Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(6610)

100
4144
Medium Cost
CoplayDev icon

unity-mcp

by CoplayDev

Sec4

MCP for Unity acts as a bridge, allowing AI assistants to interact directly with the Unity Editor to manage assets, control scenes, edit scripts, and automate tasks.

Setup Requirements

  • ⚠️Requires Python 3.10 or newer.
  • ⚠️Requires Unity Hub & Editor 2021.3 LTS or newer, with the 'MCP for Unity Bridge' Unity package installed.
  • ⚠️Requires 'uv' (Python toolchain manager) for local installation and execution, or 'uvx' for direct execution.
Review RequiredView Analysis
The server's core function is to enable AI agents (LLMs) to perform highly privileged operations within the Unity Editor, including editing/creating C# scripts and executing arbitrary Unity menu items or custom C# tools. If the controlling LLM or user input is compromised or malicious, this can lead to arbitrary code execution and significant damage to the Unity project. While the server itself doesn't use dangerous functions like `eval` in Python (it uses `ast.literal_eval` safely) and doesn't contain obvious hardcoded secrets, its design inherently grants powerful capabilities. Binding to `0.0.0.0` (as shown in the Docker example) makes it network-accessible, increasing risk if not properly firewalled or isolated. The `precondition_sha256` for script edits and structured editing aim to mitigate unintended modifications but do not prevent maliciously intended code injection.
Updated: 2025-12-05GitHub
100
1100
Medium Cost
MicrosoftDocs icon

mcp

by MicrosoftDocs

Sec9

Provides AI assistants with direct, real-time access to official Microsoft Learn documentation to prevent hallucinations and retrieve accurate technical information.

Setup Requirements

  • ⚠️Requires an MCP-compatible IDE or client (e.g., VS Code, Claude Desktop, Cursor) for integration.
  • ⚠️The remote endpoint does not support direct browser access; it returns a '405 Method Not Allowed' error if accessed manually.
Verified SafeView Analysis
The provided source code consists solely of documentation files (`README.md`, `ThirdPartyNotices.md`, `SECURITY.md`) and does not contain server-side implementation details. Therefore, direct code analysis for 'eval', obfuscation, or hardcoded secrets is not possible. The service itself is a remote Microsoft-managed endpoint (https://learn.microsoft.com/api/mcp), which adheres to Microsoft's security policies outlined in `SECURITY.md`. The `README` explicitly states it 'only accesses official 1st-party Microsoft documentation' and is '100% Trusted & Safe,' operating without requiring API keys or authentication. The risk is minimal as the user connects to a trusted remote service, rather than running server code locally from this repository.
Updated: 2025-12-02GitHub
100
1673
Medium Cost
bytebase icon

dbhub

by bytebase

Sec8

A universal database abstraction layer exposing databases as tools for AI/ML agents via the Model Context Protocol (MCP), and providing an admin console for monitoring requests.

Setup Requirements

  • ⚠️Requires explicit database connection configuration (either via DSN in command-line arguments/environment variables or a TOML configuration file) to start; the server will exit if no valid configuration is provided.
  • ⚠️If a `dbhub.toml` configuration file is used, command-line flags such as `--id`, `--readonly`, and `--max-rows` are intentionally disabled to prevent conflicts. Per-source configuration for these options must then be defined directly within the TOML file.
  • ⚠️Deployment in containers (e.g., Docker) for MySQL and MariaDB might encounter 'container privilege restrictions' that prevent full introspection of stored procedures and functions without additional database user permissions or container configuration.
  • ⚠️SSH private key paths (e.g., `~/.ssh/id_rsa`) specified in TOML configuration or environment variables are expanded relative to the user's home directory on the host system, and these files require appropriate read permissions.
Verified SafeView Analysis
The server demonstrates strong security awareness through features like DSN password redaction, explicit `SafeURL` parsing to handle special characters in connection strings, and structured validation for custom SQL tools' parameters. For its HTTP API, it includes CORS configuration and `Origin` header validation to mitigate DNS rebinding attacks. File system interactions, such as loading TOML configuration, environment files, and SSH keys, are part of the setup, implying a reliance on a trusted deployment environment where these paths and configurations are controlled by an administrator. SQL injection risks are mitigated via parameterized queries for user-provided SQL in custom tools and built-in SQL execution, and through robust identifier quoting for database metadata access. The primary security considerations for operators are the inherent risks of executing user-defined SQL (even if validated) and managing access to sensitive configuration files and network ports.
Updated: 2025-12-06GitHub
100
7849
Medium Cost
modelcontextprotocol icon

