Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(846)

100
4144
Medium Cost
CoplayDev icon

unity-mcp

by CoplayDev

Sec4

MCP for Unity acts as a bridge, allowing AI assistants to interact directly with the Unity Editor to manage assets, control scenes, edit scripts, and automate tasks.

Setup Requirements

  • ⚠️Requires Python 3.10 or newer.
  • ⚠️Requires Unity Hub & Editor 2021.3 LTS or newer, with the 'MCP for Unity Bridge' Unity package installed.
  • ⚠️Requires 'uv' (Python toolchain manager) for local installation and execution, or 'uvx' for direct execution.
Review RequiredView Analysis
The server's core function is to enable AI agents (LLMs) to perform highly privileged operations within the Unity Editor, including editing/creating C# scripts and executing arbitrary Unity menu items or custom C# tools. If the controlling LLM or user input is compromised or malicious, this can lead to arbitrary code execution and significant damage to the Unity project. While the server itself doesn't use dangerous functions like `eval` in Python (it uses `ast.literal_eval` safely) and doesn't contain obvious hardcoded secrets, its design inherently grants powerful capabilities. Binding to `0.0.0.0` (as shown in the Docker example) makes it network-accessible, increasing risk if not properly firewalled or isolated. The `precondition_sha256` for script edits and structured editing aim to mitigate unintended modifications but do not prevent maliciously intended code injection.
Updated: 2025-12-05GitHub
100
7849
Low Cost
modelcontextprotocol icon

inspector

by modelcontextprotocol

Sec1

Inspect, debug, and interact with Model Context Protocol (MCP) servers, including OAuth authentication flows, resource management, and tool execution.

Setup Requirements

  • ⚠️Requires careful management of default ports (6274 for client, 6277 for server) to avoid conflicts.
  • ⚠️Proxy authentication (session token) is enabled by default; the token must be provided from the proxy server's console output for client connection. Can be disabled with `DANGEROUSLY_OMIT_AUTH` (not recommended).
  • ⚠️Direct connection to an MCP server (bypassing the Inspector Proxy) requires the MCP server to have CORS configured to allow requests from the Inspector's origin.
Review RequiredView Analysis
The server component (MCP Inspector Proxy) presents critical security risks. It directly parses untrusted JSON strings from URL query parameters ('query.env') and HTTP headers ('x-custom-auth-headers', 'x-mcp-proxy-auth') using `JSON.parse`. This is a severe JSON injection vulnerability, potentially leading to prototype pollution or remote code execution, depending on the JavaScript runtime. Furthermore, the proxy functionality directly accepts a server URL from query parameters ('query.url') and uses it to initiate connections (`SSEClientTransport`, `StreamableHTTPClientTransport`). This creates a Server-Side Request Forgery (SSRF) vulnerability, allowing an attacker to force the proxy to make requests to arbitrary internal or external systems. The use of `shell-quote` to parse arguments from query parameters (`query.args`) for spawning external commands also adds a potential command injection risk. While a session token is generated on startup for proxy authentication, it can be bypassed using the `DANGEROUSLY_OMIT_AUTH` environment variable, which could lead to unauthorized access if misconfigured. These vulnerabilities make it extremely unsafe to run in any environment where it might be exposed to untrusted users or the public internet.
Updated: 2025-12-06GitHub
100
16052
Medium Cost
ChromeDevTools icon

chrome-devtools-mcp

by ChromeDevTools

Sec5

Enables AI coding agents to control and inspect a live Chrome browser for reliable automation, in-depth debugging, and performance analysis via the Model-Context-Protocol (MCP).

