Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(84)

96
366
High Cost
alpacahq icon
Sec9

A comprehensive Model Context Protocol (MCP) server for Alpaca's Trading API, enabling natural language trading operations through AI assistants for stocks, options, crypto, portfolio management, and real-time market data.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️Requires `uv` (or `uvx`) for streamlined installation and execution.
  • ⚠️Requires Alpaca Trading API keys (free paper trading accounts are available).
  • ⚠️Requires a separate MCP client (e.g., Claude Desktop, Cursor, VS Code) for interaction, which needs its own configuration.
  • ⚠️For live trading, API credentials must be updated in both the `.env` file and the MCP client's configuration JSON.
  • ⚠️Remote hosting for clients like Claude Mobile or ChatGPT involves Docker deployment to a cloud service.
Verified SafeView Analysis
The project demonstrates strong security practices for credential handling. It actively warns against passing API keys via command-line arguments, uses `getpass` for interactive secret input, and attempts to set restrictive file permissions on the `.env` file. The `AuthHeaderMiddleware` correctly extracts and passes OAuth `Authorization` headers, prioritizing them over environment variables, which is a secure pattern for multi-tenant and remote deployments. While binding to `0.0.0.0` for HTTP transport requires external security measures, the documentation explicitly highlights this need. No `eval` or arbitrary code execution from untrusted input was found in the core server logic.
Updated: 2025-11-26GitHub
95
237
Medium Cost
wshobson icon

maverick-mcp

by wshobson

Sec8

Personal-use FastMCP server for professional-grade financial data analysis, technical indicators, and portfolio optimization tools integrated with Claude Desktop.

Setup Requirements

  • ⚠️Requires Python 3.12+
  • ⚠️TA-Lib library is required for technical analysis calculations
  • ⚠️Requires Tiingo API Key (free tier available at tiingo.com, 500 requests/day)
  • ⚠️Optional: PostgreSQL and Redis for enhanced data persistence and caching performance
  • ⚠️Optional: API keys for OpenRouter, Exa AI, Tavily, FRED, OpenAI, Anthropic for advanced AI research features
  • ⚠️For Claude Desktop, requires `npx mcp-remote` bridge tool for stable SSE connection
Verified SafeView Analysis
The server follows good security practices for its intended personal, local-first use. It externalizes API keys via environment variables, uses SQLAlchemy for SQL injection prevention, implements input validation, basic rate limiting, and secure HTTP headers. While `eval` is present in test files, it's not exposed in production-facing code. Development scripts use `subprocess.run`, which is common for developer tools but should be used with caution in other contexts. Overall, a robust security model for its defined scope.
Updated: 2025-11-30GitHub
83
3
Medium Cost
aoutpost2-rgb icon

getoutpost-mcp-server

by aoutpost2-rgb

Sec9

Provides real-time Indian options market data and volatility analytics, including IV, RV, VRP, and Skew, to AI chats for quantitative analysis and trading insights.

Setup Requirements

  • ⚠️Requires manual sign-up and extraction of ACCESS_TOKEN, REFRESH_TOKEN, and EMAIL from GetOutpost.in's browser dev tools to populate a local credentials file.
  • ⚠️Requires a local credentials file (`~/.getoutpost_credentials.json` by default) to be manually created and populated with API tokens.
  • ⚠️Primarily designed for integration with Claude Desktop, requiring specific configuration within Claude's extension settings.
Verified SafeView Analysis
The server stores sensitive API tokens (ACCESS_TOKEN, REFRESH_TOKEN) and email locally in a configurable JSON file, not hardcoded. It includes logic to automatically refresh expired tokens and update the local file, which is a good security practice. The `PRIVACY.md` clearly states no user data is collected, stored, or transmitted to the server itself, and all communication with GetOutpost.in uses HTTPS. The initial acquisition of tokens from `GetOutpost.in` dev tools is a user responsibility, not an inherent server vulnerability.
Updated: 2025-12-03GitHub
81
91
Low Cost
aitrados icon
Sec8

A specialized MCP server for financial analysis and quantitative trading, designed to deploy local financial MCP services with a departmental architecture for LLM integration and algorithmic trading.

