Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(1547)

100
4253
High Cost
u14app icon

deep-research

by u14app

Sec3

An AI-powered research assistant that generates comprehensive reports, leverages various LLMs and web search engines, and offers integration as a SaaS or MCP service.

Setup Requirements

  • ⚠️Requires API Keys for multiple Large Language Models (LLMs) and search providers, most of which are paid services.
  • ⚠️Requires `ACCESS_PASSWORD` environment variable for authentication, particularly in proxy mode.
  • ⚠️If using Ollama, a local Ollama instance must be running at `http://localhost:11434`.
Review RequiredView Analysis
**CRITICAL SSRF VULNERABILITY**: The `/api/crawler` endpoint (in `src/app/api/crawler/route.ts`) directly fetches arbitrary URLs provided in the request body without any validation. This allows an attacker to perform Server-Side Request Forgery (SSRF) to scan internal networks, access sensitive internal services, or trigger actions on other external systems. This is a severe security flaw. **Potential XSS**: `rehypeRaw` is used in `src/components/MagicDown/View.tsx`, which processes raw HTML within markdown. If untrusted input (e.g., from AI models or user edits) contains malicious HTML, it could lead to Cross-Site Scripting (XSS). API key handling via environment variables and signature verification in `middleware.ts` are positive security practices, but do not mitigate the aforementioned critical flaws.
Updated: 2025-12-06GitHub
100
1100
Medium Cost
MicrosoftDocs icon

mcp

by MicrosoftDocs

Sec9

Provides AI assistants with direct, real-time access to official Microsoft Learn documentation to prevent hallucinations and retrieve accurate technical information.

Setup Requirements

  • ⚠️Requires an MCP-compatible IDE or client (e.g., VS Code, Claude Desktop, Cursor) for integration.
  • ⚠️The remote endpoint does not support direct browser access; it returns a '405 Method Not Allowed' error if accessed manually.
Verified SafeView Analysis
The provided source code consists solely of documentation files (`README.md`, `ThirdPartyNotices.md`, `SECURITY.md`) and does not contain server-side implementation details. Therefore, direct code analysis for 'eval', obfuscation, or hardcoded secrets is not possible. The service itself is a remote Microsoft-managed endpoint (https://learn.microsoft.com/api/mcp), which adheres to Microsoft's security policies outlined in `SECURITY.md`. The `README` explicitly states it 'only accesses official 1st-party Microsoft documentation' and is '100% Trusted & Safe,' operating without requiring API keys or authentication. The risk is minimal as the user connects to a trusted remote service, rather than running server code locally from this repository.
Updated: 2025-12-02GitHub
100
11686
Medium Cost
googleapis icon

genai-toolbox

by googleapis

Sec7

MCP Toolbox for Databases is an open-source server enabling AI agents to interact with various databases through defined tools, simplifying development, improving performance, and enhancing security for Gen AI applications.

Setup Requirements

  • ⚠️Requires setup and configuration of specific database instances (e.g., PostgreSQL, MySQL, BigQuery, MongoDB, Neo4j) to be accessible.
  • ⚠️Configuration relies on a 'tools.yaml' file, which can contain sensitive credentials if not managed via secret managers (e.g., Google Cloud Secret Manager for Cloud Run deployments).
  • ⚠️Many tools, especially 'execute-sql' types and those with 'templateParameters', expose direct database interaction that can lead to injection vulnerabilities if not carefully controlled and reviewed.
Verified SafeView Analysis
The server design generally promotes parameterized queries for security. However, several tools, particularly those utilizing 'templateParameters' or 'execute-sql' variants, explicitly allow direct modification of SQL/CQL/Cypher statements, including identifiers, table names, or raw query text. This significantly increases the risk of SQL/CQL/Cypher injection if not used with extreme caution, proper input validation (e.g., 'allowedValues' for template parameters), and human-in-the-loop oversight. Admin-level tools for Cloud SQL and AlloyDB also require careful IAM permission management. The HTTP tool allows arbitrary requests, posing a risk if the LLM is not constrained. It is critical to configure tools and grant IAM roles with the principle of least privilege.
Updated: 2025-12-06GitHub
100
76201
Low Cost
punkpeye icon
Sec10

This repository serves as a curated directory for discovering a wide range of Model Context Protocol (MCP) servers, designed to extend AI capabilities by enabling interaction with local and remote resources.

