Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(2280)

100
1286
Medium Cost
MicrosoftDocs icon

mcp

by MicrosoftDocs

Sec9

Provides AI assistants with direct, secure access to the latest official Microsoft documentation to prevent hallucinations and verify code.

Setup Requirements

  • ⚠️The server itself is a remote Microsoft-hosted endpoint and cannot be run locally from this repository.
  • ⚠️Direct browser access to the MCP endpoint (e.g., https://learn.microsoft.com/api/mcp) will result in a '405 Method Not Allowed' error; it must be accessed via a compliant MCP client.
  • ⚠️Custom clients are advised to dynamically discover tools and refresh schemas due to the protocol's dynamic nature, rather than hard-coding definitions.
Verified SafeView Analysis
The provided repository contains documentation and skill definitions for integrating with the Microsoft Learn MCP Server, which is a remote, Microsoft-hosted endpoint (https://learn.microsoft.com/api/mcp). The actual server source code is not provided in this repository. The security score reflects the safety of the repository's content (documentation, skill descriptions) and the strong security claims made in the README regarding the remote service's focus on official, trusted sources and lack of authentication. A full audit of the remote server's implementation is not possible with the provided information. The `SECURITY.md` file outlines a clear vulnerability reporting process.
Updated: 2026-01-12GitHub
100
12501
Low Cost
googleapis icon

genai-toolbox

by googleapis

Sec6

Provides an open-source MCP server to simplify the development and deployment of Gen AI tools that interact with various databases, handling complexities like connection pooling and authentication.

Setup Requirements

  • ⚠️Requires Go (for compiling from source or running directly from source)
  • ⚠️Requires Node.js (for `npx` local run of the server and some client SDKs)
  • ⚠️Requires specific database instances (e.g., PostgreSQL, BigQuery, MongoDB) with connection details and appropriate IAM permissions, which can be complex to configure.
  • ⚠️The use of `templateParameters` in tools introduces SQL injection risks; developers must manually apply `allowedValues` or `escape` for string inputs to mitigate this, or avoid them entirely.
Verified SafeView Analysis
The server incorporates robust security features such as OIDC-based authentication, CORS, and DNS rebinding attack prevention. However, a critical security consideration lies in the 'template parameters' available for SQL-based tools. While standard parameterized queries inherently prevent SQL injection, 'template parameters' are designed to allow direct modification of SQL statements, including identifiers, column names, and table names. The documentation explicitly notes this makes them 'more vulnerable to SQL injections'. Developers are advised to prefer standard parameters or, if using template parameters, to diligently implement `allowedValues`, `escape`, or `minValue`/`maxValue` for validation. Hardcoded secrets are discouraged by the use of environment variables for configuration, which should be managed securely (e.g., via Secret Manager in cloud deployments).
Updated: 2026-01-19GitHub
100
79215
Low Cost
punkpeye icon
Sec9

This repository serves as a curated list of Model Context Protocol (MCP) servers, frameworks, and utilities, providing a comprehensive directory for developers and AI practitioners.

Verified SafeView Analysis
The provided source code consists of README files and a CONTRIBUTING.md. As a static documentation repository, it does not contain executable server code that could pose direct runtime security risks (e.g., 'eval', obfuscation, hardcoded secrets) within its own files. The primary security consideration would be the trustworthiness of the numerous external links to other repositories and websites listed within the documentation, which are outside the scope of this direct source code analysis.
Updated: 2026-01-19GitHub
100
20409
Medium Cost
activepieces icon

activepieces

by activepieces

Sec9

An all-in-one AI automation platform designed to be extensible, serving as an open-source replacement for Zapier. It enables users to build AI-driven workflows and integrations using a type-safe TypeScript framework, and functions as a comprehensive MCP toolkit for connecting LLMs to various services.

