Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

Vetted Servers (8554)

98
609
Medium Cost

voicemode

by mbailey

Sec6

Provides robust voice interaction capabilities for Model Context Protocol (MCP) agents, enabling real-time speech-to-text (STT) and text-to-speech (TTS) functionalities, with support for local and cloud-based services. It also includes tools for audio playback (DJ), service management, and diagnostics.

Setup Requirements

  • ⚠️Requires `uv` for Python package management during installation.
  • ⚠️`FFmpeg` is a critical system dependency for audio processing, and must be installed separately.
  • ⚠️`sudo` access is typically needed for system package installation on Linux.
  • ⚠️Requires a functional microphone/audio input device for voice interaction capabilities.
  • ⚠️`webrtcvad` (for silence detection) requires C/C++ build tools (e.g., `gcc`, `python3-dev`) to be installed prior to Python package installation.
  • ⚠️Local Whisper/Kokoro services require manual installation (via `voice-mode whisper install`/`kokoro install`), or an `OPENAI_API_KEY` is needed for cloud-based STT/TTS services.
Verified Safe
Extensive use of `subprocess.run`/`Popen` for system integration (package installation, Git cloning, running services) poses a risk for command injection if user-provided input is not rigorously sanitized, though `Path` objects and `shlex.split` offer some protection. The `serve` command exposes the MCP server via HTTP/SSE, requiring explicit configuration of IP allowlisting, secret path, or token authentication to prevent unauthorized access. Trust in external repositories (whisper.cpp, kokoro-fastapi) and their integrity is assumed for installation.
Updated: 2026-01-19
98
556
Medium Cost
Sec7

Transforms an AI assistant into a macOS automation agent, enabling it to execute AppleScript and JXA commands to control applications and system functions.

Setup Requirements

  • ⚠️Requires macOS (AppleScript/JXA are macOS-specific).
  • ⚠️Requires Node.js (version >=18.0.0).
  • ⚠️CRITICAL: Requires explicit user permission grants for 'Automation' and 'Accessibility' in macOS System Settings for the application running the server (e.g., Terminal, Node).
Review Required
The server's core functionality is to execute arbitrary AppleScript/JXA code, which, by its nature, can be a high-risk operation if misused. While the `placeholderSubstitutor.ts` correctly sanitizes inputs for its specific placeholders, a malicious client could craft scripts that delete files, access sensitive data, or install malware. The README explicitly warns that the application running this server (e.g., Terminal, Node.js) requires manual user grants for macOS 'Automation' and 'Accessibility' permissions, which bestow significant control over the system. Therefore, while the server itself appears to handle its specific input sanitization well, the inherent power of arbitrary code execution makes it a high-privilege target.
Updated: 2026-01-13
98
584
Low Cost

yargi-mcp

by saidsurucu

Sec2

Provides programmatic access to various Turkish legal databases (e.g., Yargıtay, Danıştay, Constitutional Court) as a Model Context Protocol (MCP) server for integration with Large Language Model (LLM) applications like Claude AI.

Setup Requirements

  • ⚠️Requires Python 3.11 or newer.
  • ⚠️Requires `uv` (Astral's package manager/runner) for local execution.
  • ⚠️Windows users may need Microsoft Visual C++ Redistributable.
  • ⚠️Authentication (if enabled) requires `CLERK_PUBLISHABLE_KEY`, `CLERK_SECRET_KEY`, and `JWT_SECRET_KEY` environment variables. Clerk is a paid service provider.
  • ⚠️Persistent OAuth session storage requires `UPSTASH_REDIS_REST_URL` and `UPSTASH_REDIS_REST_TOKEN` environment variables; otherwise, it falls back to in-memory storage, which is not suitable for multi-machine deployments.
Review Required
CRITICAL: The API clients (Yargıtay, Danıştay, Emsal, Uyuşmazlık, KIK) use `verify=False` in `httpx.AsyncClient` when making requests to external APIs, disabling SSL/TLS certificate verification. This makes the application highly vulnerable to Man-in-the-Middle (MITM) attacks, allowing an attacker to intercept or modify communication with upstream legal databases. Additionally, a hardcoded AES-256-CBC encryption key (`KikV2ApiClient.DOCUMENT_ID_ENCRYPTION_KEY`) is used for document ID encryption, which is a severe security flaw if intended for any form of protection, as the key is publicly available. There is also a hardcoded fallback API token for Brave Search in `KvkkApiClient`.
Updated: 2026-01-15
98
674
Low Cost

octocode-mcp

by bgauryy

Sec9

The Octocode Research server enables AI agents to perform expert code forensics and deep-dive research across local filesystems (LSP, ripgrep, file I/O) and external GitHub repositories (code search, repo structure, pull requests, package search). It's optimized for architectural analysis, pattern discovery, and implementation planning.

