Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

38
9
Medium Cost
huangfeng19820712 icon

mcp-mysql-server

by huangfeng19820712

Sec9

Provides an MCP-compliant interface for AI models to securely interact with a MySQL database for CRUD operations, schema inspection, and performance analysis.

Setup Requirements

  • ⚠️Requires Node.js version 18 or higher.
  • ⚠️Requires an active MySQL database server accessible from where this MCP server runs.
  • ⚠️Database connection details (host, user, password, database) must be supplied either as a MySQL connection URL via command-line arguments or through specific environment variables.
Verified SafeView Analysis
The server demonstrates robust security practices by utilizing parameterized queries to prevent SQL injection. Sensitive database credentials are managed via environment variables or a MySQL connection URL passed as a command-line argument, and passwords are explicitly masked in logging output. Input validation ensures that different tools ('query', 'execute', 'show_statement') are used for their intended SQL command types, preventing misuse. Connection pooling and graceful shutdown on process exit contribute to reliable resource management.
Updated: 2025-12-01GitHub
38
12
Medium Cost
seanivore icon
Sec3

Converts Markdown content into gorgeously styled PDF documents using VS Code's markdown styling and Python's ReportLab, integrated as an MCP server.

Setup Requirements

  • ⚠️Requires Python 3.12+ for execution.
  • ⚠️Requires `uv` for installation and running (e.g., `uv sync`, `uv run`).
  • ⚠️Relies on specific font files located in the `fonts/TTF/` directory relative to the package, which must be present and accessible.
Review RequiredView Analysis
Critical risks identified: 1. **Directory Traversal**: The `output_path` argument for the `convert_markdown` tool is directly used to construct file paths for PDF output. An attacker could specify paths like `../../../../evil.pdf` to write files to arbitrary locations outside the intended directory. 2. **SSRF/Malicious Image Download**: The `download_image` function in `converter.py` fetches image URLs directly from markdown `img src` attributes. If markdown input is untrusted, this could lead to Server-Side Request Forgery (SSRF) or downloading large/malicious files, causing resource exhaustion or internal network exposure. 3. **Arbitrary File Read (Potential)**: While less direct, the `read_resource` handler for `pdf://local/` and `markdown://local/` schemes might allow reading arbitrary files if the URI path is not sufficiently sanitized beyond basic scheme replacement, given that `Path()` is used directly with the extracted path component. The `list_resources` also lists all markdown/pdf files in the current working directory, which might expose more than intended. These vulnerabilities make the server unsafe to run with untrusted user input without significant hardening.
Updated: 2025-11-29GitHub
38
9
Medium Cost
habedi icon

omni-lpr

by habedi

Sec3

Provides automatic license plate recognition (ALPR) capabilities via a REST API and the Model Context Protocol (MCP) as a self-hostable microservice or a toolbox for AI agents and LLMs.

Setup Requirements

  • ⚠️Hardware acceleration (CUDA/OpenVINO) requires installing specific `pip` extras AND setting the `EXECUTION_DEVICE` environment variable; mismatch will cause startup failure.
  • ⚠️Using the MCP interface with Docker requires setting `GUNICORN_WORKERS=1` to ensure session consistency, otherwise concurrent requests may fail.
  • ⚠️Initial startup may involve downloading large machine learning models, leading to potential delays and increased disk usage.
Review RequiredView Analysis
Critical security risks identified: 1. Server-Side Request Forgery (SSRF) / Local File Inclusion (LFI): The `recognize_plate_from_path` and `detect_and_recognize_plate_from_path` tools accept a `path` argument (URL or local file path). The application fetches images from these paths using `httpx.get` or `anyio.Path.read_bytes` without apparent validation or sanitization of the path's content. This could allow an attacker to read arbitrary local files, scan internal networks, or trigger denial-of-service by targeting large/slow external resources. 2. Broad CORS Policy: The server's CORS middleware allows origins from `*` (all origins), which is overly permissive and can pose a security risk in browser-based applications if not adequately protected by a stricter reverse proxy. Note: `avg_tokens_per_call` is a placeholder for computational load, as this is not an LLM application.
Updated: 2025-12-02GitHub
38
13
Low Cost
josharsh icon

mcp-jest

by josharsh

Sec9

A testing framework for Model Context Protocol (MCP) servers, allowing automated validation of AI agent tools, resources, and prompts.