inspector

by modelcontextprotocol

Sec3

The MCP Inspector is a UI tool designed for connecting to, inspecting, and interacting with Model Context Protocol (MCP) servers, facilitating debugging and development of AI agent systems.

Setup Requirements

  • ⚠️Requires an existing Model Context Protocol (MCP) server to connect to, or it can start one locally via STDIO.
  • ⚠️If using the MCP Inspector Proxy (default for STDIO, SSE, Streamable HTTP), a session token displayed in the proxy server console on startup is required for authentication via the 'X-MCP-Proxy-Auth' header.
  • ⚠️For 'direct' connections, the target MCP server must have Cross-Origin Resource Sharing (CORS) configured to allow requests from the Inspector's origin (typically http://localhost:6274).
Review RequiredView Analysis
The proxy server component (server/src/index.ts) can execute arbitrary commands via 'stdio' transport by spawning child processes based on client-provided 'command' and 'args' parameters. While 'shell-quote' is used for parsing, this design pattern creates a significant Remote Code Execution (RCE) vulnerability if the proxy is exposed to untrusted input or if the authentication mechanism is bypassed. The 'X-MCP-Proxy-Auth' session token provides a layer of protection, but the 'DANGEROUSLY_OMIT_AUTH' environment variable can disable this critical authentication. Direct connections bypass the proxy but still involve potentially arbitrary server URLs, which could expose the client to other network risks like SSRF if not properly isolated. Overall, the system has high-risk components that require strict environmental controls and trusted user interaction to mitigate severe security implications.
Updated: 2025-12-04GitHub
100
16052
Medium Cost
ChromeDevTools icon

chrome-devtools-mcp

by ChromeDevTools

Sec5

Enables AI coding agents to control and inspect a live Chrome browser for reliable automation, in-depth debugging, and performance analysis via the Model-Context-Protocol (MCP).

Setup Requirements

  • ⚠️Requires Node.js v20.19+ (or v22.12+) and a current stable version of Chrome browser.
  • ⚠️Connecting to a running Chrome instance requires launching Chrome with `--remote-debugging-port` and a non-default `--user-data-dir`, which introduces security warnings.
  • ⚠️May be incompatible with MCP clients that enforce strict operating system sandboxing (e.g., macOS Seatbelt, Linux containers) if the server needs to launch Chrome itself.
Verified SafeView Analysis
The `evaluate_script` tool explicitly allows AI agents to execute arbitrary JavaScript within the browser context, enabling inspection, debugging, and modification of any data in the browser or DevTools. This is a core, intended feature for powerful automation but inherently carries a significant security risk if the AI client or its prompts are compromised. The server launches or connects to a full Chrome instance, and users are explicitly warned against sharing sensitive information with MCP clients. If connecting to a manually launched browser, enabling the remote debugging port (`--remote-debugging-port`) opens up a debugging interface that any application on the machine can connect to.
Updated: 2025-12-05GitHub
100
11686
Medium Cost
googleapis icon

genai-toolbox

by googleapis

Sec7

MCP Toolbox for Databases is an open-source server enabling AI agents to interact with various databases through defined tools, simplifying development, improving performance, and enhancing security for Gen AI applications.

