Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(184)

100
1655
Low Cost
modelcontextprotocol icon

mcpb

by modelcontextprotocol

Sec8

This repository provides a CLI tool and library for building, validating, packing, signing, and verifying MCP (Model Context Protocol) Bundles, which are zip archives containing local MCP servers and their metadata for distribution.

Setup Requirements

  • ⚠️Requires Node.js runtime to execute the CLI tool itself.
  • ⚠️Certificate signing and verification functionalities (`mcpb sign`, `mcpb verify`) rely on system tools such as `openssl` (Linux/macOS), `security` (macOS), or `powershell.exe` (Windows) being available.
Verified SafeView Analysis
The CLI tool itself appears generally safe to run, with standard file system operations and proper zip slip prevention during unpacking. Cryptographic operations for signing use `node-forge` and rely on external OS tools (`openssl`, `security`, `powershell.exe`) for certificate chain validation. While `execSync` is used for generating self-signed certificates, it's for an optional developer utility with controlled inputs. The primary security consideration for the ecosystem is that the `mcp_config` field in the manifest allows extension developers to specify arbitrary commands and arguments, including variable substitutions. A malicious extension could craft dangerous commands, which the host application (e.g., Claude Desktop) would execute. This highlights the importance of robust sandboxing and validation by the host application that consumes MCPB files from untrusted sources, rather than a direct vulnerability within the `mcpb` tool itself.
Updated: 2026-01-12GitHub
100
2088
Low Cost
agent-infra icon

sandbox

by agent-infra

Sec3

An all-in-one agent sandbox environment offering unified browser, shell, file, Jupyter, VSCode, and MCP operations for AI agents and developers.

Setup Requirements

  • ⚠️Requires Docker, specifically with `--security-opt seccomp=unconfined`, which disables a host security feature and increases risk.
  • ⚠️Python >= 3.13 is required for the evaluation framework (though SDK might support older).
  • ⚠️The evaluation framework relies on `uv` package manager.
  • ⚠️An OpenAI API Key (a paid service) is needed if using the Azure OpenAI Agent Loop for evaluation.
Review RequiredView Analysis
The server is designed to execute arbitrary code (Python, Node.js, shell commands, browser automation), which is inherently high-risk. The recommended Docker run command uses `--security-opt seccomp=unconfined`, disabling a critical host security feature. This removes a layer of defense against container escapes and makes the host system less secure if the container is exploited. Running untrusted AI agent code within such an environment, especially with disabled seccomp, poses a significant security risk to the underlying host.
Updated: 2026-01-19GitHub
88
639
Medium Cost
featureform icon

enrichmcp

by featureform

Sec8

Exposes structured data models as a semantic, discoverable API for AI agents.

Setup Requirements

  • ⚠️Requires Python 3.11+
  • ⚠️LLM-enabled examples require an OpenAI API Key (OPENAI_API_KEY environment variable) or a locally running Ollama server with a model like 'llama3.2' (OLLAMA_MODEL environment variable).
  • ⚠️Optional SQLAlchemy integration requires `pip install enrichmcp[sqlalchemy]`.
Verified SafeView Analysis
The code uses `exec` in `src/enrichmcp/sqlalchemy/auto.py` to dynamically generate resolver functions. While the generated code string appears to be constructed from controlled internal logic (not directly from untrusted user input), `exec` is a powerful primitive that, in general, requires careful scrutiny due to potential for arbitrary code execution if inputs or context are not perfectly contained. No other critical security risks like hardcoded production secrets, obfuscation, or arbitrary command execution are apparent.
Updated: 2026-01-01GitHub
72
207
Low Cost
Vvkmnn icon
Sec9

Provides an MCP server for Claude Code to search and retrieve insights from conversation history, including past solutions, file changes, and tool usage patterns.