Setup Requirements

  • ⚠️Requires Node.js version 18 or higher to run.
  • ⚠️An external MCP-compliant server must be running or specified for testing.
  • ⚠️For HTTP-based transports (streamable-http, sse), the target MCP server must be pre-running and accessible via a specified URL.
Verified SafeView Analysis
The core `mcp-jest` framework carefully parses string-based expectations without using unsafe `eval()` or `new Function()` for user-provided input, significantly reducing injection risks. It is designed to spawn and interact with user-defined server commands and URLs, which is its intended function and not a vulnerability of the framework itself. While some example test servers within the repository (e.g., `e2e/test-server.js`) might use `Function()` for controlled dynamic execution within their own logic, this does not reflect a security flaw in the `mcp-jest` framework's handling of external input.
Updated: 2026-01-16GitHub
38
1
Medium Cost
sankalp0412 icon

stockfish-mcp

by sankalp0412

Sec7

Integrate the Stockfish chess engine with Claude Desktop for AI-assisted chess gameplay via natural language.

Setup Requirements

  • ⚠️Requires Python 3.13+
  • ⚠️Requires Stockfish chess engine (external installation)
  • ⚠️Requires Redis server (external installation and management)
Verified SafeView Analysis
Uses `pickle` for object serialization to Redis, which can be a security risk if an attacker can inject arbitrary pickled data into Redis. However, in this local context, data is self-generated and stored/retrieved by the application itself, mitigating immediate danger. Relies on an external API (fen2image.chessvision.ai) for board visuals, introducing a dependency and potential external service risks, though a timeout is implemented.
Updated: 2025-11-28GitHub
38
4
Medium Cost
zircote icon

subcog

by zircote

Sec9

Subcog acts as a persistent subconscious memory system for AI coding assistants, capturing decisions, patterns, learnings, and context from coding sessions, and surfacing them through semantic search and MCP server integration.

Setup Requirements

  • ⚠️Requires an LLM provider: OpenAI/Anthropic (paid API keys) or a locally running Ollama/LM Studio instance.
  • ⚠️First use requires downloading the `fastembed` embedding model (~100-500ms startup delay).
  • ⚠️Group management features require `SUBCOG_USER_ID` and `SUBCOG_ORG_ID` environment variables for authentication.
Verified SafeView Analysis
The project uses Rust's `forbid(unsafe_code)` for memory safety. It implements robust input validation, LLM prompt injection mitigation (XML escaping, strong system prompts), secrets and PII detection/redaction, JWT authentication with entropy validation, request rate limiting, and circuit breakers for external calls. File I/O operations include path traversal protection. Audit logging is also integrated. Score is 9, not 10, due to the inherent complexity of LLM integrations and local file storage, which always carry a residual risk, however well mitigated.
Updated: 2026-01-19GitHub
38
11
Low Cost
RadCod3 icon

LamPyrid

by RadCod3

Sec9

Automate personal finance workflows and analysis by integrating with Firefly III personal finance software via a Model Context Protocol (MCP) server.

