Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(151)

100
1584
Low Cost
modelcontextprotocol icon

mcpb

by modelcontextprotocol

Sec8

A CLI toolchain for developing, validating, packing, and signing MCP (Model Context Protocol) Bundles for AI desktop applications, with experimental UV runtime support for Python.

Setup Requirements

  • ⚠️Requires Node.js (v16.0.0+) to run the CLI tool.
  • ⚠️Python extensions using the traditional 'python' server type have a 'Limitation: Cannot portably bundle compiled dependencies' (e.g., pydantic).
  • ⚠️UV runtime support for Python extensions is experimental and may change in future versions.
  • ⚠️Icon validation warns for remote URLs and errors for absolute paths or '${__dirname}' variables; icons should be local PNG files for optimal Claude Desktop compatibility.
Verified SafeView Analysis
The server code demonstrates good security practices, especially in file unpacking with explicit 'Path traversal attempt detected' checks to prevent zip slip attacks. Uses 'child_process.execFile' for OS-level certificate verification (`openssl`, `security`, `powershell`) and self-signed certificate generation, which is a controlled use of external commands. Variable replacement in `mcp_config` patterns using `new RegExp` is present; while keys are typically simple, arbitrary user input as a key could theoretically pose a regex injection risk if not sufficiently sanitized upstream, though this is a low practical risk given the context of configuration keys. No 'eval' or obvious hardcoded secrets were found.
Updated: 2025-12-04GitHub
100
1534
High Cost
agent-infra icon

sandbox

by agent-infra

Sec6

A comprehensive sandbox environment for AI agents, integrating browser, shell, file system, VSCode server, Jupyter notebooks, and Model Context Protocol (MCP) services within a unified Docker container for agent development and tool evaluation.

Setup Requirements

  • ⚠️Requires Docker to run the sandbox environment.
  • ⚠️The `docker run` command explicitly disables `seccomp` filtering (`--security-opt seccomp=unconfined`), which is a significant security consideration. Users must be aware that the container's security depends heavily on its isolation from the host.
  • ⚠️Specific integrations (e.g., Volcengine provider for cloud sandbox management, OpenAI for agent interactions) require configuring corresponding API keys as environment variables, although these are not mandatory for the base sandbox server to start.
Verified SafeView Analysis
The system is designed as an agent sandbox to execute arbitrary code (shell, Python, Node.js, browser automation) within a Docker container. The provided `docker run` command explicitly uses `--security-opt seccomp=unconfined`, which disables seccomp filtering, allowing the container broader syscall access. This is an intentional design choice for a flexible sandbox but means the Docker container itself is the primary security boundary. Users must ensure robust container isolation and carefully manage agent permissions to prevent unintended execution or privilege escalation outside the sandbox. Environment variables are utilized for credentials in SDK integrations (e.g., Volcengine, OpenAI), mitigating hardcoded secret risks within the core server.
Updated: 2025-12-01GitHub
98
620
Low Cost
featureform icon

enrichmcp

by featureform

Sec4

A Python framework for building semantic APIs for AI agents, allowing them to discover, understand, and navigate structured data models via the Model Context Protocol.

Setup Requirements

  • ⚠️Requires Python 3.11+.
  • ⚠️SQLAlchemy integration requires the `enrichmcp[sqlalchemy]` extra and an async SQLAlchemy driver (e.g., `aiosqlite`).
  • ⚠️Redis caching requires the `redis` package.
  • ⚠️All relationships must have at least one resolver defined before running the application, otherwise `app.run()` will raise a `ValueError`.
Review RequiredView Analysis
The `RedisCache` backend uses `pickle.loads` to deserialize cached values. If an attacker can inject malicious pickled data into the Redis cache (e.g., through compromised Redis access), this can lead to arbitrary code execution on the server. Additionally, `exec()` is used internally in the SQLAlchemy integration for dynamic function generation; while its inputs are intended to be controlled by the framework, dynamic code execution is a high-risk primitive.
Updated: 2025-12-01GitHub
68
668
Medium Cost
Cyfrin icon

aderyn

by Cyfrin

Sec9

A powerful Solidity static analyzer that provides structured access to smart contract code, ASTs, and analysis results via a Model Context Protocol (MCP) server or Language Server Protocol (LSP), primarily intended for AI agents or advanced tooling.

