Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (374)

100
1168
Low Cost
Sec8

A Model Context Protocol (MCP) server providing persistent, semantic memory storage and retrieval capabilities for AI agents. It supports lightweight semantic reasoning (contradiction, causal inference), content chunking, multi-backend storage (SQLite-vec, Cloudflare, Hybrid), autonomous memory consolidation (decay, association, clustering, compression, forgetting), and real-time updates via SSE. It's designed for token-efficient interaction with LLMs.

Setup Requirements

  • ⚠️Requires Python dependencies like PyTorch (or ONNX Runtime & Tokenizers for CPU-only), sentence-transformers, sqlite-vec, mcp, aiohttp, fastapi, and uvicorn. Installation might be complex due to platform-specific PyTorch/GPU setup.
  • ⚠️Initial model downloads (~300MB for 'all-MiniLM-L6-v2') can cause timeouts during first-time startup if network is slow or dependencies are not pre-cached.
  • ⚠️Cloudflare storage backend requires `CLOUDFLARE_API_TOKEN` and `CLOUDFLARE_ACCOUNT_ID` environment variables configured, alongside other D1/Vectorize/R2 specifics.
Verified Safe
The server employs good security practices, such as lazy initialization of storage, reliance on environment variables for sensitive data (e.g., Cloudflare API tokens, OAuth keys), and the generation of JWT keys rather than hardcoding. It uses `httpx` and `aiohttp` for external network calls, and `aiosqlite` with parameterized queries for database interactions, mitigating SQL injection risks. Document upload handlers attempt to prevent path traversal. `json.dump` is used for file writing, which is safer than `pickle`. Extensive use of `subprocess.run` occurs in installation and maintenance scripts, which is expected for such operations but could be a vector if those scripts are not carefully managed. Overall, no immediate critical vulnerabilities like `eval()` on untrusted input or hardcoded universal secrets were found in the core server logic, making it reasonably safe for its intended use case.
Updated: 2026-01-19
100
1589
Medium Cost

agentgateway

by agentgateway

Sec8

An API Gateway specialized for agent-to-agent and agent-to-tool communication, providing routing, security, and AI/LLM integration capabilities.

Setup Requirements

  • ⚠️Requires OpenSSL for regenerating test certificates (standard on most Unix-like systems).
  • ⚠️Many examples utilize Docker/Docker Compose for deployment, suggesting it's a common setup. Requires a Rust toolchain to build and run from source.
  • ⚠️For AI/LLM functionalities, external API keys and credentials (e.g., OpenAI, Anthropic, AWS Bedrock, Google Vertex AI) are required, which may incur costs.
Verified Safe
The project demonstrates a strong focus on security, implementing TLS/mTLS, JWT, RBAC, and rate-limiting policies. It also includes AI-specific guardrails like prompt guarding and PII recognition. Test certificates are explicitly marked as 'test-only' and not for production use. Configuration often leverages environment variables for sensitive data. The use of Common Expression Language (CEL) for policy evaluation, while involving an 'eval'-like mechanism, is a controlled, sandboxed execution environment and not a general arbitrary code execution risk. Overall, the architecture and implementation suggest a high standard for security, with primary risks stemming from potential misconfigurations rather than inherent vulnerabilities.
Updated: 2026-01-19
94
133
Medium Cost

memory-graph

by gregorydickson

Sec9

A graph-based MCP server that provides intelligent memory capabilities for Claude Code, enabling persistent knowledge tracking, relationship mapping, and contextual development assistance.

Setup Requirements

  • ⚠️Requires a compatible database backend (SQLite is default, but others like Neo4j, Memgraph, FalkorDB, Turso, LadybugDB, or a Cloud API require specific installations and configurations).
  • ⚠️Persistent storage in remote Claude Code Web environments requires 'MEMORYGRAPH_API_KEY' or 'MEMORYGRAPH_TURSO_URL' and 'MEMORYGRAPH_TURSO_TOKEN' environment variables.
  • ⚠️Optional Python packages (e.g., 'neo4j', 'falkordb', 'redislite', 'libsql-experimental', 'real_ladybug', 'spacy') are needed for specific backends or NLP features.
Verified Safe
Input validation is extensively used for memory and relationship data, preventing common injection vulnerabilities (e.g., SQL injection in SQLite/Turso backends) by using parameterized queries. Sensitive information (API keys, passwords, private keys, emails) is actively redacted from memory content before storage, a strong security feature. Subprocess calls for 'git' operations are controlled and generally safe, but always warrant careful review. Authentication for cloud/multi-tenant modes relies on external configuration (API keys, JWT), whose secure management is external to this component but acknowledged.
Updated: 2026-01-13
91
1918
High Cost

dbhub

by bytebase

Sec8

A database gateway that exposes SQL data sources via a RESTful API and the Model Context Protocol (MCP), enabling structured interaction with multiple database types.