Setup Requirements

  • ⚠️Requires Node.js v20 or higher.
  • ⚠️GitHub API tools require authentication (GitHub token via OAuth, gh CLI, or PAT). Without it, rate limits will be hit quickly.
  • ⚠️Local tools (`ripgrep`, `ls`, `find`) depend on these commands being installed and available in the system's PATH. LSP tools require a compatible LSP server (e.g., `typescript-language-server`).
  • ⚠️Uses port 1987 by default; a conflict will prevent the server from starting.
Verified Safe
The server implements strong security measures including Zod-based input validation, explicit path traversal protection, and command injection prevention for spawned child processes (e.g., `ripgrep`, `ls`). Sensitive data is redacted from logs and output. Authentication tokens are handled securely via environment variables, GitHub CLI, or an encrypted local store. The server binds to `localhost` by default. External exposure would require additional security layers.
Updated: 2026-01-18
98
541
Low Cost

mcp-handler

by vercel

Sec8

Provides a Vercel adapter for the Model Context Protocol (MCP), enabling real-time communication between applications and AI models through Next.js or Nuxt.

Setup Requirements

  • ⚠️Requires @modelcontextprotocol/sdk@1.25.2 or later due to a known security vulnerability in prior versions (as explicitly stated in the README).
  • ⚠️Requires a Next.js 13+ or Nuxt 3+ project as a host framework.
  • ⚠️Requires Node.js 18+.
  • ⚠️While Redis integration is optional for the Streamable HTTP transport, it is mandatory if the Server-Sent Events (SSE) transport is enabled. If SSE is used without a `REDIS_URL` or `KV_URL` environment variable, the server will fail to initialize SSE functionality.
Verified Safe
The code correctly handles proxy headers (X-Forwarded-Host, X-Forwarded-Proto, Forwarded) to prevent URL spoofing and ensure accurate public-facing URLs. It implements Bearer token authentication following MCP Authorization Specification, including checks for required tokens, scopes, and token expiration, and returns appropriate WWW-Authenticate headers. Explicit CORS headers are set for OAuth metadata endpoints. For Server-Sent Events (SSE), it integrates with Redis for messaging, relying on secure external configuration of the Redis URL via environment variables. Comprehensive cleanup logic for SSE connections helps prevent resource leaks and potential denial-of-service issues. No instances of 'eval', code obfuscation, hardcoded secrets, or overtly malicious patterns were identified. Security heavily depends on the secure configuration of its host environment (e.g., Next.js/Nuxt) and Redis.
Updated: 2026-01-09
98
552
Medium Cost
Sec9

Acts as an AI assistant's gateway to Google Sheets for automation and data manipulation.

Setup Requirements

  • ⚠️Requires prior setup in Google Cloud Platform (creating a project, enabling Google Sheets and Drive APIs).
  • ⚠️Authentication is critical and involves choosing one of four methods (Service Account, OAuth 2.0, Direct Credential Injection, Application Default Credentials), each with specific environment variables and setup steps.
  • ⚠️Requires 'uv' (specifically 'uvx') to be installed for the recommended quick start method.
Verified Safe
The server uses standard Google API client libraries for authentication and API interaction. It relies on environment variables for sensitive configurations like credential paths, folder IDs, or base64-encoded credential content, avoiding hardcoded secrets. The default binding to '0.0.0.0' means it listens on all interfaces, requiring proper host-level firewalling. The broad Google Sheets and Drive API scopes are necessary for its functionality, and the README clearly advises users on appropriate permissions for service accounts, indicating that the primary security responsibility lies with the user's Google Cloud credential management.
Updated: 2025-12-06
98
548
Medium Cost

mcpcan

by Kymo-MCP

Sec4

MCPCan is an open-source integration platform for managing and orchestrating MCP (Model Context Protocol) services, providing a web-based interface for service lifecycle management, multi-protocol compatibility, monitoring, security, and one-stop deployment on containerized environments.

Setup Requirements

  • ⚠️Requires Go 1.21+, Node.js 18+ and pnpm for development.
  • ⚠️Requires Docker and Docker Compose (or Kubernetes) for containerized deployment.
  • ⚠️Default database passwords and application secrets in example configurations MUST be changed for production use.
Verified Safe
The project exhibits mixed security practices. Positive aspects include explicit path traversal prevention during archive extraction, robust CORS handling, and HMAC-SHA256 for internal API security middleware. However, several critical issues lower the overall score: 1. A hardcoded JWT token in `backend/pkg/mcpcansaas/client.go` is used for accessing an external SaaS platform (`mcpcan.com`), posing a significant risk if compromised. 2. The `backend/pkg/qm/signature.go` file contains a function for signature generation using MD5, a cryptographically broken hash function, though its usage appears commented out in the `client.go`. If enabled, this would be a severe vulnerability. 3. The `backend/pkg/dify` package (Go port of a Python module) uses SHA-1 for OAEP padding, which is an outdated cryptographic hash function. 4. Example configuration files (`backend/config-example/*.yaml`) contain default passwords and a generic `dev-app-secret` which, if not changed in production deployments, can easily lead to compromise. The `init` service also contains default admin credentials.
Updated: 2026-01-14
98
605
Low Cost
Sec10

This repository serves as a curated list of resources, including papers, videos, articles, tools, and servers, focusing on Model Context Protocol (MCP) security.