Setup Requirements

  • ⚠️Windows users must have WSL installed for installation via installer scripts (curl/Homebrew/npm).
  • ⚠️Building from source requires a Rust toolchain and specific Cargo tools (`cargo-release`) and GitHub CLI (`gh`) for development/release workflows.
  • ⚠️Custom project structures require an `aderyn.toml` configuration file to define source paths, excludes, and includes, otherwise auto-detection for Foundry/Hardhat is used.
Verified SafeView Analysis
The project is implemented in Rust, which inherently provides strong memory safety guarantees. Network interactions are confined to documented functionalities such as update checks (connecting to GitHub API) and serving the MCP/LSP protocols (using `axum` and `tower-lsp`). No 'eval' or other dynamic code execution from untrusted sources, nor obvious hardcoded secrets, were identified. The `xtask` tools are for development/release processes (e.g., git operations, script execution), which, while interacting with the local system, are not exposed as runtime risks to typical end-users of the static analyzer. Overall, the codebase demonstrates a security-conscious design.
Updated: 2025-12-04GitHub
56
91
Medium Cost
hatayama icon

uLoopMCP

by hatayama

Sec6

Acts as a Model Context Protocol (MCP) server to bridge communication between Unity Editor and AI-powered development tools like Cursor, enabling autonomous AI-driven development loops.

Setup Requirements

  • ⚠️Requires Node.js 18 or higher and Unity 2020.3 or higher.
  • ⚠️The Unity MCP Bridge package must be installed in Unity, either via Git URL or OpenUPM.
  • ⚠️To use the `execute-dynamic-code` tool, the `Microsoft.CodeAnalysis.CSharp` NuGet package must be installed in Unity via the OpenUPM scoped registry, which is a multi-step process.
Review RequiredView Analysis
The server's `execute-dynamic-code` tool allows dynamic C# code execution within the Unity Editor, posing a critical security risk. While the feature includes three security levels (Disabled, Restricted, FullAccess) with recommended restrictions (Level 1 blocks file deletion/writing, network communication, process execution, dynamic assembly loading, thread/registry manipulation), it still grants substantial control over the Unity environment. The `README` explicitly warns about using trusted code and recommends sandbox/container environments for AI-driven code generation. Path traversal risks in logging (`VibeLogger`) are mitigated with robust path validation. Overall, the developer has implemented safeguards for a high-risk feature, but the inherent nature of dynamic code execution means a non-zero risk remains.
Updated: 2025-12-06GitHub
55
13
Medium Cost
Eth3rnit3 icon

FerrumMCP

by Eth3rnit3

Sec7

A browser automation server for AI assistants to interact with web pages through a standardized Model Context Protocol (MCP) interface.

Setup Requirements

  • ⚠️Requires Ruby 3.2+ and a local Chrome/Chromium installation if not using Docker.
  • ⚠️Docker deployment requires `--security-opt seccomp=unconfined` and automatically enforces headless browser mode.
  • ⚠️CAPTCHA solving requires `whisper-cli` (an external binary) to be installed separately and configured via `WHISPER_PATH`.
Verified SafeView Analysis
The server's core functionality includes tools for executing arbitrary JavaScript (e.g., `execute_script`, `evaluate_js`) and navigating to any URL (`navigate`). This design relies on a trusted client environment as explicitly stated in the `SECURITY.md`. The `find_by_text` tool's XPath escaping prevents simple injection, but `SECURITY.md` mentions 'Partial escaping' and 'Full XPath sanitization planned for v1.1', indicating potential edge cases. The server implements session limits and HTTP rate limiting, mitigating some resource exhaustion and DoS risks. The Docker images run as a non-root user. Overall, the server is designed for a trusted, agent-controlled environment; exposing it to untrusted users without additional security layers (e.g., authentication, network segmentation) is a significant risk.
Updated: 2025-11-26GitHub
55
1
Medium Cost
ssdeanx icon

ssd-ai

by ssdeanx

Sec8

An AI development assistant implementing the Model Context Protocol (MCP) standard, offering 36 specialized tools for TypeScript, JavaScript, and Python projects, with intelligent memory management, code analysis, reasoning frameworks, and long-running task support.

