Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(846)

100
2925
Low Cost
cameroncooke icon

XcodeBuildMCP

by cameroncooke

Sec7

A Model Context Protocol (MCP) server that provides Xcode-related tools for AI assistants, enabling programmatic interaction with Xcode projects, simulators, devices, and Swift packages.

Setup Requirements

  • ⚠️Requires macOS, Node.js (>=18.x), and Xcode 16 to be installed locally.
  • ⚠️Requires an MCP-compatible AI client (e.g., OpenAI Codex CLI, Claude Code CLI, Smithery) for interaction.
  • ⚠️Dynamic tool discovery (`discover_tools`) uses an LLM, implying a connected LLM provider and potential associated API costs for the client.
  • ⚠️Code signing setup is required for deploying apps to physical iOS/iPadOS/visionOS devices.
Verified SafeView Analysis
The server uses `child_process.spawn` and `execSync` for system commands, which is expected for a developer tool. Many calls explicitly use `shell: true` which, while safe for fixed commands, could be a vector for shell injection if user-provided strings are not properly sanitized. Specifically, `stop_mac_app` uses `pkill -f "${params.appName}" || osascript -e 'tell application "${params.appName}" to quit'` with `sh -c`. If `appName` (a Zod `z.string()`) is provided by a malicious MCP client without further shell-specific sanitization, it could lead to arbitrary command execution. Project scaffolding downloads templates from GitHub, introducing a supply chain risk if the template repo is compromised. Sentry integration is present for error reporting, which sends environment information to a third-party (opt-out is available).
Updated: 2025-12-01GitHub
100
2021
Low Cost
davepoon icon
Sec7

Provides a command-line interface to browse, install, manage, and verify Claude Code subagents, commands, and external MCP (Model Context Protocol) servers, facilitating local and project-level configuration for development workflows.

Setup Requirements

  • ⚠️Requires Node.js and npm.
  • ⚠️Requires Docker Desktop and Docker MCP Toolkit for Docker MCP server management.
  • ⚠️Requires Claude Code CLI for full MCP server management and verification.
Verified SafeView Analysis
The bwc-cli itself is a management tool that executes shell commands, reads/writes local configuration files, and fetches content from remote registries. While it doesn't contain obvious hardcoded secrets or malicious patterns, its security posture is highly dependent on the user's trust in the installed subagents, commands, and external MCP servers, as well as the security of the docker and claude CLI tools it invokes. It handles user inputs and configuration that could contain sensitive data, requiring users to be mindful of what they install and how they configure remote MCPs. The project fetches resources from external URLs (GitHub, Docker Hub), which could pose a risk if those sources were compromised.
Updated: 2025-11-25GitHub
100
1692
High Cost
brightdata icon

brightdata-mcp

by brightdata

Sec8

The MCP server enables AI agents to access real-time web data and perform browser automation for tasks like research, e-commerce intelligence, market analysis, and content creation, bypassing bot detection and CAPTCHAs.

Setup Requirements

  • ⚠️Requires a Bright Data API Key (free tier available for basic tools, Pro mode incurs additional charges)
  • ⚠️Requires Node.js installed to run locally
  • ⚠️Requires a stable internet connection to connect to Bright Data's services and browser CDP endpoint
Verified SafeView Analysis
The server primarily acts as a wrapper around Bright Data's secure APIs, passing user-provided URLs and queries. It uses environment variables for sensitive API tokens and zone configurations, which is a good practice. Browser automation relies on ARIA refs, which are more robust and less prone to injection than arbitrary CSS selectors. The `extract` tool sends scraped markdown content along with an optional user prompt to an LLM for structured extraction. While the tool attempts to constrain the LLM's response to JSON, the injection of user-controlled `extraction_prompt` into the LLM's input is a potential vector for prompt injection for the LLM itself, though not a direct code execution vulnerability within the MCP server. No `eval` or blatant direct code injection patterns are observed. Overall, it delegates core web interaction security to Bright Data's infrastructure.
Updated: 2025-12-03GitHub
100
12923
High Cost
triggerdotdev icon

trigger.dev

by triggerdotdev

Sec3

Local development and AI agent interface for Trigger.dev workflows, enabling Python script execution and managing tasks, runs, and deployments.