Setup Requirements

  • ⚠️To inform an LLM about the Model Context Protocol and how to utilize the servers listed, users must manually provide external documentation (e.g., `https://modelcontextprotocol.io/llms-full.txt`) to their AI client.
Verified SafeView Analysis
The repository itself is a collection of Markdown files (documentation) and does not contain executable server code, direct vulnerabilities, or hardcoded secrets. Any security implications would arise from interacting with the *linked* third-party MCP server implementations, each requiring its own security assessment, which is beyond the scope of this repository's source code.
Updated: 2025-12-05GitHub
100
19378
Medium Cost
activepieces icon

activepieces

by activepieces

Sec3

An open-source, extensible AI automation platform designed as a Zapier alternative, supporting low-code/no-code workflows and integration with Large Language Models (LLMs) through a type-safe TypeScript framework.

Setup Requirements

  • ⚠️Requires Docker for production deployment, or Node.js v18/v20 and Bun for local development.
  • ⚠️Production deployments (e.g., via Pulumi) require an AWS account, configured Route 53 for custom domains, and familiarity with AWS ECS Fargate, RDS (PostgreSQL), and ElastiCache (Redis).
  • ⚠️CRITICAL: The default `AP_EXECUTION_MODE` in Pulumi deployment is `UNSANDBOXED`, enabling arbitrary code execution in user flows. For secure operation, it MUST be explicitly set to `SANDBOX_CODE_ONLY` or `SANDBOX_PROCESS`.
  • ⚠️A hardcoded `POSTGRES_PASSWORD` exists in `docker-compose.dev.yml`; this should be replaced with a secure environment variable for any shared development setup.
Review RequiredView Analysis
The project uses Docker for deployment and provides development scripts. Critical security concerns include: 1. Hardcoded password `A79Vm5D4p2VQHOp2gd5` in `docker-compose.dev.yml` for PostgreSQL, which is a major vulnerability in any shared or exposed development environment. 2. The `tools/scripts/utils/piece-script-utils.ts` script executes `bun install` within the worker environment when loading pieces. If the `AP_EXECUTION_MODE` is set to `UNSANDBOXED` (which is the default in the `deploy/pulumi/index.ts` for AWS deployments), this allows for **arbitrary code execution (RCE)** from malicious or compromised piece packages during runtime. Even in `SANDBOX_CODE_ONLY` mode, arbitrary JavaScript can run within the `isolated-vm` sandbox, which still poses a risk if not carefully managed. 3. The default `AP_EXECUTION_MODE` of `UNSANDBOXED` in the Pulumi deployment is a severe misconfiguration for production, as it removes critical isolation for user-provided code in flows. 4. Sensitive information like `AP_API_KEY`, `AP_JWT_SECRET`, and `ENCRYPTION_KEY` are meant to be loaded from environment variables and `deploy.sh` generates them securely. However, the hardcoded dev password indicates a lack of consistent security practice.
Updated: 2025-12-06GitHub
100
1822
Low Cost
lemonade-sdk icon

lemonade

by lemonade-sdk

Sec8

The Lemonade C++ Server provides a lightweight, high-performance HTTP API for local Large Language Model (LLM) inference and model management, leveraging hardware accelerators like AMD Ryzen AI NPU, integrated GPUs, and discrete GPUs.

Setup Requirements

  • ⚠️Requires a C++ development environment (e.g., Visual Studio 2019+ on Windows, build-essential on Linux, Xcode tools on macOS) and CMake to build from source.
  • ⚠️Initial setup requires an active internet connection to download build dependencies, `ryzenai-server`, `llama.cpp` binaries, `whisper.cpp` binaries, and LLM models from GitHub/Hugging Face.
  • ⚠️Optimal performance, especially for NPU acceleration with Ryzen AI, depends on having up-to-date and compatible GPU/NPU drivers installed on the host system.
Verified SafeView Analysis
The server utilizes `system()` calls for external tool checks (e.g., `where flm`, `vulkaninfo`) and for installing/extracting binaries (e.g., `unzip`, PowerShell `Expand-Archive`). While the commands and paths are largely constructed internally or derived from trusted sources (GitHub/Hugging Face releases), and some user input is validated (e.g., custom llama-server args), any interaction with external processes carries inherent risk. The HTTP server defaults to binding on `localhost`, which mitigates the impact of its permissive CORS policy (`Access-Control-Allow-Origin: *`). Single-instance protection is implemented via system-wide mutexes or file locks.
Updated: 2025-12-05GitHub
100
1086
Medium Cost
hashicorp icon
Sec8

The Terraform MCP Server provides seamless integration with Terraform Registry APIs and HCP Terraform/Terraform Enterprise, enabling AI assistants (LLMs) to generate high-quality Terraform code and automate IaC workflows.

