Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

Vetted Servers (84)

47
69
High Cost

yfinance-mcp

by narumiruna

Sec9

Fetch stock data, news, and financial charts from Yahoo Finance for analysis.

Setup Requirements

  • ⚠️Requires Python 3.12+
  • ⚠️Requires `uv` package installer
  • ⚠️Requires internet access to Yahoo Finance
Verified Safe
The server uses well-established and maintained libraries like `yfinance` and `mplfinance`. There are no explicit uses of `eval`, `exec`, or direct system calls. Input validation is primarily handled by Pydantic types and explicit checks for numeric inputs (`top_n > 0`). Image generation is done using a non-interactive matplotlib backend, saving to an in-memory buffer.
Updated: 2025-11-22
42
1
Low Cost

backtrader-mcp

by kukapay

Sec2

An AI-accessible MCP server for Backtrader, enabling agents to run, analyze, and optimize trading strategies through natural language prompts.

Setup Requirements

  • ⚠️Requires Python 3.10+
  • ⚠️Requires 'uv' for dependency management (recommended)
  • ⚠️Requires MCP CLI installation (`uv run mcp install main.py`)
Review Required
The `run_backtest` tool uses `exec(strategy_code, {}, local_ns)` to execute user-provided Python code directly. This is a critical security vulnerability as it allows arbitrary code execution. An attacker could inject malicious Python code (e.g., `import os; os.system('rm -rf /')`) leading to severe system compromise, data theft, or denial of service if the server is exposed to untrusted input. While the `exec` call uses empty globals, core built-ins and module imports are still accessible.
Updated: 2025-11-27
41
23
Medium Cost

futu-stock-mcp-server

by shuizhengqi1

Sec9

A Model Context Protocol (MCP) server for accessing Futu OpenAPI functionality, providing standardized MCP protocol to AI models for market data subscription and querying, including trading capabilities.

Setup Requirements

  • ⚠️Requires a Futu Securities account with OpenAPI permissions.
  • ⚠️Requires Futu OpenD gateway installed and running on a specified host/port.
  • ⚠️Requires Python 3.10+.
Verified Safe
No obvious hardcoded secrets. Employs robust stdout/stderr protection for MCP communication. Uses process locking and cleanup for self-management, which is generally safe but relies on `psutil`. Relies on a local `Futu OpenD` gateway for actual market data and trading, so the security of that external dependency is critical.
Updated: 2025-11-28
38
17
Medium Cost

NepseAPI-Unofficial

by surajrimal07

Sec3

An unofficial API service for Nepal Stock Exchange (NEPSE) providing real-time market data through REST, WebSocket, and Model Context Protocol (MCP) endpoints for educational and research purposes.

Setup Requirements

  • ⚠️Requires Python 3.11+
  • ⚠️Requires `uv` to be installed globally for Claude Desktop integration (if using local integration)
  • ⚠️Relies on an unofficial upstream NEPSE data source, which may be unstable, change its API, or be inaccurate without notice.
Verified Safe
The API explicitly disables TLS/SSL certificate verification (`nepseAsync.setTLSVerification(False)`) when fetching data from external unofficial NEPSE sources. This makes the data fetching susceptible to Man-in-the-Middle (MITM) attacks, where an attacker could intercept or alter the data being retrieved, compromising data integrity and authenticity. While the project is for educational use and disclaims liability, this is a significant security vulnerability. The server also binds to `0.0.0.0` for all services (FastAPI, WebSocket, MCP), meaning it's externally accessible and requires proper firewall configuration for production deployments.
Updated: 2025-12-04
37
9
Medium Cost

trading212-mcp-server

by RohanAnandPandit

Sec9

This server provides a Model Context Protocol (MCP) interface for seamless data connectivity and advanced interaction capabilities with the Trading212 trading platform.