Setup Requirements

  • ⚠️Requires OpenAI API Key (Paid)
  • ⚠️Docker / Kubernetes environment required for deployments/workers
  • ⚠️Python 3.x and `uv pip` for dependencies
  • ⚠️PostgreSQL database required
  • ⚠️Redis instance required
  • ⚠️Slack Bot Token & Channel ID required
  • ⚠️S2 Access Token required
  • ⚠️AWS Credentials (for ECR/S3) required for some features
Review RequiredView Analysis
Direct SQL query execution (e.g., `sql.query`) in AI agent tools (e.g., `executeSql`) poses a severe SQL injection risk if the `queryApproval` mechanism is insufficient or bypassed. Execution of AI-generated Python code relies on external sandbox isolation (E2B Code Interpreter). The `deploy` command and related `docker` executions involve running external commands, which can be a security concern. The `install-mcp` command modifies local client configuration files, requiring user trust. `verifySlackRequest` middleware is marked as `TODO`, indicating a potential vulnerability to forged Slack requests. Python scripts executed via `python.runScript` with user-controlled URLs could lead to SSRF or arbitrary file access. OOM test tasks demonstrate potential resource exhaustion if not properly handled.
Updated: 2025-12-05GitHub
100
3520
Medium Cost
CursorTouch icon

Windows-MCP

by CursorTouch

Sec3

Enables AI agents to interact with the Windows operating system for tasks such as file navigation, application control, UI interaction, and QA testing.

Setup Requirements

  • ⚠️Requires Python 3.13+
  • ⚠️Requires UV package manager (installable via pip)
  • ⚠️Primarily designed for Windows 7-11
  • ⚠️English as the default Windows language is highly preferred, or 'App-Tool' functionality may be affected.
Review RequiredView Analysis
The server includes a 'Powershell-Tool' which allows the execution of arbitrary PowerShell commands, posing a critical security risk for remote code execution and system manipulation. Other tools like 'Click-Tool', 'Type-Tool', 'Drag-Tool', and 'Shortcut-Tool' interact directly with the Windows UI, enabling irreversible and potentially destructive actions (e.g., file deletion, data overwrite). The `SECURITY.md` explicitly warns about these risks, recommending deployment in sandboxed environments or VMs.
Updated: 2025-12-01GitHub
100
5020
Medium Cost
wonderwhy-er icon

DesktopCommanderMCP

by wonderwhy-er

Sec5

Enables an AI agent to interact with the local filesystem and terminal, execute commands, analyze data, and perform code editing.

Setup Requirements

  • ⚠️Requires Node.js v18+ to be installed or Docker for isolated execution.
  • ⚠️Requires `ripgrep` (rg) to be installed on the system for search functionality; it may need manual installation if `@vscode/ripgrep` fails.
  • ⚠️The `sharp` library (for image processing) is dynamically imported and may require additional system dependencies or fail if not present.
  • ⚠️Restarting Claude Desktop is frequently required after installation or configuration changes for updates to take effect.
Verified SafeView Analysis
The server allows direct execution of terminal commands via `start_process`. Although it has a `blockedCommands` list and `allowedDirectories` for filesystem operations, the README explicitly states these can be bypassed by terminal commands (e.g., via symlinks, command substitution, or absolute paths). This means an AI agent, if not perfectly aligned or if exploited, could achieve arbitrary code execution and access/modify files outside the intended scope. The `is_safe_to_run` flag is set to true as the tool's core purpose is to provide these capabilities to an AI, implying a controlled environment and a capable agent.
Updated: 2025-12-05GitHub
100
1224
High Cost
withRefresh icon

web-eval-agent

by withRefresh

Sec2

Autonomously evaluates web applications for UX/UI issues using a browser-driving AI agent, providing detailed reports and live browser view from within an IDE.