Setup Requirements

  • ⚠️Requires setup and configuration of specific database instances (e.g., PostgreSQL, MySQL, BigQuery, MongoDB, Neo4j) to be accessible.
  • ⚠️Configuration relies on a 'tools.yaml' file, which can contain sensitive credentials if not managed via secret managers (e.g., Google Cloud Secret Manager for Cloud Run deployments).
  • ⚠️Many tools, especially 'execute-sql' types and those with 'templateParameters', expose direct database interaction that can lead to injection vulnerabilities if not carefully controlled and reviewed.
Verified SafeView Analysis
The server design generally promotes parameterized queries for security. However, several tools, particularly those utilizing 'templateParameters' or 'execute-sql' variants, explicitly allow direct modification of SQL/CQL/Cypher statements, including identifiers, table names, or raw query text. This significantly increases the risk of SQL/CQL/Cypher injection if not used with extreme caution, proper input validation (e.g., 'allowedValues' for template parameters), and human-in-the-loop oversight. Admin-level tools for Cloud SQL and AlloyDB also require careful IAM permission management. The HTTP tool allows arbitrary requests, posing a risk if the LLM is not constrained. It is critical to configure tools and grant IAM roles with the principle of least privilege.
Updated: 2025-12-06GitHub
100
76201
Low Cost
punkpeye icon
Sec10

This repository serves as a curated directory for discovering a wide range of Model Context Protocol (MCP) servers, designed to extend AI capabilities by enabling interaction with local and remote resources.

Setup Requirements

  • ⚠️To inform an LLM about the Model Context Protocol and how to utilize the servers listed, users must manually provide external documentation (e.g., `https://modelcontextprotocol.io/llms-full.txt`) to their AI client.
Verified SafeView Analysis
The repository itself is a collection of Markdown files (documentation) and does not contain executable server code, direct vulnerabilities, or hardcoded secrets. Any security implications would arise from interacting with the *linked* third-party MCP server implementations, each requiring its own security assessment, which is beyond the scope of this repository's source code.
Updated: 2025-12-05GitHub
100
3566
High Cost
opensumi icon

core

by opensumi

Sec6

A framework for building AI-Native IDE products, providing core functionalities like editor, file management, terminal, debugging, search, and extension support, with a strong focus on AI integration and interactive UI components.

Setup Requirements

  • ⚠️Requires Node.js >= 18 for development and deployment.
  • ⚠️Requires Yarn as the package manager.
  • ⚠️Requires `git` command-line tool to be available in PATH for SCM features.
  • ⚠️Native module rebuilding (e.g., `node-pty`, `@parcel/watcher`, `nsfw`, `keytar`) may require `build-essential` and `libsecret-1-dev` (Linux) or other system-specific development tools.
  • ⚠️Installation of vscode-compatible extensions happens via `yarn run download-extension` from `open-vsx.org` by default.
Verified SafeView Analysis
The server includes extensive capabilities for file system access, network communication (websockets, HTTP), and running child processes for terminals, extensions, and debugging, which are inherent to an IDE. The use of `new Function` for executing webview content in `tools/cli-engine/src/webview/webview-host/webview-manager.ts` is a powerful feature that, if not rigorously sandboxed and input-sanitized, could pose a code injection risk. While sandboxing with `sandbox` iframe attributes is present, such constructs always warrant careful security review. The `staticAllowOrigin: '*'` setting in development server configurations is broad but typical for dev tools, though it could be a misconfiguration risk if deployed without restrictions. Overall, the project's nature as an extensible IDE means a larger attack surface, necessitating robust security practices for both the core framework and any integrated extensions.
Updated: 2025-12-02GitHub
100
2905
Medium Cost
laravel icon

boost

by laravel

Sec4

Laravel Boost accelerates AI-assisted development by providing context and specialized tools for AI to generate high-quality, Laravel-specific code.

Setup Requirements

  • ⚠️Requires an existing Laravel application.
  • ⚠️Initial setup requires running `php artisan boost:install` and potentially configuring editor-specific MCP settings (e.g., PhpStorm, VS Code, Cursor).
  • ⚠️The `SearchDocs` and `ReportFeedback` tools rely on an external hosted documentation/feedback API service (`boost.laravel.com`).
  • ⚠️Integration with Laravel Herd or Sail requires user confirmation during installation.
Review RequiredView Analysis
The `Tinker` tool uses `eval` for executing arbitrary PHP code within the application context. While intended for developer use and executed in an isolated subprocess by `ToolExecutor`, `eval` is inherently a high-risk function as it allows for remote code execution if an attacker gains control over the input. The `SearchDocs` and `ReportFeedback` tools make external HTTP requests to `boost.laravel.com`, sending user queries and feedback data, which might raise privacy concerns for some users. The `MakesHttpRequests` concern disables SSL verification for local/testing environments, which is common but should be noted.
Updated: 2025-12-05GitHub
100
9351
Medium Cost
JoeanAmier icon

XHS-Downloader

by JoeanAmier

Sec3

A tool to extract links and collect watermark-free media (images, videos) from RedNote (XiaoHongShu), offering TUI, CLI, API, and MCP interfaces.