Setup Requirements

  • ⚠️Requires Trading212 API Key (TRADING212_API_KEY environment variable).
  • ⚠️Requires Python >= 3.11.
  • ⚠️Environment variable 'ENVIRONMENT' must be set to 'demo' or 'live' depending on the API key type.
Verified Safe
The server primarily uses `os.getenv` for sensitive information like API keys, which is a good security practice. HTTP requests are handled by `httpx` with `hishel` for caching, standard and generally safe libraries. No 'eval' or direct un-sanitized shell command execution is observed. A minor concern is the generic `Exception` raised on HTTP errors in `_make_requests`, which might expose internal error details, though this is less critical in an MCP server context than a public API.
Updated: 2025-11-29
35
1
Medium Cost

aave-liquidation-mcp

by clumsynonono

Sec9

Analyzes Aave V3 liquidation opportunities on Ethereum mainnet, providing data and insights to AI assistants.

Setup Requirements

  • ⚠️Requires Node.js 18 or higher.
  • ⚠️Requires an Ethereum RPC endpoint (e.g., Alchemy, Infura) with sufficient rate limits, configured via ETHEREUM_RPC_URL environment variable.
  • ⚠️A build step (`npm run build`) is necessary after installing dependencies before running the server.
  • ⚠️MCP configuration requires the absolute path to the compiled `index.js` file.
Verified Safe
The server operates in a read-only mode, interacting with public Aave V3 smart contracts on Ethereum mainnet. It explicitly focuses on analysis rather than transaction execution, significantly reducing financial risk. Input validation for Ethereum addresses is performed. Required RPC URL is supplied via environment variables, preventing hardcoded secrets. The code appears well-structured and free from obvious malicious patterns or obfuscation. Reliance on external RPC endpoints introduces inherent external risks (e.g., uptime, rate limits) but these are generally understood for blockchain applications and mitigated by user warnings in the README.
Updated: 2025-11-25
35
5
Low Cost

frankfurtermcp

by anirbanbasu

Sec9

Provides currency exchange rates and conversion functionalities from the Frankfurter API for language model agents.

Setup Requirements

  • ⚠️Requires Python 3.12+
  • ⚠️Relies on an external Frankfurter API (https://api.frankfurter.dev/v1 by default), which can be self-hosted.
  • ⚠️The `uv` tool is recommended for project management, though `pip` is also supported.
Verified Safe
The server uses `httpx` for external API calls, with SSL verification enabled by default (`HTTPX_VERIFY_SSL=True`), which is good practice. Environment variables are used for configuration, preventing hardcoded secrets. Error handling for API requests is present, converting `httpx.RequestError` to `ValueError`. The use of `CORSMiddleware` with `allow_origins=["*"]` is noted as a potential security concern for general web applications, but for an MCP server designed for broad client access and exposing non-sensitive public data, it's often a pragmatic choice. No `eval` or obviously dangerous patterns are observed.
Updated: 2025-12-02
34
4
Medium Cost

lerian-mcp-server

by LerianStudio

Sec9

Provides AI assistants with unified access to Lerian product documentation, learning resources, and SDK code generation via the Model Context Protocol.

Setup Requirements

  • ⚠️Requires Node.js 18.0.0 or higher.
  • ⚠️Operates in 'documentation-only' mode; it does NOT connect to Lerian backend APIs or provide live data query capabilities. Users expecting API access will need to use Lerian SDKs directly in their applications.
  • ⚠️While cryptographic secrets are auto-generated and stored securely, understanding their location (`~/.lerian/secrets.json`) and how to rotate/customize them (via environment variables) is important for advanced/production use cases.
Verified Safe
The server operates in a 'documentation-only' mode (v4.0.0 and above), explicitly removing all backend API connectivity, which significantly reduces the attack surface. It employs robust input validation using Zod, comprehensive output sanitization to prevent injection attacks (e.g., script, HTML, markdown), and secure secrets management with auto-generation and restricted file permissions. Audit logging, rate limiting, and secure environment setup are also implemented. Dependency updates are automated with security checks. No 'eval' or obfuscation is present in the provided source code.
Updated: 2025-12-01
34
1
Medium Cost

MonteWalk

by N-lia

Sec9

MonteWalk transforms AI assistants into institutional-grade quantitative trading terminals for real-time market analysis, risk management, and strategy backtesting using paper trading.