Setup Requirements

  • ⚠️Requires Docker to be installed and running.
  • ⚠️Requires an AI assistant (LLM) that supports the Model Context Protocol (MCP) to interact with the server.
  • ⚠️Full functionality, especially with HCP Terraform/Terraform Enterprise, requires a valid TFE_TOKEN and TFE_ADDRESS to be configured (typically via environment variables).
Verified SafeView Analysis
The project implements good security practices including CORS configuration with allowed origins, TLS support for HTTP transport (required for non-localhost), and clear warnings against using with untrusted clients/LLMs. Sensitive values like TFE_TOKEN are expected via environment variables and are explicitly prevented from being passed via URL query parameters. Rate limiting is also implemented. The default Docker base image uses 'scratch' for a smaller attack surface. Some tools are marked as 'destructive' but require explicit enablement via `ENABLE_TF_OPERATIONS` environment variable and user confirmation for critical actions, but the overall security relies on the calling LLM's adherence to these confirmations.
Updated: 2025-12-05GitHub
100
3175
High Cost
cloudflare icon
Sec7

Enable Large Language Models (LLMs) to interact with and automate tasks across various Cloudflare services through a standardized Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires a Cloudflare account for deployment and API access.
  • ⚠️Requires `wrangler` CLI for deployment and local development.
  • ⚠️Setting up OAuth involves creating Cloudflare API tokens with specific scopes, KV namespaces, and secrets.
  • ⚠️Some advanced features may require a paid Cloudflare Workers plan.
  • ⚠️Local development for external contributors requires setting `DEV_DISABLE_OAUTH=true` and providing a `DEV_CLOUDFLARE_API_TOKEN` (global API token with broad permissions, which is sensitive) or setting up OAuth credentials.
  • ⚠️The project is a monorepo; each 'server' (app) is a distinct deployable unit, and there is no single command to run 'this server' (the entire monorepo) as a monolithic application.
Review RequiredView Analysis
The repository is a monorepo containing multiple distinct MCP servers, each leveraging Cloudflare services. Authentication is handled via Cloudflare OAuth or API tokens, with granular scopes defined per server to limit access. Sensitive credentials like `MCP_COOKIE_ENCRYPTION_KEY`, `CLOUDFLARE_CLIENT_ID`, and `CLOUDFLARE_CLIENT_SECRET` are expected to be provided via environment variables, not hardcoded. Logging and error tracking (via Sentry and Analytics Engine) are integrated for observability. A significant security consideration is the `apps/sandbox-container` server, which is explicitly designed to allow arbitrary code execution (`exec`) and file system operations within its environment. While this is its intended function as a sandbox, it introduces an inherent risk if not deployed and managed with robust isolation (e.g., secure containerization) and strict access controls. An LLM interacting with this tool could potentially be prompted to perform harmful actions within the sandboxed environment. The documentation indicates per-user Durable Object instances for containers and a user blocklist mechanism, which improves isolation and access control. However, the presence of direct `child_process.exec` calls in a server component requires careful consideration of the execution environment's isolation from the host system.
Updated: 2025-12-02GitHub
100
10371
Medium Cost
ruvnet icon

claude-flow

by ruvnet

Sec6

Orchestrates AI agents (Claude) for development workflows, including code generation, testing, analysis, research, and project migration, with MLOps capabilities.