Setup Requirements

  • ⚠️Requires a running Firefly III instance and a Personal Access Token configured for API access.
  • ⚠️Python 3.14+ and the `uv` package manager are required for local installation.
  • ⚠️Optional Google OAuth authentication requires prior setup in Google Cloud Console (Client ID, Client Secret, Server Base URL) and local generation of `JWT_SIGNING_KEY` and `OAUTH_STORAGE_ENCRYPTION_KEY`.
Verified SafeView Analysis
The server correctly uses environment variables for sensitive API tokens (`FIREFLY_TOKEN`). Google OAuth is an optional feature with secure token persistence using Fernet encryption and JWT signing keys, which are generated externally. Input sanitization (`FireflyClient._sanitize_value`) is implemented for search queries to mitigate potential injection risks into the Firefly III API query string. There are no obvious hardcoded secrets or direct command execution vulnerabilities in the provided source code. Relying on custom sanitization always carries a slight risk if edge cases are missed, but the current implementation appears robust for its intended purpose.
Updated: 2026-01-18GitHub
38
10
Medium Cost
bugzy-ai icon
Sec9

Cloud Run service for executing Claude Code AI agent tasks with secure credential handling and flexible configuration, ideal for GitOps and CI/CD workflows.

Setup Requirements

  • ⚠️Requires a Google Cloud Project with billing enabled and various GCP services (Cloud Run, Cloud KMS, Cloud Storage, Artifact Registry, Secret Manager) to be enabled and configured through `setup-project.sh`.
  • ⚠️Requires extensive IAM permissions setup (e.g., roles/run.invoker, roles/storage.objectAdmin, roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/run.developer) across multiple GCP services for both the Cloud Run service and the Cloud Run Job. These are managed by `grant-job-permissions.sh` and `setup-service-account.sh`.
  • ⚠️Requires setting up Cloud KMS with a specific key ring and key (`KMS_KEY_RING`, `KMS_KEY_NAME`) for secure payload encryption. This setup is performed by the `setup-kms.sh` script.
Verified SafeView Analysis
The server demonstrates a strong focus on security, especially regarding sensitive data. Credentials (Anthropic API keys, OAuth tokens, SSH private keys, environment variables) are passed in the request payload and handled securely. They are encrypted using Google Cloud KMS before being temporarily stored in Google Cloud Storage, then decrypted in isolated Cloud Run Job workers. A local proxy prevents the Claude CLI from directly accessing real credentials. Webhook callbacks are HMAC-SHA256-signed for authenticity, using a secret retrieved from Secret Manager. Ephemeral workspaces, user isolation within Docker, and explicit environment variable control further enhance security boundaries. The use of `StrictHostKeyChecking=no` in the GitService is noted, but within the context of ephemeral, single-use workspaces, it mitigates typical man-in-the-middle concerns by preventing interactive prompts.
Updated: 2026-01-19GitHub
38
33
Medium Cost
groq icon
Sec6

Provides a Model Context Protocol (MCP) server to access Groq's AI capabilities, including ultra-fast LLM chat, vision, text-to-speech, speech-to-text, agentic tooling, and batch processing, from clients like Claude Desktop and Cursor.

Setup Requirements

  • ⚠️Requires a Groq API Key (Paid service, obtain at console.groq.com).
  • ⚠️Requires `uv` (Python package manager) or `pip` for dependency installation; Python 3.11+ is specified.
  • ⚠️Requires specific configuration within the MCP client (e.g., modifying `claude_desktop_config.json` for Claude Desktop).
  • ⚠️The designated output directory (`BASE_OUTPUT_PATH`, defaults to `~/Desktop`) must be writeable by the server process.
Review RequiredView Analysis
The server exposes agentic tooling (`compound_tool`) which explicitly enables dynamic code execution and web searches via the Groq API. While this functionality is delegated to Groq's service, it represents an inherent risk of powerful AI agents if prompts are maliciously crafted. The use of string interpolation for constructing Python commands within shell scripts (`python3 -c "..."`) is a moderate risk point, as improper sanitization of user-controlled inputs (`$AUDIO_FILE`, `$OUTPUT_DIR`, etc.) could potentially lead to command injection. Arbitrary file writes are possible if the `output_directory` parameter is controlled by a malicious client and the server process has broad file permissions. Additionally, the vision module can fetch images from arbitrary URLs, introducing potential Server-Side Request Forgery (SSRF) risks.
Updated: 2025-11-19GitHub
38
11
Low Cost
Code4Delphi icon

ia-na-pratica

by Code4Delphi

Sec5

Enables Large Language Models (LLMs) to interact with Delphi applications by exposing application functionalities as fine-grained tools, effectively creating an embedded Model Context Protocol (MCP) Server.