Setup Requirements

  • ⚠️Requires AITRADOS_SECRET_KEY obtained via free registration at https://www.aitrados.com/.
  • ⚠️Requires Python 3.10 or higher.
  • ⚠️Broker integration (if enabled via `ENABLE_RPC_PUBSUB_SERVICE` and `auto_run_brokers`) requires the `aitrados-broker` package and specific configuration in `config.toml`.
Verified SafeView Analysis
The server dynamically loads user-defined MCP Python files using `importlib.util` and `exec_module`, which can pose a risk if untrusted code is loaded. It interacts with external financial data APIs and can integrate with brokerage services (`aitrados-broker`), requiring careful handling of API keys and broker configurations. Sensitive keys are expected to be set as environment variables and validated in request headers, which is good practice. Overall, well-designed for its intended extensibility but requires user vigilance regarding custom code and sensitive financial integrations.
Updated: 2025-11-19GitHub
55
1
High Cost

ai-trading-mcp-server

by FajarArrizki

Sec7

AI-powered cryptocurrency trading assistant for real-time market analysis, signal generation, and trade execution.

Setup Requirements

  • ⚠️Requires API Key for AI Provider (e.g., OpenRouter), which is a paid service.
  • ⚠️Requires Hyperliquid Wallet API Key and Account Address for live trading (sensitive credentials).
  • ⚠️Requires Node.js 20+ and pnpm for local development and execution.
Verified SafeView Analysis
The project uses Zod for input validation and explicitly warns about production hardening (HTTPS, authentication, rate limiting) for the streaming server. Private keys are expected via environment variables or tool parameters, which is generally good practice. However, there are hardcoded default API keys (e.g., OpenRouter, CoinMarketCap in a test script) which reduce the security score. The nature of financial trading inherently carries high risk if not deployed and managed securely, especially with explicit warnings for 'Local Development Only' without further hardening for production.
Updated: 2025-11-25GitHub
55
1
Medium Cost
openSVM icon

dflow-mcp

by openSVM

Sec9

Provides a Model Context Protocol (MCP) interface to access real-time and historical prediction market data from Kalshi/DFlow.

Setup Requirements

  • ⚠️Requires Bun (recommended) or Node.js 18+ to run.
  • ⚠️Manual MCP client integration requires specific JSON configuration for `command` and `args` pointing to the server's executable.
  • ⚠️Network requests are made to an external prediction market API (`https://prediction-markets-api.dflow.net` or `https://api.llm.dflow.org`), incurring data transfer and external API usage costs.
Verified SafeView Analysis
The server acts as a proxy for an external API. It utilizes robust JSON schema validation for all tool inputs, preventing common injection vulnerabilities. URL construction in the API client is safe, concatenating a fixed base URL with validated paths, mitigating SSRF risks. There are no direct usages of dangerous functions like `eval` or `child_process.exec` with user-controlled input in the main server logic. CORS headers are configured for public access in the Netlify deployment. The `generateCandlestickChart` function (present in the Netlify function but not `src/index.ts`) is safe, transforming numeric data into ASCII art within bounded dimensions. Overall, the implementation is solid for its purpose as a data proxy.
Updated: 2025-12-02GitHub
54
36
Medium Cost
huweihua123 icon

stock-mcp

by huweihua123

Sec7

A financial data and analysis server providing specialized tools for AI agents via Model Context Protocol (MCP) and RESTful API.

Setup Requirements

  • ⚠️Requires API keys for premium data sources (Tushare, Finnhub) and/or LLM integration (Google, Tavily) for full functionality.
  • ⚠️Requires a running Redis instance for caching (optional but recommended for performance).
  • ⚠️Requires a running MinIO instance if document processing (FilingsService) is to be utilized.
  • ⚠️Python 3.10+ is a strict requirement.
Verified SafeView Analysis
Default MinIO credentials (`minioadmin`) in `MinioClient` are weak and should be changed for production. The `CORSMiddleware` is configured with `allow_origins=["*"]`, which is insecure for production and should be restricted. `NewsService` makes external LLM calls (Google Gemini) if configured, incurring token costs and relying on external service security. No direct `eval` or `exec` vulnerabilities observed.
Updated: 2025-12-01GitHub
52
81
High Cost
imbenrabi icon
Sec8

Enables AI assistants to fetch and analyze comprehensive financial market data, company fundamentals, and economic indicators from Financial Modeling Prep.

Setup Requirements

  • ⚠️Requires a Financial Modeling Prep (FMP) API access token (usage might incur costs based on FMP's pricing tiers).
  • ⚠️Requires Node.js (v18+) and npm/npx installed, or Docker.
  • ⚠️Requires active internet access to communicate with the Financial Modeling Prep API.
Verified SafeView Analysis
The server correctly uses environment variables or CLI arguments for API token management, avoiding hardcoded secrets. It relies on standard `axios` for HTTP requests. Client-level caching is implemented with LRU and TTL, a common pattern, but could be a vector for denial-of-service if `maxSize` or `ttl` are inadequately configured for high-traffic or untrusted environments. No direct `eval` or obfuscation observed.
Updated: 2025-12-06GitHub
52
96
Medium Cost
kukapay icon

freqtrade-mcp

by kukapay

Sec8

Integrates an AI agent with the Freqtrade cryptocurrency trading bot to enable automated trading operations via its REST API.