Setup Requirements

  • ⚠️Requires Operative API Key (may require paid subscription if free tier limits are reached).
  • ⚠️Requires `uv` (a Python package installer/manager) to be installed.
  • ⚠️Requires Playwright and its browser dependencies (e.g., Chromium) to be installed via `npm` and `uvx`.
  • ⚠️Designed for integration into specific IDEs (Cursor/Cline/Windsurf) via JSON configuration.
Review RequiredView Analysis
Multiple critical security vulnerabilities exist: 1. Cross-Origin Resource Sharing (CORS) is explicitly set to `*` for the Flask-SocketIO server (`cors_allowed_origins='*'`), allowing any website to connect to the local server running on `127.0.0.1:5009`. This allows a malicious website visited by the agent to send arbitrary `agent_control` or `browser_input` events, potentially taking full control of the agent's actions (clicks, keypresses, pause/stop). 2. The browser is launched with `BrowserConfig(disable_security=True)` when using `browser-use` library (`browser_utils.py`), and `launch_persistent_context` is launched with `--no-sandbox` argument (`tool_handlers.py`). Disabling browser security and running without a sandbox exposes the host system to significant risks if the agent navigates to a malicious or compromised web application. 3. A hardcoded, weak `SECRET_KEY` ('secret!') is used for Flask sessions in `log_server.py`, making session-based attacks trivial. 4. Suppressing `stdout` and `stderr` in `log_server.py` hinders auditing and makes it harder to detect anomalous behavior.
Updated: 2025-12-06GitHub
99
820
Low Cost
steipete icon

Peekaboo

by steipete

Sec3

The server acts as a wrapper for a Swift-based macOS automation tool that integrates with multiple AI providers (OpenAI, Anthropic, Grok, Ollama) for screen capture, UI interaction, and AI analysis, functioning as a Model Context Protocol (MCP) server.

Setup Requirements

  • ⚠️Requires macOS Screen Recording and Accessibility permissions.
  • ⚠️Requires API keys for cloud AI providers (OpenAI, Anthropic, Grok), which incur costs.
  • ⚠️For local AI, requires a running Ollama server with specific models (e.g., llama3.3, llava) pulled.
Review RequiredView Analysis
The primary security risk is the 'shell' tool capability exposed to the AI agent. If an attacker can manipulate the agent's prompts to call the 'shell' tool with arbitrary commands, it could lead to remote code execution on the host machine. This is an inherent risk for AI agents designed for system automation and requires extreme caution, strict input filtering, and/or sandboxing if exposed to untrusted input. The system also requires high-privilege macOS permissions (Screen Recording, Accessibility) to function.
Updated: 2025-12-03GitHub
99
935
High Cost
steipete icon

claude-code-mcp

by steipete

Sec6

Provides an MCP server to allow LLMs to directly invoke Claude Code CLI for complex coding, file system, and Git operations, bypassing interactive permission prompts.

Setup Requirements

  • ⚠️Requires Node.js v20 or later.
  • ⚠️Requires Claude CLI to be installed locally.
  • ⚠️Crucial one-time setup: Must manually run 'claude --dangerously-skip-permissions' and accept terms before server use.
  • ⚠️macOS may require folder permissions on first use, causing initial failure.
Review RequiredView Analysis
The server's core function involves executing the Claude CLI with '--dangerously-skip-permissions', explicitly granting broad system access to the underlying LLM. While this is a documented feature and intended behavior, it inherently poses a significant security risk if not deployed in a controlled environment or if untrusted prompts are allowed. The `spawnAsync` function uses `shell: false`, mitigating direct shell injection vulnerabilities from command arguments. Input validation for `CLAUDE_CLI_NAME` prevents relative path execution, which is a good safeguard. However, a malicious prompt targeting the Claude CLI itself or the broader system via Claude's capabilities remains a possibility. Users must be fully aware of the elevated permissions granted.
Updated: 2025-11-25GitHub
99
772
High Cost
inkeep icon

agents

by inkeep

Sec6

The Inkeep Agents project is a comprehensive framework and SDK for building, managing, and running AI agents. This specific 'MCP Server' component (integrated within the Management API) provides a machine-readable API for managing agent configurations, tools, data components, and other project resources.