Setup Requirements

  • ⚠️Requires Node.js v20.19+ (or v22.12+) and a current stable version of Chrome browser.
  • ⚠️Connecting to a running Chrome instance requires launching Chrome with `--remote-debugging-port` and a non-default `--user-data-dir`, which introduces security warnings.
  • ⚠️May be incompatible with MCP clients that enforce strict operating system sandboxing (e.g., macOS Seatbelt, Linux containers) if the server needs to launch Chrome itself.
Verified SafeView Analysis
The `evaluate_script` tool explicitly allows AI agents to execute arbitrary JavaScript within the browser context, enabling inspection, debugging, and modification of any data in the browser or DevTools. This is a core, intended feature for powerful automation but inherently carries a significant security risk if the AI client or its prompts are compromised. The server launches or connects to a full Chrome instance, and users are explicitly warned against sharing sensitive information with MCP clients. If connecting to a manually launched browser, enabling the remote debugging port (`--remote-debugging-port`) opens up a debugging interface that any application on the machine can connect to.
Updated: 2025-12-05GitHub
100
9351
Medium Cost
JoeanAmier icon

XHS-Downloader

by JoeanAmier

Sec3

A tool to extract links and collect watermark-free media (images, videos) from RedNote (XiaoHongShu), offering TUI, CLI, API, and MCP interfaces.

Setup Requirements

  • ⚠️Requires Python 3.12+
  • ⚠️Reading browser cookies on Windows requires running the program with administrator privileges.
  • ⚠️Clipboard monitoring functionality on Linux systems requires `xclip` or `xsel` commands (or `qtpy`/`PyQT5` modules) to be installed.
Review RequiredView Analysis
The presence of an obfuscated JavaScript file (`static/20250619.js`) within the repository is a critical security concern. Obfuscated code significantly reduces transparency and makes security auditing extremely difficult, potentially concealing malicious functionalities. Running the `BrowserCookie` feature on Windows requires administrator privileges, which, while a common pattern for such functionality, is a security consideration for users. The API and MCP servers bind to `0.0.0.0` by default, meaning they are accessible from all network interfaces; users should be aware of this for proper network configuration.
Updated: 2025-12-06GitHub
100
16842
High Cost
oraios icon

serena

by oraios

Sec7

Provides a multi-language Code Analysis and Interaction server for AI Agents using the Language Server Protocol (LSP), enabling agents to understand, navigate, and modify codebases.

Setup Requirements

  • ⚠️Requires `uv` (Python package manager/installer) to be installed and in PATH for running the server.
  • ⚠️Requires project-specific YAML configuration files (`serena_config.yml` and `.serena/project.yml`) for each codebase it interacts with.
  • ⚠️Requires pre-installation of language-specific runtime dependencies (e.g., Node.js for TypeScript, Java JDK for Java/Kotlin/Scala, Go for Go, Rustup for Rust, Nix for Nix, Elixir/Next LS for Elixir, etc.) for each language server used.
  • ⚠️Some language servers have platform restrictions (e.g., Elixir's Next LS and Nixd language server typically do not support Windows).
Review RequiredView Analysis
The system is designed to interact with various external language servers and execute shell commands (`ExecuteShellCommandTool`). While this functionality is core to its operation, it inherently introduces risks. An AI agent using this server could potentially execute arbitrary commands on the host system if not properly constrained or monitored. There are no obvious hardcoded credentials or hidden malicious patterns in the truncated source code, and process management is handled with common utilities like `subprocess` and `psutil`.
Updated: 2025-12-06GitHub
100
8458
High Cost
mcp-use icon

mcp-use

by mcp-use

Sec6

A full-stack framework for building Model Context Protocol (MCP) servers, MCP clients, and AI agents in both Python and TypeScript, supporting interactive UI widgets and robust debugging.

Setup Requirements

  • ⚠️Requires Node.js 20+ and Python 3.11+ for full development experience.
  • ⚠️Requires external API keys (e.g., OpenAI, Anthropic, E2B) for most agent functionalities, incurring usage costs.
  • ⚠️The VM-based code executor is Node.js specific; non-Node.js environments (like Deno) will require an E2B API key for code execution.
Verified SafeView Analysis
The framework allows AI agents to generate and execute code within sandboxed environments (Node.js `vm` module or E2B remote sandboxes). While safeguards like `vm.Script.runInNewContext` and external sandboxes (E2B) are used, `vm` isolation is explicitly noted as 'not perfect for untrusted code'. Running AI-generated code, even sandboxed, carries inherent risks. Content Security Policies (CSP) are applied to UI widgets to mitigate XSS, and DNS rebinding protection is available for production deployments. The CLI includes input validation to prevent path traversal and protected directory name usage during project scaffolding. No hardcoded secrets were found; environment variables are used for sensitive configurations.
Updated: 2025-12-06GitHub
100
5495
High Cost
Klavis-AI icon

klavis

by Klavis-AI

Sec8

Creates an AI agent that uses Klavis Strata to interact with Gmail and YouTube through MCP, demonstrating how to summarize a YouTube video and email the summary.