Setup Requirements

  • ⚠️Requires Docker and/or orchestration tools like Docker Compose, Kubernetes (Helm), or cloud providers (AWS ECS with Pulumi) for deployment.
  • ⚠️Requires external PostgreSQL for persistent storage and Redis for queuing in most deployments (SQLite/in-memory options exist for dev/testing).
  • ⚠️Development setup specifically checks for and installs 'bun' for package management, and requires Node.js v18 or v20.
  • ⚠️Optional integrations with S3 for file storage (requires AWS credentials) and SMTP for email notifications (requires SMTP server details).
Verified SafeView Analysis
The project demonstrates strong security practices including dynamic generation of secrets for production deployments (AP_API_KEY, AP_JWT_SECRET, ENCRYPTION_KEY) and the use of `isolated-vm` for sandboxing user-provided code in flow steps, mitigating execution risks. A `SECURITY.md` document outlines a responsible vulnerability disclosure policy. A minor concern is the hardcoded PostgreSQL password in `docker-compose.dev.yml`, though this is specific to a development environment and not intended for production.
Updated: 2026-01-19GitHub
100
2022
Low Cost
lemonade-sdk icon

lemonade

by lemonade-sdk

Sec7

Lemonade Server is a high-performance C++ HTTP server providing local OpenAI-compatible API endpoints for various AI inference tasks including large language models (LLMs), embeddings, reranking, and audio transcription, with a focus on AMD Ryzen AI hardware acceleration.

Setup Requirements

  • ⚠️NPU models specifically require AMD Ryzen AI 300- and 400-series processors with XDNA2 NPUs running Windows 11.
  • ⚠️A working internet connection is required for initial setup to automatically download `ryzenai-server` (for NPU models) and other backend binaries/models from GitHub and Hugging Face releases.
  • ⚠️Building from source requires CMake 3.28+, a C++17 compatible compiler, Git, and platform-specific dependencies (e.g., Visual Studio on Windows, `build-essential` on Linux, Xcode on macOS).
Verified SafeView Analysis
The server binds to `localhost` by default, which is safe; however, if configured to bind to `0.0.0.0`, it would expose the API externally. The API lacks authentication by default if the `LEMONADE_API_KEY` environment variable is not set, posing a risk if exposed. Cross-Origin Resource Sharing (CORS) is enabled for all origins (`*`), a common practice for local development but a potential vulnerability for externally-exposed servers. It automatically downloads model backends and LLM models from trusted GitHub and Hugging Face repositories, which can introduce supply chain risks if these sources are compromised, though it utilizes version pinning and explicit URLs. On Windows, the build incorporates Control Flow Guard, ASLR, and DEP. Linux builds are headless-only and use permissively licensed dependencies.
Updated: 2026-01-19GitHub
100
1147
Medium Cost
hashicorp icon
Sec8

Provides seamless integration with Terraform Registry APIs and HCP Terraform/Terraform Enterprise APIs, enabling AI assistants/LLMs to generate high-quality Terraform code and automate IaC workflows.

Setup Requirements

  • ⚠️Requires Docker to run in a containerized environment.
  • ⚠️Requires an AI assistant/LLM that supports the Model Context Protocol (MCP).
  • ⚠️HCP Terraform/Terraform Enterprise API token (TFE_TOKEN) is required for accessing private registries or TFE/TFC management features.
Verified SafeView Analysis
The server implements CORS, rate limiting, and explicit gating for destructive Terraform operations (ENABLE_TF_OPERATIONS). It warns against using TFE_SKIP_TLS_VERIFY in production and against untrusted MCP clients/LLMs due to potential data exposure. Sensitive variables like TFE_TOKEN are handled securely, preventing their exposure in logs or query parameters. It is currently intended for local use only, and careful configuration of allowed origins is critical for HTTP transport.
Updated: 2026-01-16GitHub
100
3293
Medium Cost
cloudflare icon
Sec8

Centralized platform for Cloudflare's Model Context Protocol (MCP) servers, enabling AI clients to interact with diverse Cloudflare services using natural language for configuration, data analysis, and task automation.

