Skip to content

Add ambassador skill and gitignore local secrets#392

Merged
leerob merged 1 commit into
mainfrom
cursor/add-ambassador-skill
May 19, 2026
Merged

Add ambassador skill and gitignore local secrets#392
leerob merged 1 commit into
mainfrom
cursor/add-ambassador-skill

Conversation

@leerob
Copy link
Copy Markdown
Collaborator

@leerob leerob commented May 19, 2026
edited by cursor Bot
Loading

Summary

  • Add .cursor/skills/add-cursor-ambassador skill to grant ambassador badges via Supabase MCP (lookup by name/email, set users.is_ambassador)
  • Add .cursor/settings.json for project Cursor settings
  • Extend .gitignore to exclude .env.local, .env*.local, and .react-email alongside existing .vercel/ rules

Test plan

  • Confirm .env.local and .vercel/ no longer appear as untracked in git status
  • Invoke /add-cursor-ambassador with a test email and verify Supabase MCP flow

Made with Cursor

Note

Low Risk
Low risk: adds Cursor editor configuration and a documented MCP skill, plus .gitignore tweaks; no runtime application code changes.

Overview
Adds a new Cursor skill (.cursor/skills/add-cursor-ambassador/SKILL.md) that documents a Supabase MCP workflow to look up a cursor.directory user by email/name/UUID and set public.users.is_ambassador (with guidance for disambiguation and optional revocation).

Enables the Supabase Cursor plugin via .cursor/settings.json, and extends .gitignore to exclude .env*.local and .react-email artifacts.

Reviewed by Cursor Bugbot for commit 85cf31b. Bugbot is set up for automated code reviews on this repo. Configure here.

@leerob @cursoragent
Add ambassador skill and ignore local env/vercel files
85cf31b 
Introduce a Cursor skill for granting ambassador badges via Supabase and
extend .gitignore to exclude .env.local and .vercel from commits.

Co-authored-by: Cursor <cursoragent@cursor.com>
@vercel
Copy link
Copy Markdown

vercel Bot commented May 19, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
cursor-directory Ready Ready Preview, Comment May 19, 2026 1:40pm

Request Review

@leerob leerob marked this pull request as ready for review May 19, 2026 13:37
cursor[bot]
cursor Bot reviewed May 19, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using default mode and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 85cf31b. Configure here.

Comment thread .cursor/skills/add-cursor-ambassador/SKILL.md
UPDATE public.users
SET is_ambassador = true
WHERE id = '<user_id>'
RETURNING id, name, slug, email, is_ambassador;
Copy link
Copy Markdown

@cursor cursor Bot May 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unescaped SQL in skill

High Severity · Security Issue

The skill tells the agent to paste the user’s email, name, or UUID directly into SQL string literals for SELECT and UPDATE against production public.users. A crafted identifier can break out of the quoted value and run arbitrary SQL under whatever privileges the Supabase MCP connection has.

Additional Locations (2)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 85cf31b. Configure here.

@leerob leerob merged commit d7c6469 into main May 19, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@leerob