Setup Requirements

  • ⚠️Requires database configuration via DSN environment variable, --dsn flag, or a dbhub.toml file. No default database is configured without --demo mode.
  • ⚠️SSH tunneling requires --ssh-host and --ssh-user (and either --ssh-password or --ssh-key) CLI arguments or environment variables, necessitating proper SSH setup and key management.
  • ⚠️The HTTP transport operates in a stateless mode where the entire MCP server and its tools are re-initialized for every incoming /mcp request. This incurs significant overhead and impacts efficiency, especially for deployments with many configured sources and tools.
Verified Safe
The server employs several good security practices, including explicit redaction of sensitive credentials (passwords, SSH keys) from API responses and the use of parameterized queries in database connectors to mitigate SQL injection risks. It also includes SDK-level read-only mode enforcement for PostgreSQL and SQLite. CORS is configured to allow requests only from localhost origins. Potential areas for further tightening include a more explicit whitelist for CORS origins beyond simple localhost checks. The server relies on user-provided DSNs and SSH configurations, requiring careful handling of these inputs by the deployment environment.
Updated: 2026-01-02
85
556
High Cost
Sec9

Provides secure and controlled access to the local filesystem via the Model Context Protocol (MCP) for AI agents and other applications.

Setup Requirements

  • ⚠️Requires explicit specification of allowed directories at startup for security.
  • ⚠️If not using Docker, requires a Go development environment for installation or compilation.
  • ⚠️When using Docker with host filesystem interaction, proper volume mounting is necessary.
Verified Safe
The server implements robust path validation including absolute path resolution, explicit allowed directories, and comprehensive symlink resolution with security checks to prevent directory traversal attacks. All file operations leverage this validation. The 'modify_file' tool uses regex, which could theoretically be vulnerable to ReDoS if patterns are untrusted, but this is mitigated by the overall path restrictions. No hardcoded secrets or arbitrary code execution mechanisms ('eval') were found. The server operates with the privileges of its running user, which is standard for local tools.
Updated: 2025-11-24
72
10
Medium Cost

Provides sandboxed filesystem access for AI agents to explore directories, read/search file content, and safely edit text files with checksum verification.

Setup Requirements

  • ⚠️Requires `Bun` runtime for the primary `dev` and `start` scripts.
  • ⚠️User MUST configure accessible directories via `FS_ROOTS` or `FS_ROOT` environment variables, otherwise the filesystem tools will be non-functional or report 'OUT_OF_SCOPE' errors.
  • ⚠️When connecting to clients (e.g., Claude Desktop), the `args` parameter often requires the absolute path to the server's entry point (e.g., `/absolute/path/to/files-mcp/src/index.ts`).
Verified Safe
The server implements strong sandboxing by preventing absolute paths and directory traversal (`..`) outside configured mount points (`FS_ROOTS`). All file operations are routed through a robust path resolution layer (`src/lib/paths.ts`). Input validation is performed using Zod, mitigating common injection risks. File write operations (`fs_write`) strongly recommend checksum verification to prevent stale or unintended overwrites, enhancing data integrity. There is no apparent use of `eval` or direct arbitrary command execution. Glob patterns for searching are converted to safe regular expressions, not shell commands. Communication is via stdin/stdout, reducing network attack surface.
Updated: 2025-12-09
66
326
Medium Cost

MemoryMesh

by CheMiguel23

Sec9

A local knowledge graph server for AI models, focusing on structured memory for text-based RPGs and interactive storytelling.

Setup Requirements

  • ⚠️Requires Node.js version 18 or higher.
  • ⚠️Requires manually configuring an absolute path to 'dist/index.js' in Claude Desktop's 'claude_desktop_config.json'.
Verified Safe
The server primarily uses standard I/O (stdio) for communication with the MCP client, which inherently limits direct network attack surfaces. No usage of 'eval' or other highly dangerous functions was found. Configuration paths are dynamic or hardcoded to the local build directory. The SDK ('@modelcontextprotocol/sdk') does include dependencies like 'express' and 'cors', which are typically for HTTP servers, but this specific implementation leverages its 'StdioServerTransport' for the core MCP interaction, mitigating common web-based vulnerabilities for the MemoryMesh application itself. No hardcoded sensitive credentials detected.
Updated: 2026-01-17
55
83
Medium Cost

tiger-cli

by timescale

Sec5

Tiger CLI provides a Model Context Protocol (MCP) server that enables AI assistants to interact with Tiger Cloud database services, manage service lifecycles, execute SQL queries, and access documentation via proxied tools.