Setup Requirements

  • ⚠️Requires TMS AI Studio (commercial Delphi component suite).
  • ⚠️Requires Delphi development environment.
  • ⚠️Requires API Keys for chosen LLM providers (e.g., OpenAI, Google Gemini, Anthropic Claude).
  • ⚠️Specific samples may require WebView2Loader_x86.dll and WebView2Loader_x64.dll for map interaction (Edge Chromium) or Ollama for local AI.
Review RequiredView Analysis
The project describes a framework that allows LLMs to interact with application features such as file system, database manipulation, email sending/retrieval, and logging. While the documentation mentions 'structured and restricted manner' for these functionalities, granting AI such powerful access inherently carries significant security risks if not implemented with extreme caution. The potential to expose arbitrary methods via RTTI (mentioned in linked videos) also increases the attack surface. Proper sandboxing, strict access control, and thorough validation of AI-generated actions are crucial, and their implementation quality depends heavily on the developer using the framework. Without direct visibility into these safeguards, the potential for misuse or vulnerabilities is moderate to high.
Updated: 2025-12-14GitHub
38
2
High Cost
advance-group icon

jar-wise

by advance-group

Sec8

JarWise is a Java code analysis tool providing an MCP server to understand method call hierarchies, dependencies, and REST API endpoints in Java projects.

Setup Requirements

  • ⚠️Requires Java 21 or higher.
  • ⚠️Requires Gradle 8.0 or higher for building.
  • ⚠️Requires `JAR_WISE_PROJECT_PATH` environment variable set to the Java project root or root directory for scanning.
Verified SafeView Analysis
The server's primary function is to read and parse Java source code and JAR files. It does not execute arbitrary user-provided code strings. Inputs for tools like `signature` or `query` are used for lookups and pattern matching (with `Pattern.quote` for regex, mitigating injection). The `project-path` or `root-path` configuration can point to any directory, which means sensitive data could be indexed if misconfigured, but this is an intended function. Resource exhaustion (CPU/memory) is possible with extremely large codebases during indexing or complex traversals, though an LRU cache is used for multiple projects. Temporary files are created during Spring Boot JAR extraction but are configured to be deleted on exit.
Updated: 2025-12-03GitHub
38
9
Medium Cost
n0zer0d4y icon

vulcan-file-ops

by n0zer0d4y

Sec9

Transforms desktop AI assistants into powerful development partners by providing secure, user-controlled filesystem operations and code manipulation capabilities.

Setup Requirements

  • ⚠️Requires Node.js for execution.
  • ⚠️Requires explicit configuration of '--approved-folders' (CLI) or 'register_directory' tool for filesystem access.
  • ⚠️Requires explicit configuration of '--approved-commands' (CLI) or 'APPROVED_COMMANDS' (.env) for shell command execution.
Verified SafeView Analysis
The server demonstrates a very strong focus on security, actively mitigating several common vulnerabilities. It rigorously validates all file paths against a whitelist of 'allowed directories' using canonical path resolution and symlink dereferencing to prevent directory traversal (CWE-23) and symlink attacks (CVE-2025-53109). A recent 'SECURITY FIX' explicitly blocks all unapproved shell commands (CVE-2025-54795) and validates the working directory, even when unspecified, preventing execution bypasses. It also includes checks for dangerous command patterns (e.g., 'rm -rf', 'sudo') and command substitution. Write operations use atomic renames to prevent race conditions. The overall architecture is designed for secure, user-controlled access to local resources.
Updated: 2026-01-17GitHub
PreviousPage 102 of 713Next