Setup Requirements

  • ⚠️Requires Claude Code application for conversation history data.
  • ⚠️Node.js version must be >=20.0.0 and npm >=10.0.0.
Verified SafeView Analysis
The server's primary function involves reading local `.jsonl` conversation files. It utilizes `fs/promises` and `readline` for file access, which are standard for local file operations. It does not perform outbound network requests for its core search functionality. The `UniversalHistorySearchEngine` attempts to access Claude Desktop data (e.g., LevelDB, SQLite) via temporary file copying to prevent locks, with temporary directories created using `mkdtemp` with secure permissions (`0o700`) and subsequently cleaned up. The `child_process` module is used for internal build/test scripts or controlled local execution in `testMCPServer`, not for executing arbitrary user input. No hardcoded secrets or 'eval' are observed in the runtime code. Desktop support for directly reading LevelDB/SQLite is explicitly marked as 'TEMPORARILY DISABLED' in the code, further reducing potential attack surface related to complex database interactions, and simplifying its runtime behavior to primarily local Claude Code files.
Updated: 2026-01-19GitHub
68
705
Medium Cost
Cyfrin icon

aderyn

by Cyfrin

Sec9

A Rust-based Solidity static analyzer that identifies vulnerabilities in smart contracts and provides developer tooling such as LSP and an MCP server for integration with other development environments and AI agents.

Setup Requirements

  • ⚠️Windows users must have WSL installed.
  • ⚠️Requires Rust toolchain for development/compilation.
  • ⚠️Development/release tooling like `cargo-release`, `gh` CLI, and `bacon` require separate installation.
Verified SafeView Analysis
The project is implemented in Rust, which inherently reduces many common memory-related vulnerabilities. It serves as a local development tool with capabilities for static analysis, LSP, and an MCP server. The `xtask` commands can perform sensitive operations like Git pushes and cargo releases, but these are intended for developer/CI environments and not directly exposed by the runtime servers. The MCP server binds to `127.0.0.1` by default for HTTP streaming, limiting network exposure. No obvious malicious patterns, hardcoded secrets, or `eval`-like constructs were found for arbitrary code execution in the server components.
Updated: 2026-01-19GitHub
56
114
Medium Cost
hatayama icon

uLoopMCP

by hatayama

Sec8

Acts as a Model Context Protocol (MCP) server to bridge Unity Editor operations with AI coding tools like Cursor and Claude Code, enabling autonomous development loops for compiling, testing, logging, and scene automation.

Setup Requirements

  • ⚠️Requires Node.js 22 or higher.
  • ⚠️The `execute-dynamic-code` tool requires manual installation of the `Microsoft.CodeAnalysis.CSharp` package via OpenUPM NuGet, which involves adding a scoped registry.
  • ⚠️Cursor has a known bug where MCP connection may fail after `.cursor/mcp.json` is updated; manual toggle off/on or Cursor restart is required.
  • ⚠️Claude Code's sandbox mode requires enabling `network.allowLocalBinding: true` in `.claude/settings.local.json`, which broadly allows localhost connections to all services, not just uLoopMCP.
  • ⚠️Several powerful tools (`run-tests`, `execute-menu-item`, custom tools, `execute-dynamic-code`) are disabled by default for security reasons and must be explicitly enabled in Unity's uLoopMCP window's Security Settings.
Verified SafeView Analysis
The project includes a `execute-dynamic-code` tool that allows dynamic C# code execution within Unity, which is inherently high-risk. However, it implements a 3-tier security model (Disabled, Restricted, FullAccess) for this tool, with 'Restricted' being the recommended default, blocking file/network/process operations. Other potentially dangerous tools like `run-tests` and `execute-menu-item`, as well as third-party tools, are disabled by default. The `SECURITY.md` outlines a clear vulnerability reporting process. Overall, the project demonstrates strong security awareness and mitigations, making it safe to run with recommended (default) settings. FullAccess mode for dynamic code execution should only be used with trusted code.
Updated: 2026-01-19GitHub
51
56
Medium Cost
vasylenko icon
Sec9

Manage Bear Notes (search, read, create, update) directly through AI conversations, offering local-only data processing and privacy.