Setup Requirements

  • ⚠️Requires a Klavis API Key (available from klavis.io)
  • ⚠️Requires an OpenAI API Key (available from platform.openai.com)
  • ⚠️The email address 'golden-kpop@example.com' in the example code must be replaced with your actual email address
  • ⚠️Will open a browser window for OAuth authorization with Gmail and YouTube on first use
Verified SafeView Analysis
The example code itself primarily delegates credential handling and OAuth flows to the Klavis platform and standard libraries (LangChain, OpenAI SDK). It uses environment variables (KLAVIS_API_KEY, OPENAI_API_KEY) for authentication, which is standard practice for development but requires secure management in production. OAuth for integrated services (Gmail, YouTube) is handled by the Klavis platform, abstracting away complex, sensitive flows from the example application. The underlying MCP servers within the monorepo generally show good practices for secret handling (ContextVars, base64-decoded `x-auth-data` headers) and API interaction. No direct 'eval' or obvious malicious patterns were found in the provided code snippets.
Updated: 2025-12-06GitHub
100
3346
High Cost
exa-labs icon

exa-mcp-server

by exa-labs

Sec9

Provides AI agents with real-time web search, code context, and deep research capabilities via the Exa AI platform to enhance coding and information retrieval tasks.

Setup Requirements

  • ⚠️Requires an Exa AI API Key, which must be obtained from dashboard.exa.ai/api-keys and provided via environment variable (EXA_API_KEY) or configuration.
  • ⚠️Most tools (e.g., deep_search_exa, crawling_exa, company_research_exa, linkedin_search_exa, deep_researcher_start, deep_researcher_check) are disabled by default and must be explicitly enabled using the `tools` parameter in the server configuration.
  • ⚠️The deep research workflow (`deep_researcher_start` followed by `deep_researcher_check`) requires a multi-turn, polling interaction pattern where the AI agent must repeatedly call `deep_researcher_check` until the task status is 'completed'.
Verified SafeView Analysis
The server correctly handles the Exa AI API key, prioritizing a configuration parameter over an environment variable, and uses secure `axios` calls with timeouts for external API interactions. There is no usage of `eval` or intentional obfuscation. The main security consideration is the secure management of the `EXA_API_KEY` by the user, as the server itself does not introduce direct vulnerabilities.
Updated: 2025-12-05GitHub
100
38704
Medium Cost
upstash icon

context7

by upstash

Sec8

Context7 MCP enhances LLM prompts by injecting up-to-date, version-specific documentation and code examples directly from source code, enabling more accurate and relevant code generation.

Setup Requirements

  • ⚠️Requires Node.js v18.0.0 or higher.
  • ⚠️Context7 API Key is highly recommended for higher rate limits and private repository access; basic usage might be rate-limited without it.
  • ⚠️Relies on an external API (`https://mcp.context7.com/mcp` or `https://context7.com/api`) for documentation content, requiring an active internet connection.
Verified SafeView Analysis
The `mcp/src/lib/encryption.ts` file contains a hardcoded `DEFAULT_ENCRYPTION_KEY` for AES-256-CBC encryption of client IPs. While this is primarily for internal hashing/rate limiting and can be overridden by the `CLIENT_IP_ENCRYPTION_KEY` environment variable, hardcoded default keys are generally not best practice for cryptographic operations. The server relies on an external API (`https://context7.com/api` or `https://mcp.context7.com/mcp`), so the overall security posture depends on the trustworthiness and security of this external service. No `eval` or other directly malicious patterns were found in the provided source code.
Updated: 2025-12-05GitHub
100
1291
Medium Cost
isaacphi icon
Sec7

Proxies a Language Server Protocol (LSP) server to provide semantic code intelligence tools to Model Context Protocol (MCP) clients, enabling LLMs to interact with codebases.

