The directory of plugins from the Cursor community.
├── apps/
│ └── cursor/ # Next.js app
├── supabase/
│ └── migrations/ # Database migrations
└── package.json # Bun workspace config
All data lives in the database — there is no local data in the repo.
- Clone the repo
git clone https://github.com/cursor/community-plugins.git
cd community-plugins- Install dependencies
bun install- Configure environment variables
cp apps/cursor/.env.example apps/cursor/.envFill in the required values:
| Variable | Required | Description |
|---|---|---|
NEXT_PUBLIC_SUPABASE_URL |
Yes | Supabase project URL |
NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY |
Yes | Supabase Publishable key (sb_publishable_..., replaces the legacy anon key) |
SUPABASE_SECRET_KEY |
Yes | Supabase Secret key (sb_secret_..., replaces the legacy service role key) |
NEXT_PUBLIC_APP_URL |
No | Defaults to http://localhost:3000 |
- Run the database migrations
Apply the migrations in supabase/migrations/ to your Supabase project.
- Start the dev server
bun devOpen http://localhost:3000.
All content is submitted through the website — no pull requests needed for data.
- Go to cursor.directory/plugins/new
- Sign in with GitHub or Google
- Paste a GitHub repo URL — we auto-detect components following the Open Plugins standard
- Click Submit
Auto-detected components:
| Component | Path |
|---|---|
| Rules | rules/*.mdc |
| MCP Servers | .mcp.json |
| Skills | skills/*/SKILL.md |
| Agents | agents/*.md |
| Hooks | hooks/hooks.json |
| LSP Servers | .lsp.json |
See the Open Plugins specification and plugin template for details.
- Framework: Next.js (App Router, Turbopack)
- Runtime: Bun
- Database: Supabase (PostgreSQL)
- Job Queue: Supabase Queues (
pgmq) drained by a 1-min Vercel cron - Styling: Tailwind CSS
- UI: Radix UI + shadcn/ui
- Search: Fuse.js (client-side fuzzy search)
- URL State: nuqs
- Linting: Biome
Submitted plugins are auto-reviewed by a Cursor SDK agent (composer-2) running
in local mode against a fresh clone of the plugin's repo plus its inline
component content. The verdict (safe / suspicious / malicious) is written
back to plugins.scan_status and surfaces in the admin queue.
The scan is asynchronous and runs out of the request lifecycle:
- Enqueue — server actions and the recover-stuck-scans cron call
enqueuePluginScan(pluginId)which sends a message to theplugin_scanspgmq queue. - Kick — user-facing actions also fire
kickDrainAfterResponse()so the drain route is called vianext/serverafter()immediately after the response is flushed. Scans typically start within a few hundred ms. - Drain —
/api/queue/plugin-scans/drainreads one message (vt=900s,n=1), runsrunPluginScan(pluginId), archives the message on success, leaves it for VT-expiry on retryable error, or buries it afterMAX_ATTEMPTS=5deliveries. - Cron safety net — Vercel cron hits the same drain route every minute so any messages that missed their kick still get processed.
The drain route uses maxDuration = 800 (Vercel Pro+ Fluid Compute ceiling) and
relies on CURSOR_API_KEY + CRON_SECRET from the env file.