Setup Requirements

  • ⚠️Requires authentication via `tiger auth login` or environment variables `TIGER_PUBLIC_KEY` and `TIGER_SECRET_KEY`.
  • ⚠️Database services created by MCP tools will incur costs on the Tiger Cloud platform.
  • ⚠️The MCP server runs in the foreground when started with `tiger mcp start`.
  • ⚠️Setting up the MCP client (e.g., AI assistant, IDE) is required after `tiger mcp install`.
Review Required
The codebase demonstrates secure credential handling practices, using system keyrings, .pgpass files, or PGPASSWORD environment variables. Critical issues around credential exposure and resource leaks have been fixed. However, a high-severity concern remains regarding insufficient input validation for user-provided psql arguments, which could lead to command injection vulnerabilities if malicious arguments are crafted. This issue is marked 'UNDER REVIEW' in the internal code review. The server also proxies tools from a remote documentation MCP server, introducing a dependency on an external service that should be considered for supply chain risk.
Updated: 2026-01-17
55
1
High Cost

mcp-s3

by txn2

Sec9

The mcp-s3 server enables AI assistants to interact with Amazon S3 and S3-compatible object storage for tasks like browsing buckets, reading/writing objects, and generating presigned URLs.

Setup Requirements

  • ⚠️Requires AWS/S3-compatible credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) and an S3 service endpoint (e.g., AWS S3, SeaweedFS, LocalStack).
  • ⚠️Write operations (put, delete, copy) are disabled by default (`MCP_S3_EXT_READONLY=true`) for safety; must be explicitly enabled for full functionality.
  • ⚠️Object retrieval (GET) is limited to 10MB by default (`MCP_S3_MAX_GET_SIZE=10MB`), and uploads (PUT) to 100MB (`MCP_S3_MAX_PUT_SIZE=100MB`), potentially affecting large file transfers for AI assistants.
Verified Safe
The project demonstrates a strong focus on security, with defaults like read-only mode, size limits, and configurable prefix-based ACLs. It leverages the AWS SDK's credential chain for secure access and explicitly warns against committing credentials. Audit logging is available. No 'eval' or malicious patterns were found in the provided source. The `SECURITY.md` file comprehensively covers best practices and verification methods, contributing to a high security posture.
Updated: 2026-01-18
55
1
Medium Cost
Sec9

A personal knowledge base and session memory system for AI agents, enabling semantic search and persistent local storage.

Setup Requirements

  • ⚠️Requires Bun runtime environment to be installed (`bun:sqlite` is used).
  • ⚠️Requires initial download of a local embedding model (BGE-small-en-v1.5) on first use, which may take time and disk space.
Verified Safe
Input validation is handled by Zod schemas for all tool arguments. All data is stored locally in SQLite and LanceDB (vector database) within the user's local share directory, or a custom path via environment variable. The server uses StdioServerTransport, meaning it communicates via standard input/output streams, which is inherently safer than opening network ports. Embedding models are downloaded locally by `fastembed` from trusted sources, without arbitrary code execution. No direct `eval` or `child_process.exec` calls were found. The primary risk would be overly permissive data access if the `OPENCODE_PK_DATA_DIR` is set to an insecure location.
Updated: 2025-12-15
55
5
Medium Cost
Sec8

Builds an AI-powered file assistant server using Model Context Protocol for intelligent interaction with local files.

Setup Requirements

  • ⚠️Requires Claude Desktop to be installed and manually configured via its JSON settings file.
  • ⚠️Requires editing a configuration file with absolute paths, which can be prone to errors for new users.
  • ⚠️Requires Python 3.11+.
Verified Safe
The server skeleton code itself is generally safe, as critical file operation logic (list_resources, read_resource, search_files) is left as TODOs for workshop participants. The 'read_resource' TODO explicitly guides for a security measure ('ensure file is in FILES_DIR'), indicating awareness of path traversal risks. However, the actual security depends on how these TODOs are implemented by attendees. The provided code does not use 'eval' or contain hardcoded secrets. Its scope is limited to a 'test_files' directory by default.
Updated: 2025-12-15
55
1
Low Cost

crypto-mcp

by pand40x

Sec9

Provides real-time and historical cryptocurrency data to LLM applications, using Binance as the primary source and CoinMarketCap as a fallback.

Setup Requirements

  • ⚠️Requires CoinMarketCap API keys for fallback functionality, which must be obtained and configured in a .env file.
  • ⚠️The MCP client configuration requires the absolute path to the 'build/index.js' file, which can be a common point of error.
  • ⚠️Node.js v20.0.0 or higher is required.
Verified Safe
The server uses environment variables for API keys and `zod` for input validation, which are good security practices. It avoids hardcoding secrets and utilizes public API endpoints where possible. No 'eval' or other directly dangerous functions are used. Symbol normalization helps prevent injection. The overall design prioritizes robustness and security within its operational scope.
Updated: 2025-11-29