Setup Requirements

  • ⚠️Requires Node.js 18.0 or higher.
  • ⚠️Requires Python 3.x for Python code analysis capabilities.
  • ⚠️Requires Chrome/Chromium/Edge/Brave browser installed for browser automation tools, or the CHROME_PATH environment variable set.
  • ⚠️Needs write access to `process.cwd()/memories` for SQLite database and `os.tmpdir()` for temporary Python scripts.
Verified SafeView Analysis
The server uses `child_process.spawn` for Python AST analysis, but the Python script is hardcoded within the `PythonParser.ts` file, limiting arbitrary code execution. Puppeteer, used for browser automation, is launched with `--no-sandbox` and `--disable-setuid-sandbox` flags, which can reduce isolation. The HTTP transport implements basic CORS and validates the `mcp-protocol-version` header. No hardcoded secrets or arbitrary `eval` usage were identified. The uses of external processes are justified by the features.
Updated: 2025-11-30GitHub
50
134
Medium Cost
weibaohui icon

kom

by weibaohui

Sec2

Manages Kubernetes clusters and resources, providing an SDK-level wrapper for kubectl/client-go with Multi-Cluster Proxy (MCP) server capabilities.

Setup Requirements

  • ⚠️Requires access to a Kubernetes cluster (via kubeconfig or in-cluster setup).
  • ⚠️AWS CLI must be installed and configured on the host running the server for EKS cluster integration.
  • ⚠️The default server setup uses a weak 'username' header for client identification; users MUST implement robust authentication and authorization logic via callbacks to secure privileged Kubernetes operations.
  • ⚠️Directly accepts AWS credentials (AccessKey/SecretAccessKey) in EKSAuthConfig, which are then used as environment variables for AWS CLI calls by child processes.
Review RequiredView Analysis
Critical security risks identified: 1. Weak default authentication: The 'main.go' example's MCP server uses 'username' from HTTP headers as an identifier, providing no actual authentication or authorization mechanism. This means any client can spoof a user. 2. Direct handling of AWS Access Keys/Secret Access Keys: EKS configuration directly accepts these sensitive credentials, which are then passed as environment variables to the 'aws' CLI for execution. 3. Highly privileged Kubernetes operations: The server exposes a wide range of powerful K8s operations (e.g., arbitrary file operations within Pods, node cordon/drain, creating privileged node/kubectl shells) via its API. Without a custom callback implementation for proper authorization (which is explicitly left to the user), these operations are unsecured. 4. SQL-like query capability: While useful, if not properly secured by authorization callbacks, this could allow unauthorized users to perform broad or sensitive queries/manipulations on K8s resources.
Updated: 2025-11-22GitHub
47
258
Medium Cost
tinystruct icon

tinystruct

by tinystruct

Sec8

Implements the Model Context Protocol (MCP) for interacting with AI models, tools, resources, and prompts, offering both client and server functionalities.

Setup Requirements

  • ⚠️Requires Java Development Kit (JDK) 8+ to build and run.
  • ⚠️For production, a strong `mcp.auth.token` should be explicitly configured.
  • ⚠️Optional: A Redis server is required for distributed locking and potentially other distributed features; defaults to `127.0.0.1:6379` if not configured.
Verified SafeView Analysis
The code utilizes `eval` for executing pre-defined Lua scripts on Redis for distributed locking, which is a controlled and acceptable use case. Authentication is implemented using a configurable `AUTH_TOKEN`, with a new token generated if none is provided, which is good practice. Configuration allows for securing network connections (e.g., Redis password, proxy settings). Main risks would stem from misconfiguration (weak auth tokens, publicly exposed Redis without authentication).
Updated: 2025-12-06GitHub
47
30
Medium Cost
vasylenko icon
Sec9

Enables AI assistants like Claude to search, create, read, and modify notes in the local Bear Notes application on macOS, enhancing personal knowledge management workflows with complete privacy.