Setup Requirements

  • ⚠️Requires Bear app installed on macOS.
  • ⚠️Requires Node.js 22.13.0+ to run the MCP server.
  • ⚠️Claude Desktop's security warning "Installing will grant access to everything on your computer." is a general message; the extension's code explicitly only accesses the Bear Notes SQLite database (~/Library/Group Containers/9K33E3U3T4.net.shinyfrog.bear/Application Data/database.sqlite).
Verified SafeView Analysis
The server is explicitly designed as 'local-only', with no external network connections, ensuring data privacy. It directly accesses the Bear Notes SQLite database at a fixed, application-specific path for read operations, using parameterized SQL queries to prevent injection. Write operations leverage Bear's X-callback-URL API, invoked via macOS's 'open -g' command, which safely passes the URL as a single argument. No 'eval' or other obfuscation techniques are used, and there are no hardcoded secrets in the provided source code. The primary security 'gotcha' is Claude Desktop's general warning about file system access, which in this case is restricted to the specific Bear database.
Updated: 2026-01-18GitHub
51
64
High Cost
manykarim icon

rf-mcp

by manykarim

Sec8

Facilitates AI agents to perform end-to-end test automation using Robot Framework, supporting tool discovery, step-by-step execution, and test suite generation through a natural language interface.

Setup Requirements

  • ⚠️Requires OpenAI API Key (OPENAI_API_KEY) for full AI agent functionality (paid service).
  • ⚠️Requires 'uvicorn' and 'django' for the optional frontend (install with `pip install rf-mcp[frontend]`).
  • ⚠️Web automation with Browser Library or SeleniumLibrary requires installation of respective Python packages (`robotframework-browser` / `robotframework-seleniumlibrary`) and their underlying browser drivers/Node.js dependencies (`rfbrowser init` for Browser Library).
Verified SafeView Analysis
The 'attach' mode HTTP server uses a default token ('change-me') which is a critical security risk if not changed and the server is exposed. The frontend development server (Django) uses ALLOWED_HOSTS=['*'] in debug mode, which is insecure for production. While internal variable evaluation is carefully implemented to avoid direct 'eval()' of user input, the ability to execute arbitrary Robot Framework keywords via the attach bridge (if compromised) is powerful.
Updated: 2026-01-12GitHub
51
141
Low Cost
weibaohui icon

kom

by weibaohui

Sec4

Manages Kubernetes clusters and resources through an SDK-level wrapper and an MCP (Multi-Cluster Platform) server, offering features like CRUD, file operations, log fetching, and SQL-like querying.

Setup Requirements

  • ⚠️Requires a Kubernetes cluster for operation (either in-cluster or via kubeconfig).
  • ⚠️Requires `aws cli` installed and configured on the host machine for managing AWS EKS clusters.
  • ⚠️Requires secure management of Kubernetes and AWS credentials (e.g., environment variables, secret management systems), as examples show direct string assignment which is insecure for production.
  • ⚠️Authentication and authorization logic for the MCP server must be implemented externally or via provided hooks, as the default `authKey` mechanism is basic and not a complete security solution.
Review RequiredView Analysis
The project allows powerful Kubernetes operations, including creating privileged pods (`CreateNodeShell`, `CreateKubectlShell` functions in `kom/ctl_node.go`) with `privileged: true`, `hostNetwork: true`, `hostPID: true`, and broad tolerations. This constitutes a significant privilege escalation vector if access to the MCP server is not rigorously controlled. The basic HTTP header-based `authKey` mechanism in `main.go` is illustrative and implies that robust external authentication and authorization are required, but not built-in. Kubeconfig handling (loading from paths, strings, or generated from AWS credentials) is a critical component that can be exploited if sources are untrusted. AWS credentials, if hardcoded in examples and used verbatim by users, pose a severe risk. File operations within pods and SQL-like querying of Kubernetes resources introduce additional attack surfaces that need careful validation and authorization checks to prevent unintended data exposure or manipulation.
Updated: 2026-01-18GitHub
50
51
Medium Cost
zhongweili icon
Sec9

Provides AI-powered image generation and editing capabilities through Google's Gemini models with intelligent model selection.

