platform: macOS" and "platform: Windows" labels Feb 12, 2026
raycastbot commented Feb 12, 2026

Thank you for your contribution! 🎉

🔔 @keito4 you might want to have a look.

You can use this guide to learn how to check out the Pull Request locally in order to test it.

📋 Quick checkout commands
BRANCH="manage-skills"
FORK_URL="https://github.com/DaleSeo/extensions.git"
EXTENSION_NAME="skills"
REPO_NAME="extensions"

git clone -n --depth=1 --filter=tree:0 -b $BRANCH $FORK_URL
cd $REPO_NAME
git sparse-checkout set --no-cone "extensions/$EXTENSION_NAME"
git checkout
cd "extensions/$EXTENSION_NAME"
npm install && npm run dev

We're currently experiencing a high volume of incoming requests. As a result, the initial review may take up to 10-15 business days.

@DaleSeo DaleSeo force-pushed the manage-skills branch 2 times, most recently from 6a87537 to 3cae35e, February 12, 2026 14:29
@DaleSeo DaleSeo marked this pull request as ready for review February 12, 2026 14:51
@DaleSeo DaleSeo changed the title from "[Skills] Install & Remove Skills" to "[Skills] Add support for installing/removing skills" Feb 12, 2026
greptile-apps bot commented Feb 12, 2026

Greptile Overview

Greptile Summary

This PR adds skill installation and management capabilities to the Skills extension. Users can now install skills directly from search/trending views and manage installed skills through a new command with agent filtering.

Key Changes

  • Added InstallSkillAction component with confirmation dialog for installing skills
  • New "Manage Skills" command that lists installed skills with agent filtering dropdown
  • RemoveSkillAction component with destructive confirmation for removing skills
  • CLI wrapper in skills-cli.ts that executes npx skills commands with shell escaping and ANSI stripping
  • Added Windows platform support
  • Proper error handling with toast notifications throughout

Critical Issue

  • Command injection vulnerability on Windows in skills-cli.ts:16-22 - the execWithPath function on Windows doesn't properly escape the command before passing to execAsync, allowing user-controlled data from skill sources to inject arbitrary commands

Confidence Score: 3/5

  • This PR has a critical command injection vulnerability on Windows that must be fixed before merging
  • The implementation is well-structured with good UX patterns (confirmations, toasts, error handling), but contains a critical security vulnerability in the Windows code path of execWithPath that allows command injection through user-controlled skill data
  • extensions/skills/src/utils/skills-cli.ts requires immediate attention to fix the command injection vulnerability

Important Files Changed

| Filename | Overview |
|---|---|
| extensions/skills/src/utils/skills-cli.ts | Implements CLI wrapper with shell escaping, but has a critical command injection vulnerability on Windows (line 20) |
| extensions/skills/src/components/actions/InstallSkillAction.tsx | Adds confirmation dialog and toast notifications for installing skills |
| extensions/skills/src/components/actions/RemoveSkillAction.tsx | Adds destructive confirmation dialog for removing skills with proper navigation handling |
| extensions/skills/src/manage-skills.tsx | New command showing installed skills with agent filtering dropdown and proper error handling |
| extensions/skills/src/components/InstalledSkillDetail.tsx | Detail view for installed skills with SKILL.md content and metadata |

@greptile-apps greptile-apps bot left a comment

22 files reviewed, 1 comment
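
The Windows command-injection finding above comes down to skill-source text reaching a shell as part of a command string. As an added example (not code from this PR or from the skills CLI), one defensive pattern is to allowlist the source and skill name and hand the CLI an argument array; the `owner/repo` source form, the `add` subcommand, the `--skill` flag and every function name here are assumptions.

```typescript
// Added example: not code from the Skills extension or the skills CLI.
// Assumptions: sources look like "owner/repo" and the CLI is invoked as
// `npx skills add <source> [--skill <name>]`.

// First character must be alphanumeric, which also blocks option injection ("--flag").
const SOURCE_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,99}\/[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/;
const SKILL_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/;

function assertAllowed(label: string, value: string, pattern: RegExp): string {
  if (!pattern.test(value)) {
    // JSON.stringify makes quotes and control characters visible in the error.
    throw new Error(`${label} rejected: ${JSON.stringify(value)}`);
  }
  return value;
}

// Builds the argument vector for the CLI. Pass it to execFile/spawn as an
// array; never join it into a command string.
function buildInstallArgs(source: string, skillName?: string): string[] {
  const args = ["skills", "add", assertAllowed("source", source, SOURCE_RE)];
  if (skillName !== undefined) {
    args.push("--skill", assertAllowed("skill name", skillName, SKILL_RE));
  }
  return args;
}

// Constructed sample inputs: one well-formed source and five that carry
// shell metacharacters, quotes, variable expansion, an option, or a newline.
const CONSTRUCTED_INPUTS: string[] = [
  "example-org/example-skills",
  "example-org/example-skills & echo injected",
  'example-org/example-skills"',
  "%COMSPEC%/repo",
  "--global",
  "example-org/example-skills\n",
];

function classify(inputs: string[]): { accepted: string[]; rejected: string[] } {
  const accepted: string[] = [];
  const rejected: string[] = [];
  for (const input of inputs) {
    try {
      buildInstallArgs(input);
      accepted.push(input);
    } catch (err) {
      rejected.push(input);
    }
  }
  return { accepted, rejected };
}

console.log(classify(CONSTRUCTED_INPUTS));
```

On Windows, `npx` is a `.cmd` shim that runs through cmd.exe, so the allowlist, not the array form alone, is what keeps metacharacters away from the shell there.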


keito4 commented Feb 12, 2026

LGTM
I think this is a great feature! Thanks for adding it.
