Add ExtensionDetails dialog and support install

[chrstnb]

Summary

Add an extension details view on enter in the /extensions registry and add support for installing extensions

Screen.Recording.2026-03-02.at.6.12.10.PM.mov

Details

Related Issues

Fixes https://github.com/google-gemini/maintainers-gemini-cli/issues/1402

How to Validate

in settings.json:

experimental {
"extensionRegistry": true
}

• run /extensions explore
• select an extension with enter
• set enter to install it
• step through dialog
• confirm returned to extension page and extension has been installed

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt
  • Windows
    • npm run
    • npx
    • Docker
  • Linux
    • npm run
    • npx
    • Docker

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the user experience for managing extensions within the CLI by introducing a dedicated ExtensionDetails dialog. Previously, selecting an extension might have directly initiated an action; now, users are presented with a detailed view of the extension, its capabilities, and a clear prompt for installation. This change improves clarity and control, allowing users to make informed decisions before installing extensions.

Highlights

• Introduced Extension Details Dialog: A new ExtensionDetails React component has been added to display comprehensive information about a selected extension, including its name, version, author, description, features (MCP, Context, Hooks, Skills, Commands), and installation status.
• Enhanced Extension Selection Flow: The ExtensionRegistryView now transitions to displaying the ExtensionDetails dialog upon selecting an extension from the list, allowing users to review details before initiating an installation.
• Improved Keyboard Focus Management: The SearchableList component was updated with an isFocused prop, enabling precise control over keyboard input focus, which is essential for navigating between the extension list and the new details dialog.
• Streamlined Installation Trigger: The onSelect callback in ExtensionRegistryView has been modified to first show the ExtensionDetails dialog, and then, if the user confirms installation from within the dialog, it triggers the installAction.
• Added Comprehensive Unit Tests: New unit tests for the ExtensionDetails component ensure its correct rendering and interaction handling, including navigation (Escape key) and installation (Enter key).

Changelog

• packages/cli/src/ui/commands/extensionsCommand.ts
  • Updated the onSelect handler within ExtensionRegistryView to asynchronously call the installAction with the selected extension's URL, reflecting the new installation flow.
• packages/cli/src/ui/components/shared/SearchableList.tsx
  • Modified the SearchableList component by adding an isFocused prop, which defaults to true, to control whether the list accepts keyboard input.
  • Integrated the isFocused prop into its internal useSelectionList and useKeypress hooks, as well as the TextInput component.
• packages/cli/src/ui/components/views/ExtensionDetails.test.tsx
  • Added a new test file containing unit tests for the ExtensionDetails component.
  • Verified its rendering of extension data, display of install/installed states, and correct handling of Escape (back) and Enter (install) key presses.
• packages/cli/src/ui/components/views/ExtensionDetails.tsx
  • Introduced a new React component, ExtensionDetails, responsible for rendering a detailed view of a RegistryExtension.
  • Included metadata, features, and an installation warning within the ExtensionDetails component.
  • Implemented handling for onBack and onInstall actions via keyboard input within the ExtensionDetails component.
• packages/cli/src/ui/components/views/ExtensionRegistryView.tsx
  • Refactored the ExtensionRegistryView to manage a selectedExtension state, conditionally rendering either the SearchableList or the new ExtensionDetails component.
  • Updated the onSelect callback to set the selectedExtension.
  • Introduced handleBack and handleInstall functions to manage navigation and installation from the details view.
  • Passed the isFocused prop to SearchableList based on whether an extension is selected.
  • Updated the onSelect prop type to support Promise<void>.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

Size Change: +10.7 kB (+0.04%)

Total Size: 26.2 MB

Filename	Size	Change
./bundle/gemini.js	25.7 MB	+10.7 kB (+0.04%)

ℹ️ View Unchanged

Filename	Size
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js	221 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js	227 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js	11.5 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js	132 B
./bundle/sandbox-macos-permissive-open.sb	890 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB
./bundle/sandbox-macos-strict-open.sb	4.82 kB
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB

_{compressed-size-action}

[gemini-code-assist]

Code Review

This pull request introduces an ExtensionDetails dialog, displayed when a user selects an extension from the registry list, providing more information and an install button. While the feature is well-implemented, a critical security vulnerability has been identified. The installAction function, now reachable via this new UI, has insufficient validation logic to prevent command injection if a malicious URL is provided. It is recommended to strengthen the validation and ensure safe execution of external commands to address this risk.

[gemini-code-assist]

The installAction function, which is now called when an extension is selected in the gallery, contains a flawed validation logic that could lead to command injection.

In installAction (lines 478-489), the code checks for disallowed characters ([;&|'" ]) only if the input is NOT a valid URL. However, a valid URL can still contain these characters (e.g., in the pathname) and remain a valid URL according to the new URL() constructor. For example, https://example.com/repo.git;touch/tmp/pwned is a valid URL but could lead to command execution if passed to a shell command in downstream functions like cloneFromGit.

While the registry is currently a trusted source, this flaw also affects the /extensions install <source> command which takes arbitrary user input. An attacker could trick a user into installing an extension from a malicious URL, leading to remote code execution.

[scidomino]

I'm seeing compile issues.

[scidomino]

The description says "confirm returned to search page and extension has been installed" but it doesn't return to the search page. I think the description is wrong, not the code.