The directory of plugins from the Cursor community.
├── apps/
│ └── cursor/ # Next.js app
├── supabase/
│ └── migrations/ # Database migrations
└── package.json # Bun workspace config
All data lives in the database — there is no local data in the repo.
git clone https://github.com/cursor/community-plugins.git
cd community-plugins
bun install
cp apps/cursor/.env.example apps/cursor/.env
Fill in the required values:
| Variable | Required | Description |
|---|---|---|
NEXT_PUBLIC_SUPABASE_URL |
Yes | Supabase project URL |
NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY |
Yes | Supabase Publishable key (sb_publishable_..., replaces the legacy anon key) |
SUPABASE_SECRET_KEY |
Yes | Supabase Secret key (sb_secret_..., replaces the legacy service role key) |
NEXT_PUBLIC_APP_URL |
No | Defaults to http://localhost:3000 |
Apply the migrations in supabase/migrations/ to your Supabase project.
bun dev
Open http://localhost:3000.
All content is submitted through the website — no pull requests needed for data.
Auto-detected components:
| Component | Path |
|---|---|
| Rules | rules/*.mdc |
| MCP Servers | .mcp.json |
| Skills | skills/*/SKILL.md |
| Agents | agents/*.md |
| Hooks | hooks/hooks.json |
| LSP Servers | .lsp.json |
See the Open Plugins specification and plugin template for details.
pgmq) drained by a 1-min Vercel cronSubmitted plugins are auto-reviewed by a Cursor SDK agent (composer-2) running
in local mode against a fresh clone of the plugin's repo plus its inline
component content. The verdict (safe / suspicious / malicious) is written
back to plugins.scan_status and surfaces in the admin queue.
The scan is asynchronous and runs out of the request lifecycle:
enqueuePluginScan(pluginId) which sends a message to the plugin_scans
pgmq queue.kickDrainAfterResponse() so the
drain route is called via next/server after() immediately after the
response is flushed. Scans typically start within a few hundred ms./api/queue/plugin-scans/drain reads one message
(vt=900s, n=1), runs runPluginScan(pluginId), archives the message on
success, leaves it for VT-expiry on retryable error, or buries it after
MAX_ATTEMPTS=5 deliveries.The drain route uses maxDuration = 800 (Vercel Pro+ Fluid Compute ceiling) and
relies on CURSOR_API_KEY + CRON_SECRET from the env file.
$ claude mcp add community-plugins \
-- python -m otcore.mcp_server <graph>