Setup Requirements

  • ⚠️Requires a Google Gemini API Key (can be free tier, but usage may incur costs).
  • ⚠️Requires Python 3.11+.
  • ⚠️For Google Cloud deployments, Vertex AI Application Default Credentials (ADC) with the `roles/aiplatform.user` IAM role are needed if not using an API key.
  • ⚠️Recommends `uv` for easy installation and management, which needs to be installed separately.
Verified SafeView Analysis
API keys are loaded from environment variables (GEMINI_API_KEY or GOOGLE_API_KEY), not hardcoded. Input validation is present for prompts and file paths, including basic path traversal protection. Error details can be masked in production. Logging of sensitive data is sanitized. Build scripts use `subprocess` for `uv` and `twine` commands, which is standard for packaging but should be run in a trusted environment. No obvious 'eval' or other highly dangerous patterns were found in the core server logic.
Updated: 2026-01-17GitHub
48
303
Medium Cost
tinystruct icon

tinystruct

by tinystruct

Sec3

Provides a framework for building and interacting with AI models, managing tools, data resources, and prompts via the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires Java Runtime Environment (JRE/JDK).
  • ⚠️Requires careful management of the `mcp.auth.token` for secure server access.
  • ⚠️Potential dependency on Redis for distributed locking (`DistributedRedisLock.java`) or other data storage (`tinystruct.data`) which may need to be running and configured.
Review RequiredView Analysis
CRITICAL: The framework includes functionality for arbitrary code execution via `ScriptEngine.eval()` in `DefaultTemplate.java` and command injection via `Runtime.getRuntime().exec()` in `Dispatcher.java`. If user-controlled input reaches these functions, it can lead to severe security vulnerabilities. The MCP server component itself implements an authentication token mechanism (`mcp.auth.token`), which is a good practice, but the underlying framework elements present significant risks if not carefully managed or disabled in production environments. Default Redis URI is localhost:6379, which is safe for local development but risky if exposed publicly without authentication.
Updated: 2026-01-15GitHub
45
54
Medium Cost
gleanwork icon

mcp-server

by gleanwork

Sec8

The Glean MCP Server facilitates integration between AI clients (like LLMs or coding assistants) and Glean's enterprise knowledge base, providing tools for company search, people profile search, chat with Glean AI, and document retrieval.

Setup Requirements

  • ⚠️Requires `mise` for environment setup (Node.js and pnpm).
  • ⚠️Mandatory environment variables: `GLEAN_INSTANCE` and `GLEAN_API_TOKEN` for authentication with the Glean API.
  • ⚠️Recommended to use Glean's remote MCP server for better performance and updates, indicating this local server is primarily for experimental/testing use.
Verified SafeView Analysis
The server uses environment variables for sensitive API tokens (GLEAN_API_TOKEN), which is a good practice. Input validation for tool arguments is enforced using Zod schemas, significantly mitigating injection risks. Communication is via stdio, reducing external network attack surface. Docker deployment options suggest good security practices like dropping privileges and read-only filesystems. A direct `fetch` is used in `read_documents.ts` (noted as a workaround for an SDK bug) for Glean API calls, manually constructing headers, but the values for `Authorization` and `X-Glean-ActAs` still originate from controlled environment variables, so no immediate user-controlled injection is apparent. The `open` utility is used to display launch warnings, but the URLs are hardcoded to a Glean-controlled domain and package version, minimizing the risk of opening arbitrary malicious links.
Updated: 2026-01-15GitHub
PreviousPage 1 of 16Next