Setup Requirements

  • ⚠️Requires OpenAI, Anthropic, or Google Generative AI API Keys (Paid services).
  • ⚠️Requires a PostgreSQL database (Docker Compose includes a default).
  • ⚠️Node.js runtime version >= 22.0.0 is required.
  • ⚠️Docker is recommended for local development setup of the full microservice stack.
  • ⚠️Nango integration (for OAuth) requires configuration with `NANGO_SECRET_KEY` and `NANGO_SERVER_URL`.
  • ⚠️Signoz (for observability) requires `SIGNOZ_URL` and `SIGNOZ_API_KEY` configuration.
Review RequiredView Analysis
The project extensively uses Zod for input validation, which is a strong positive. However, it incorporates direct execution of user-provided JavaScript code within sandboxed environments (Vercel Sandbox, Native Sandbox for function tools), which is an inherently high-risk operation. While efforts for isolation are present (e.g., Vercel Sandbox, child_process isolation attempts in NativeSandboxExecutor), any flaw in this sandbox could lead to severe compromise. Development environment defaults include hardcoded weak passwords (e.g., 'password' for Postgres) and explicitly insecure JWT secrets, which are critical risks if deployed to production without modification. Extensive use of environment variables requires careful secret management in deployment to prevent leakage.
Updated: 2025-12-06GitHub
99
822
Medium Cost
arabold icon

docs-mcp-server

by arabold

Sec8

The Documentation MCP Server indexes documentation from various sources (web, local files, registries) and makes it semantically searchable via vector embeddings, primarily for AI coding assistants.

Setup Requirements

  • ⚠️Requires an API key for an external embedding provider (e.g., OpenAI, Google, AWS, Azure), which may incur paid usage costs.
  • ⚠️Requires Playwright-supported browser binaries (e.g., Chromium) to be installed on the system for dynamic content rendering.
  • ⚠️Requires Node.js version 22.x.
Verified SafeView Analysis
The project uses `node:vm`'s `createContext` and `runInContext` within `HtmlJsExecutorMiddleware` for sandboxed JavaScript execution embedded in scraped HTML content. While sandboxed, `node:vm` requires careful isolation to prevent subtle bypasses, and this is explicitly noted as a warning in the code regarding browser API replication. However, it is used for content processing, not arbitrary user command execution. The system also fetches arbitrary external URLs as part of its core function; this is mitigated by scope controls, rate limiting, and robust error handling. SQL database interactions use prepared statements to prevent injection. HTML output is sanitized using DOMPurify where appropriate (e.g., search results). Custom headers propagation and basic auth handling are implemented for network requests, indicating an awareness of secure communication. Overall, security concerns related to its core function of processing untrusted external content appear to be handled with diligence.
Updated: 2025-12-06GitHub
99
1071
Medium Cost
microsoft icon

azure-devops-mcp

by microsoft

Sec9

Provides a local Model Context Protocol (MCP) server to interact with Azure DevOps Services, enabling users to perform various tasks directly from their code editor via an agent (like GitHub Copilot).

Setup Requirements

  • ⚠️Requires Node.js 20+.
  • ⚠️Requires an Azure DevOps organization name as a mandatory argument.
  • ⚠️Authentication involves either interactive OAuth login (browser-based), Azure CLI (`az login` command), or a Personal Access Token (PAT) via the `ADO_MCP_AUTH_TOKEN` environment variable. Multi-tenant scenarios may require explicit tenant ID configuration.
  • ⚠️For optimal experience, integration with Visual Studio Code or Visual Studio 2022 with GitHub Copilot is recommended, along with specific MCP client configuration (e.g., `.vscode/mcp.json` file).
Verified SafeView Analysis
The server leverages `@azure/identity` and `@azure/msal-node` for secure token acquisition, and uses `process.env` for `ADO_MCP_AUTH_TOKEN` which is a standard practice for secrets. There are no obvious 'eval' calls, obfuscation, or malicious patterns. Robust input validation is in place via Zod schemas and a custom build-time validation script. Authentication via browser-based OAuth or Azure CLI ensures secure credential handling, though multi-tenant configurations can introduce setup complexity. The project actively maintains a SECURITY.md and follows Microsoft's Code of Conduct.
Updated: 2025-12-05GitHub
PreviousPage 2 of 71Next