Setup Requirements

  • ⚠️Requires a Cloudflare account. Local development can use either Cloudflare OAuth client ID/secret or a global Cloudflare API token. Production deployment relies on securely configured Cloudflare API tokens/OAuth credentials.
  • ⚠️Requires creating and configuring a KV namespace named 'OAUTH_KV' for OAuth state management.
  • ⚠️Some advanced features exposed by the MCP servers may require a paid Cloudflare Workers plan.
  • ⚠️Each server application within the monorepo requires specific Cloudflare Workers bindings (e.g., Durable Objects, KV, R2, AI, Analytics Engine) to be configured via 'wrangler' for deployment.
Verified SafeView Analysis
The project uses standard Cloudflare OAuth for authentication and properly manages secrets via environment variables, demonstrating good security practices. Input validation is extensively handled with 'zod'. The 'apps/sandbox-container' application offers shell execution and file system interactions; while this is a critical security capability, it is designed as a specialized development/evaluation tool with an implied need for controlled, isolated environments. This specific use case is justified for a sandbox but requires stringent deployment and isolation considerations. No obvious malicious patterns or obfuscation were found.
Updated: 2026-01-15GitHub
100
1693
High Cost
ravitemer icon

mcphub.nvim

by ravitemer

Sec2

Integrates Model Context Protocol (MCP) servers with Neovim to enable AI agent interaction for tools, resources, and prompts within the editing workflow.

Setup Requirements

  • ⚠️Requires Node.js >= 18.0.0 for the mcp-hub backend.
  • ⚠️Requires `mcp-hub` binary installation (globally via npm, locally bundled, or custom path).
  • ⚠️Requires `plenary.nvim` Neovim plugin.
  • ⚠️Potential high token usage due to large file reads, LSP diagnostics, and verbose prompt contexts sent to LLMs.
  • ⚠️Using function-based auto-approval for critical tools (like file system operations) is highly recommended over boolean auto-approval to mitigate risks.
Review RequiredView Analysis
CRITICAL: The server exposes highly dangerous built-in tools callable by LLMs, including `execute_command` (arbitrary shell command execution), `execute_lua` (arbitrary Lua code execution within Neovim), and `loadstring` (arbitrary Lua expression evaluation). If an LLM or user input is compromised (e.g., via prompt injection) or misaligned, these tools could be exploited to execute malicious code or commands on the user's system with Neovim's permissions. The 'auto_approve' feature, if enabled, further bypasses user confirmation for these operations, significantly increasing the risk. While intended for powerful automation, these capabilities represent a severe security vulnerability. The `SECURITY.md` outlines general considerations but does not specifically address the inherent risks of these built-in powerful execution tools being directly exposed to LLMs.
Updated: 2026-01-18GitHub
100
12409
Low Cost
ruvnet icon

claude-flow

by ruvnet

Sec9

AI Agent Orchestration and Development Platform for Claude Code

Setup Requirements

  • ⚠️Requires Node.js >= 20.0.0 or Bun >= 1.0.
  • ⚠️Requires global installation of @anthropic-ai/claude-code CLI.
  • ⚠️ANTHROPIC_API_KEY is mandatory for interaction with Claude models (paid service).
  • ⚠️Full RuVector capabilities (advanced vector database) require a running PostgreSQL instance, ideally the ruvnet/ruvector-postgres Docker image.
  • ⚠️Default MCP server port (3000) might be in use by other services.
  • ⚠️Docker knowledge may be required for managing the RuVector PostgreSQL database for full features.
Verified SafeView Analysis
The project demonstrates a very strong focus on security, incorporating multiple layers of protection. This includes comprehensive input validation (Zod-based), robust path traversal prevention, and command sandboxing with allowlisted commands to prevent injection attacks. Credential handling utilizes bcrypt for password hashing and generates cryptographically secure API keys. A dedicated AI-powered system (AIDefence) is in place for real-time threat detection, including prompt injection, jailbreak attempts, and PII scanning. The project also claims active CVE monitoring and remediation. While no system is entirely impervious, the explicit and multi-faceted security measures outlined in the documentation and confirmed by code structure suggest a high level of security design.
Updated: 2026-01-18GitHub
100
2443
High Cost
OpenBMB icon

UltraRAG

by OpenBMB

Sec7

An open-source RAG framework for building, experimenting, and evaluating complex Retrieval-Augmented Generation (RAG) pipelines with low-code YAML configurations and native multimodal support.