Setup Requirements

  • ⚠️Requires a separately installed Language Server Protocol (LSP) executable (e.g., gopls, rust-analyzer).
  • ⚠️Requires a specific JSON configuration in the MCP client (e.g., Claude Desktop) to define the server command, arguments, and environment variables.
  • ⚠️C/C++ projects using clangd require a `compile_commands.json` file, typically generated by build tools like `bear`.
Verified SafeView Analysis
The server's core function involves executing an external, user-configured Language Server Protocol (LSP) binary as a child process. This LSP child process is granted extensive file system access (read, write, create, rename, delete) within the specified workspace directory to fulfill its duties. While this is inherent to LSP functionality, it means the server's security heavily relies on the trustworthiness of the *user-selected* LSP executable. If a malicious LSP server is configured, it could potentially compromise the workspace or (less directly) the host system. The server itself does not expose network ports, employ `eval`, or contain hardcoded secrets, and validates LSP command existence with `exec.LookPath` and workspace path validity. The risk is primarily in the user's choice of external LSP.
Updated: 2025-12-02GitHub
100
1100
High Cost
NPC-Worldwide icon

npcpy

by NPC-Worldwide

Sec1

A comprehensive Python library and framework for building, evaluating, and serving LLM-powered agents and multi-agent systems, integrating fine-tuning capabilities, knowledge graphs, and scalable model operations, with a built-in Flask API server for deployment.

Setup Requirements

  • ⚠️Requires Ollama for local LLM inference (e.g., `ollama pull llama3.2`).
  • ⚠️Requires external API keys for non-Ollama LLM providers (e.g., `OPENAI_API_KEY`, `ANTHROPIC_API_KEY`, `GEMINI_API_KEY`, `DEEPSEEK_API_KEY`, `PERPLEXITY_API_KEY`, `ELEVENLABS_API_KEY`).
  • ⚠️FFmpeg is required for audio/video processing capabilities.
  • ⚠️PyAudio/PortAudio are required for audio (TTS/STT) functionalities.
  • ⚠️GPU (CUDA) highly recommended for fine-tuning and diffusion models for performance.
  • ⚠️Inotify-tools is required for filesystem triggers.
  • ⚠️Python 3.10+ is a requirement (specified in setup.py).
Review RequiredView Analysis
The server exposes `execute_llm_command` and Jinx `python` engine steps, which can execute arbitrary shell commands (`subprocess.run(..., shell=True)`) and Python code (`eval(...)`) respectively, based on LLM output. This is a critical remote code execution vulnerability if not rigorously sandboxed and input-validated. The example server setup uses `cors_origins=['*']`, which is insecure for production. Direct LLM-to-bash execution without user confirmation or strong sandboxing is extremely dangerous.
Updated: 2025-12-04GitHub
100
24949
Medium Cost
github icon
Sec9

Connects AI tools (agents, assistants, chatbots) directly to GitHub's platform, enabling natural language interactions for repository management, issue/PR automation, code analysis, and workflow automation.

Setup Requirements

  • ⚠️GitHub Personal Access Token (PAT) required for authentication
  • ⚠️Docker required for containerized deployment (recommended method)
  • ⚠️Requires a compatible MCP host application (e.g., VS Code, Claude, Cursor) to interact with the server
Verified SafeView Analysis
The project explicitly addresses secure handling of GitHub Personal Access Tokens (PATs), recommending environment variables and `.env` files to avoid hardcoding or committing tokens. It uses standard Go libraries and does not show signs of 'eval' or obfuscation. Network communication is expected to be with the GitHub API via HTTPS. Overall, it follows good security practices for handling secrets, placing the responsibility on the user to manage their PAT securely.
Updated: 2025-12-05GitHub
PreviousPage 1 of 71Next