Setup Requirements

  • ⚠️Requires Python 3.12+.
  • ⚠️Requires an Alpaca Paper Trading Account (free) and associated API keys.
  • ⚠️Sentiment analysis (via FinBERT) requires a Modal endpoint URL, implying deployment of the Modal application or using the author's public endpoint.
Verified Safe
The project emphasizes paper trading only, preventing real money risk. API keys are loaded from environment variables (.env file) and are not hardcoded. Pre-trade risk checks are implemented to prevent excessive portfolio concentration. No 'eval' or obvious obfuscation was found. Relies on external APIs (Alpaca, CoinGecko, NewsAPI, Modal) which introduce third-party dependency risks.
Updated: 2025-11-29
34
2
Medium Cost

Kotak_Neo_MCP_Server

by BhavyaJethwa

Sec2

Enables natural language trading on the Kotak Neo platform via an LLM client such as Claude Desktop.

Setup Requirements

  • ⚠️Docker is required to run the Neo Worker service due to dependency conflicts.
  • ⚠️A Redis server is required for the Neo Worker service to store and retrieve user session data (although not explicitly started in the provided run steps, it's configured as 'redis' host).
  • ⚠️Kotak Neo API credentials (mobile number, UCC, consumer key, TOTP, MPIN) are required for initial authentication via the validate endpoint to establish a trading session.
  • ⚠️The MCP server (trade.py) uses a hardcoded session ID, overriding the dynamic session IDs generated by the worker's /validate endpoint. This needs to be addressed for secure, multi-user operation.
Review Required
CRITICAL: The `mcp_server.py` hardcodes a single `session_id` ('2c5f8ebf-1ade-4746-bded-c4502a9f5d2e') for all trading operations (get holdings, limits, positions, buy, sell). This means all users interacting with the MCP server would be performing actions on the same, shared Kotak Neo account. There is no individual user session management or authentication at the MCP server level for trading actions. This is a severe vulnerability, making the system unsafe for real-world trading without significant modifications to dynamically manage user sessions.
Updated: 2025-11-25
32
1
Medium Cost

tradingview-mcp

by viney-123

Sec9

This server fetches TradingView chart snapshots using browser automation for financial analysis and visualization.

Setup Requirements

  • ⚠️Requires Python 3.10 or higher.
  • ⚠️Requires Playwright browser binaries to be installed (e.g., 'playwright install chromium').
  • ⚠️Requires obtaining and setting TRADINGVIEW_SESSION_ID and TRADINGVIEW_SESSION_ID_SIGN environment variables, which involves extracting session cookies from an active TradingView login.
Verified Safe
The server uses environment variables (TRADINGVIEW_SESSION_ID, TRADINGVIEW_SESSION_ID_SIGN) for authentication, which is a good practice for handling sensitive data. It relies on Playwright for headless browser automation, a standard and generally secure method for web interactions. No 'eval', code obfuscation, or other immediately apparent malicious patterns were found in the provided source code.
Updated: 2025-12-06
32
2
Low Cost
Sec9

Retrieves real-time price information for various assets (precious metals, cryptocurrencies) to be used by large language models.

Setup Requirements

  • ⚠️Potential requirement for API keys for services (e.g., Gold API) not explicitly configured via environment variables in the provided code/documentation.
  • ⚠️Requires Node.js version 18 or higher.
Verified Safe
The code appears to be generally safe. It uses Zod for input validation and standard network fetching with timeouts. No 'eval' or obvious obfuscation was found. It relies on external APIs (Gold API, CoinGecko, GoldPriceOrg, exchange rates). A potential concern is the lack of explicit environment variable configuration for API keys, especially for services like 'Gold API' which typically require one. This might lead to runtime failures if a free tier is not sufficient or if a key is implicitly expected but not provided.
Updated: 2025-11-30