Setup Requirements

  • ⚠️Requires GPUs for optimal performance, especially for vLLM, FAISS-GPU, and certain embedding models; `gpu_ids` is frequently configured.
  • ⚠️Requires various API keys (e.g., OPENAI_API_KEY, EXA_API_KEY, TAVILY_API_KEY, ZHIPUAI_API_KEY) for accessing external LLM and search services, which are typically paid.
  • ⚠️External system dependencies include Node.js (version >=20 is checked) for remote MCP servers and the `mineru` executable for advanced document parsing.
  • ⚠️FAISS (faiss-cpu or faiss-gpu-cu12, specific to CUDA version) is an optional dependency for the retriever backend.
Verified SafeView Analysis
The server uses `ast.literal_eval` for parsing configuration values like list delimiters, which is generally safer than `eval` but still processes string input as Python literals. Subprocess execution (`subprocess.Popen`, `asyncio.create_subprocess_exec`) is used for launching MCP servers and external tools like `mineru`, which is inherent to its architecture; parameters appear to be sanitized or derived from trusted sources. Network risks include making API calls to external LLM providers (OpenAI, ZhipuAI) and web search services (Exa, Tavily), and also supports deploying a remote retriever via a configurable URL (`retriever_url`). If `retriever_url` is user-controlled in a non-isolated environment, it could pose a Server-Side Request Forgery (SSRF) risk. Hardcoded secrets are avoided by relying on environment variables (e.g., `LLM_API_KEY`, `EXA_API_KEY`). The framework's overall security depends significantly on how users configure and deploy individual MCP servers and pipelines.
Updated: 2026-01-19GitHub
100
7905
Medium Cost
awslabs icon

mcp

by awslabs

Sec3

Enables AI assistants to interact with AWS DocumentDB databases, providing tools for connection management, database/collection operations, document querying, aggregation pipelines, query planning, and schema analysis. It acts as a bridge for safe and efficient database operations through the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires network access to the DocumentDB cluster (e.g., via VPC peering, security group rules).
  • ⚠️Requires an SSL/TLS certificate (typically `global-bundle.pem`) for TLS-enabled DocumentDB clusters.
  • ⚠️The DocumentDB connection string must explicitly include `retryWrites=false`.
  • ⚠️Requires the `uv` Python package manager for installation (`uvx` command in examples).
Review RequiredView Analysis
Critical: Database connection strings (containing credentials) are stored in memory for the `_idle_timeout` duration (default 30 minutes). If the server process is compromised, these credentials could be exposed. High: The server lacks inherent authentication and fine-grained authorization for incoming MCP requests, assuming the calling agent is fully trusted. It provides a `--allow-write` flag for a binary read-only/read-write mode, but not granular access control per operation or user. Medium: Queries and aggregation pipelines are passed directly to `pymongo`, which protects against classic SQL injection but allows trusted (or compromised) agents to perform potentially resource-intensive or data-exposing operations. Error logging might inadvertently expose sensitive connection details depending on `pymongo`'s exception messages.
Updated: 2026-01-19GitHub
100
3056
Low Cost
dinoki-ai icon

osaurus

by dinoki-ai

Sec9

Osaurus is an AI edge runtime for macOS, enabling users to run local and cloud AI models, orchestrate tools via the Model Context Protocol (MCP), and power AI applications and workflows on Apple Silicon.

Setup Requirements

  • ⚠️Requires macOS 15.5+ and Apple Silicon (M1 or newer) due to MLX Runtime optimization.
  • ⚠️Initial setup involves downloading Whisper models for voice input and LLM models from Hugging Face, requiring internet connection and several gigabytes of disk space.
  • ⚠️Voice input (WhisperKit) and Transcription Mode require granting specific macOS permissions: Microphone, Screen Recording (for system audio), and Accessibility (for global dictation).
Verified SafeView Analysis
The project demonstrates strong security practices for user data and application integrity. API keys for remote providers are securely stored in the macOS Keychain. The plugin system incorporates explicit permission policies (e.g., 'ask', 'auto', 'deny') for tools, including granular macOS system permissions (Automation, Accessibility, Full Disk Access), giving users control over tool capabilities. All distributed plugins (dylibs) are required to be code-signed with a Developer ID Application certificate. The server runs locally by default and network exposure is a configurable user option. No obvious malicious patterns like obfuscation or direct `eval` usage are found in the core application logic. CI/CD scripts handle sensitive environment variables (e.g., GitHub tokens, Apple certificates) for release processes, which is standard but relies on the security of the CI environment itself.
Updated: 2026-01-19GitHub
PreviousPage 1 of 190Next