Setup Requirements

  • ⚠️Requires Node.js (>=14.0.0) and npm for core system and CLI.
  • ⚠️Requires Python (3.x) with ML libraries (e.g., pandas, numpy, scikit-learn, torch) for MLE-STAR agents.
  • ⚠️Requires Claude Code CLI (`claude`) to be installed and configured with an Anthropic API Key (Paid service).
  • ⚠️Requires GitHub CLI (`gh`) for GitHub integration features.
  • ⚠️Utilizes SQLite database, often requiring specific `better-sqlite3` native bindings.
  • ⚠️Relies heavily on environment variables (e.g., `ANTHROPIC_API_KEY`, `CLAUDE_FLOW_ENV`, `GITHUB_TOKEN`).
Review RequiredView Analysis
Architecturally includes security features like authentication, permissions, and audit trails. However, default configurations (e.g., hardcoded admin/service credentials in `auth-service.ts`, default unconfigured JWT_SECRET, potential for unsafe `subprocess.run` calls in Python agents) are insecure for production without explicit hardening. CORS policies might be too permissive by default in API routes.
Updated: 2025-12-04GitHub
100
2280
High Cost
OpenBMB icon

UltraRAG

by OpenBMB

Sec7

A low-code RAG framework for researchers to build and iterate on complex multi-stage, multimodal Retrieval-Augmented Generation (RAG) pipelines using a Model Context Protocol (MCP) architecture.

Setup Requirements

  • ⚠️Requires Node.js (version 20+) for launching remote MCP servers (`npx mcp-remote`).
  • ⚠️Many functionalities (e.g., web search, OpenAI LLMs) require external API keys (Exa, Tavily, ZhipuAI, OpenAI) which incur usage costs.
  • ⚠️Leverages GPU hardware extensively for performance (e.g., vLLM, FAISS-GPU, sentence-transformers, infinity-emb); specific CUDA versions (e.g., CUDA 12.x) may be required depending on chosen dependencies.
Verified SafeView Analysis
The framework relies on user-provided YAML configurations for pipeline and server definitions, which, if untrusted, could lead to unexpected behavior. Running external servers or APIs (e.g., Exa, Tavily, ZhipuAI, OpenAI) requires careful security consideration for API key management and network exposure. The `/api/system/shutdown` endpoint in the UI should not be exposed publicly without strict access controls.
Updated: 2025-12-06GitHub
100
7564
Medium Cost
awslabs icon

mcp

by awslabs

Sec9

Enables AI assistants to interact with AWS DocumentDB databases by providing tools for connection management, database/collection operations, document CRUD, aggregation, schema analysis, and query planning.

Setup Requirements

  • ⚠️Requires Python 3.10+ and 'uv' package manager for installation and local development.
  • ⚠️Requires network access to an AWS DocumentDB cluster.
  • ⚠️Requires a valid SSL/TLS certificate ('global-bundle.pem') for DocumentDB connections if TLS is enabled.
  • ⚠️Requires AWS credentials with appropriate permissions to access DocumentDB.
  • ⚠️Manual configuration of the MCP client's JSON settings file is needed for local server or 'uvx' package usage.
Verified SafeView Analysis
The server defaults to read-only mode, blocking write operations unless explicitly enabled with the `--allow-write` flag, significantly enhancing security for sensitive database operations. Input parameters are rigorously validated using Pydantic, preventing common injection vulnerabilities. Connection strings are validated to enforce DocumentDB-specific security requirements (e.g., `retryWrites=false`). Logging is handled by `loguru` for robust auditing. No hardcoded sensitive credentials or direct evaluation of user-provided code were identified.
Updated: 2025-12-06GitHub
100
1613
Low Cost
dinoki-ai icon

osaurus

by dinoki-ai

Sec8

Osaurus is a native macOS LLM server running local language models with OpenAI and Ollama compatible APIs, enabling tool calling and a plugin ecosystem for AI agents.

Setup Requirements

  • ⚠️Requires macOS 15.5+ and Apple Silicon (M1 or newer) for native execution and optimized performance.
  • ⚠️Users must manually download LLM models via the application's UI or CLI after installation.
  • ⚠️Integration with external MCP clients (e.g., Cursor) requires adding specific JSON configuration to the client.
Verified SafeView Analysis
The project demonstrates strong security practices including mandated code signing for plugins, explicit user consent for tool execution (e.g., via ToolPermissionView), and secure handling of sensitive credentials (Keychain integration for MCP tokens, environment variables for CI/CD secrets). The plugin system, while powerful, inherently introduces a surface for potential vulnerabilities if malicious plugins are installed, though this is mitigated by strict signing and permission models. Configuration details shared for inter-app communication do not include sensitive data.
Updated: 2025-12-05GitHub
PreviousPage 1 of 129Next