Setup Requirements

  • ⚠️Requires Python 3.12+
  • ⚠️Reading browser cookies on Windows requires running the program with administrator privileges.
  • ⚠️Clipboard monitoring functionality on Linux systems requires `xclip` or `xsel` commands (or `qtpy`/`PyQT5` modules) to be installed.
Review RequiredView Analysis
The presence of an obfuscated JavaScript file (`static/20250619.js`) within the repository is a critical security concern. Obfuscated code significantly reduces transparency and makes security auditing extremely difficult, potentially concealing malicious functionalities. Running the `BrowserCookie` feature on Windows requires administrator privileges, which, while a common pattern for such functionality, is a security consideration for users. The API and MCP servers bind to `0.0.0.0` by default, meaning they are accessible from all network interfaces; users should be aware of this for proper network configuration.
Updated: 2025-12-06GitHub
100
1584
Low Cost
modelcontextprotocol icon

mcpb

by modelcontextprotocol

Sec8

A CLI toolchain for developing, validating, packing, and signing MCP (Model Context Protocol) Bundles for AI desktop applications, with experimental UV runtime support for Python.

Setup Requirements

  • ⚠️Requires Node.js (v16.0.0+) to run the CLI tool.
  • ⚠️Python extensions using the traditional 'python' server type have a 'Limitation: Cannot portably bundle compiled dependencies' (e.g., pydantic).
  • ⚠️UV runtime support for Python extensions is experimental and may change in future versions.
  • ⚠️Icon validation warns for remote URLs and errors for absolute paths or '${__dirname}' variables; icons should be local PNG files for optimal Claude Desktop compatibility.
Verified SafeView Analysis
The server code demonstrates good security practices, especially in file unpacking with explicit 'Path traversal attempt detected' checks to prevent zip slip attacks. Uses 'child_process.execFile' for OS-level certificate verification (`openssl`, `security`, `powershell`) and self-signed certificate generation, which is a controlled use of external commands. Variable replacement in `mcp_config` patterns using `new RegExp` is present; while keys are typically simple, arbitrary user input as a key could theoretically pose a regex injection risk if not sufficiently sanitized upstream, though this is a low practical risk given the context of configuration keys. No 'eval' or obvious hardcoded secrets were found.
Updated: 2025-12-04GitHub
100
1289
Low Cost
mcp-router icon

mcp-router

by mcp-router

Sec3

A desktop application for managing Model Context Protocol (MCP) servers, supporting local and remote connections, context management, and integration with AI tools.

Setup Requirements

  • ⚠️Requires Node.js >= 20.0.0 and pnpm >= 8.0.0 for development/building.
  • ⚠️The Electron app installation is platform-specific (Windows/macOS installer via releases page).
  • ⚠️User-defined 'hooks' in workflows utilize `vm.Script.runInContext`, which, despite sandboxing efforts, carries inherent security risks due to arbitrary code execution capabilities if exploited.
Review RequiredView Analysis
The application uses `vm.Script.runInContext` for executing user-defined 'hooks' in workflows. While attempts at sandboxing are present (using `vm.createContext`), `eval`-like mechanisms are inherently high-risk and can be vulnerable to bypasses if the sandbox is not perfectly isolated, potentially leading to arbitrary code execution. Additionally, a PostHog analytics API key is hardcoded in `posthog-service.ts`, which, while not a critical access credential, is a secret in plain text that is transmitted externally, contradicting the README's privacy statement about credentials never being transmitted externally. User-provided bearer tokens and API keys for MCP servers are stated to be stored locally and not transmitted externally without explicit configuration.
Updated: 2025-12-02GitHub
PreviousPage 1 of 551Next