Setup Requirements

  • ⚠️Requires Bear Notes app to be installed (macOS only).
  • ⚠️Requires Claude Desktop to be installed.
  • ⚠️Requires Node.js runtime version >= 22.5.0.
  • ⚠️Node.js must be run with the `--experimental-sqlite` flag enabled.
Verified SafeView Analysis
The server is explicitly designed for local-only operations, with no external network connections for data transfer, significantly reducing data leakage risks. It interacts with the Bear Notes local SQLite database for read operations and uses Bear's X-callback-URL API for write operations, both of which are local inter-application communication mechanisms. SQL queries use parameterized statements to prevent SQL injection, and user inputs for X-callback-URL are properly URL-encoded to mitigate command injection. No 'eval' or intentional obfuscation is present. The use of `--experimental-sqlite` directly from Node.js avoids third-party binaries, addressing a specific supply chain risk. While no system is entirely foolproof, the architecture and implementation demonstrate a strong focus on security and privacy.
Updated: 2025-12-04GitHub
46
51
Medium Cost
hloiseau icon

mcp-gopls

by hloiseau

Sec9

An MCP server that enables AI assistants to utilize Go's Language Server Protocol (gopls) for advanced code analysis, navigation, refactoring, and execution of Go tooling within Go workspaces.

Setup Requirements

  • ⚠️Requires Go 1.25+ to be installed.
  • ⚠️Requires 'gopls' to be installed (go install golang.org/x/tools/gopls@latest).
  • ⚠️Requires the '--workspace' flag or MCP_GOPLS_WORKSPACE environment variable to specify the absolute path to the Go project root.
  • ⚠️Requires specific JSON configuration within the AI client (e.g., Cursor, Claude Desktop, GitHub Copilot) to connect to the MCP server.
Verified SafeView Analysis
The project's core functionality involves executing external Go development tools (go, gopls, govulncheck). While this introduces a reliance on the security of these external binaries, the project itself does not show signs of direct 'eval' usage, obfuscation, or hardcoded secrets. It manages environment variables like GOTOOLCHAIN for its subprocesses to ensure consistent behavior. Users should be aware that granting AI access to this tool allows it to execute Go commands within the specified workspace.
Updated: 2025-11-25GitHub
45
50
Medium Cost
gleanwork icon

mcp-server

by gleanwork

Sec7

This server acts as a local backend for Model Context Protocol (MCP) clients, enabling AI assistants and other tools to interact with Glean's enterprise search, chat, and document retrieval capabilities.

Setup Requirements

  • ⚠️Requires Glean API Token (`GLEAN_API_TOKEN`) and Glean instance name (`GLEAN_INSTANCE` or `GLEAN_URL`) configured via environment variables or CLI flags.
  • ⚠️Uses `pnpm` as the package manager; `pnpm install` is required for setup.
  • ⚠️Requires Node.js version 20 or higher, as specified in `engines.node` and `mise.toml`.
Verified SafeView Analysis
The server uses `stdio` for communication, limiting direct network exposure for the server itself. However, it makes outbound network requests to the Glean API using credentials (GLEAN_API_TOKEN) sourced from environment variables or CLI arguments, which is good practice. A potential, though mitigated, risk exists in the `instance` parameter used to construct API URLs: if a malicious `instance` value (e.g., containing special characters or other domains) were provided by a compromised local AI client, it could potentially lead to Server-Side Request Forgery (SSRF) against internal network resources. Currently, the server primarily runs locally and expects a simple string for the instance name. The project uses pnpm-lock.yaml for dependency integrity and sets limited permissions for log files (0o600).
Updated: 2025-12-01GitHub
PreviousPage 1 of 13Next