Setup Requirements

  • ⚠️Requires Python 3.13+.
  • ⚠️A running Freqtrade instance with its REST API enabled and properly configured (e.g., `api_server` section enabled, correct username/password).
  • ⚠️Requires environment variables `FREQTRADE_API_URL`, `FREQTRADE_USERNAME`, `FREQTRADE_PASSWORD` to be set with Freqtrade API credentials.
Verified SafeView Analysis
The server relies on environment variables for sensitive Freqtrade API credentials (URL, username, password), which is a good practice. It directly passes user-provided parameters to the `freqtrade-client` library without obvious direct code injection vulnerabilities (e.g., `eval`, `exec`). The `place_trade` function includes basic input validation for the 'side' parameter. The primary security risks would stem from vulnerabilities within the `freqtrade-client` library, the Freqtrade REST API itself, or improper handling of environment variables in the deployment environment. There are no clear indications of malicious patterns or severe code-level security flaws in the provided source.
Updated: 2025-12-06GitHub
52
97
Low Cost
kukapay icon
Sec8

Provides an MCP server with over 50 cryptocurrency technical analysis indicators and strategies to empower AI trading agents in analyzing market trends and developing quantitative strategies.

Setup Requirements

  • ⚠️Requires Node.js v18.x or higher and npm v8.x or higher.
  • ⚠️Requires configuration within an MCP client (e.g., Claude Desktop) to define the `command`, `args`, and `env` for the server.
  • ⚠️The `EXCHANGE_NAME` environment variable determines the data source (defaults to Binance, but can be configured to any ccxt-supported exchange).
Verified SafeView Analysis
The server fetches public OHLCV data from cryptocurrency exchanges using `ccxt`. While it uses an environment variable for the exchange name, no hardcoded API keys or sensitive credentials were found. The tool functions execute calculations on fetched data and return JSON, with no apparent 'eval' or other highly dangerous patterns. Network risks are limited to fetching market data from a configured exchange, which is standard for this type of application.
Updated: 2025-12-06GitHub
49
46
Low Cost
alphavantage icon

alpha_vantage_mcp

by alphavantage

Sec6

Enables LLMs and agentic workflows to seamlessly interact with real-time and historical stock market data through the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires Alpha Vantage API Key (free but must be obtained).
  • ⚠️Requires `uv` (modern Python package manager) for local development and deployment scripts.
  • ⚠️Full deployment to AWS Lambda requires AWS CLI, SAM CLI, an AWS account, and appropriate IAM permissions for S3, CloudFront, Lambda, and optionally Cloudflare R2.
  • ⚠️The provided OAuth 2.1 implementation is explicitly noted as not production-ready due to insecure handling of API keys as access tokens and simple encoding; it is suitable for specific trusted client integrations.
Verified SafeView Analysis
The OAuth 2.1 implementation (server/src/oauth.py) explicitly states it uses 'simple encoding' (base64) for authorization codes and passes the Alpha Vantage API key directly as the OAuth access token. This is not secure for a general-purpose OAuth provider and is noted as unsuitable for production without further security measures (e.g., JWT, encryption). The client-side 'Artifacts Editor' (web/app/artifacts/page.tsx) uses `new Function()` for executing user-provided React/HTML code, which is a feature for a code editor but poses a risk if untrusted code is executed in an un-sandboxed environment. However, this is client-side execution, not a server-side vulnerability. The server itself manages API keys passed from clients in headers/query params, which assumes secure client-side handling.
Updated: 2025-12-05GitHub
49
71
Medium Cost
zwldarren icon

akshare-one-mcp

by zwldarren

Sec8

This MCP server provides comprehensive access to China's stock market data, including historical, real-time, news, financial statements, and technical analysis indicators.

Setup Requirements

  • ⚠️Requires Python 3.12 or newer.
  • ⚠️The 'uv' package installer and runner is recommended/required for setup and execution.
  • ⚠️Relies on external, potentially rate-limited, public data sources (e.g., Eastmoney, Sina, Xueqiu) via the 'akshare' and 'akshare-one' libraries.
Verified SafeView Analysis
The server implements Pydantic for input validation, which is a good practice. No 'eval' or 'exec' are present in the provided source code. CORS is set to allow all origins ('*'), which is common for MCP servers but allows access from any domain. The server relies on 'akshare' and 'akshare-one' as upstream dependencies; their security profiles are assumed to be maintained for data retrieval from public financial sources. No hardcoded secrets are evident.
Updated: 2025-12-04GitHub
PreviousPage 1 of 7Next