Verified Safe
The provided 'SOURCE CODE' consists of the `README.md` and `CONTRIBUTING.md` files, which are static documentation. These files themselves do not contain executable code, 'eval' calls, obfuscation, network risks, or hardcoded secrets. Therefore, the repository content itself is inherently safe to run/view. It is important to note that the repository *lists* various external tools and servers, some of which are explicitly labeled as 'Damn Vulnerable MCP Server' or discuss known vulnerabilities within the broader MCP ecosystem. Users should exercise caution and perform their own due diligence when interacting with any external links or tools referenced in the list.
Updated: 2025-12-12
98
675
Medium Cost

HowToCook-mcp

by worryzyy

Sec9

Provides an AI assistant with tools for recipe lookup, meal planning, and food recommendations.

Setup Requirements

  • ⚠️Requires Node.js 16.0.0+.
  • ⚠️Needs an MCP-compatible AI client (e.g., Claude Desktop, Cursor) to function.
  • ⚠️The 'all_recipes.json' file must be present in the project root for data loading. The 'Query All Recipes' tool can generate a very large response, potentially incurring high token costs for the AI.
Verified Safe
The server uses standard Node.js and MCP SDK practices. It reads data from a local JSON file and does not appear to make outbound network requests to user-controlled URLs, mitigating SSRF risks. Input validation is handled via Zod. The HTTP/SSE transport sets 'Access-Control-Allow-Origin: *', which is permissive but typical for public APIs or development, and less critical for non-sensitive recipe data. No 'eval', obfuscation, or hardcoded secrets were found.
Updated: 2026-01-19
97
405
Medium Cost
Sec9

Enables natural language trading operations for Alpaca's Trading API via AI assistants, supporting stocks, options, crypto, portfolio management, and real-time market data.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️`uv` package manager is recommended and often required for smooth installation and dependency management.
  • ⚠️Mandatory Alpaca Trading API keys are required for operation (free paper trading accounts are available).
  • ⚠️Requires a separate Model Context Protocol (MCP) client (e.g., Claude Desktop, Cursor, VS Code, PyCharm, Gemini CLI) for interaction.
Verified Safe
Uses environment variables and `.env` files for sensitive API keys, with explicit warnings against command-line arguments in `cli.py`. Implements DNS rebinding protection for HTTP transport with configurable `allowed-hosts`. `.env` file permissions are set restrictively (0o600) on non-Windows systems. Kubernetes secrets are leveraged in Helm chart deployments for credentials. The primary inherent risk is financial loss from actual trading, which is clearly disclosed to the user.
Updated: 2025-12-15
97
388
Low Cost

kmcp

by kagent-dev

Sec9

KMCP is a Kubernetes controller and CLI tool that provides a declarative way to deploy, manage, and scale Model Context Protocol (MCP) servers in Kubernetes environments.

Setup Requirements

  • ⚠️Requires a Kubernetes cluster (1.11.3+) and Helm (3.0+) for controller deployment.
  • ⚠️Docker is required locally for building custom MCP server images.
  • ⚠️Node.js and npm (for npx) are required for local development when using the MCP Inspector.
  • ⚠️Specific language runtimes (e.g., 'uv' for Python, 'go' for Go, 'mvn' for Java) are required locally depending on the chosen MCP server framework for local execution.
Verified Safe
The project uses standard Kubernetes practices for deployment and secret management. It explicitly disables HTTP/2 by default in the controller due to known vulnerabilities (CVEs mentioned) and validates image versions via regex to prevent injection attacks in the transport adapter. A dedicated sanitizer is included to redact common secret patterns (e.g., API keys, tokens, database credentials) from output and logs. Secrets are expected to be provided by the user via Kubernetes secrets or .env files, not hardcoded within the application logic.
Updated: 2025-12-08
97
400
Medium Cost

GhidrAssistMCP

by jtang613

Sec2

This Ghidra extension provides an MCP server, enabling AI assistants and other tools to interact with Ghidra's reverse engineering capabilities through a standardized API, supporting program analysis, modification, and navigation.

Setup Requirements

  • ⚠️Requires Ghidra 11.4+ to function as an extension.
  • ⚠️Requires an MCP Client (like GhidrAssist) to interact with the server.
  • ⚠️Building from source requires setting the GHIDRA_INSTALL_DIR environment variable.
Review Required
CRITICAL: The server lacks any explicit authentication or authorization mechanisms for incoming MCP requests. While it defaults to binding to `localhost:8080`, the configuration allows changing the host and port, potentially exposing the unauthenticated API to the network. Any process on the host machine (or a remote attacker if misconfigured) can execute any enabled tool, including those that modify the Ghidra database (e.g., `rename_function`, `set_data_type`, `create_struct`, `modify_struct`). This presents a significant security risk for data integrity and system compromise within the Ghidra environment. Relying on internal Ghidra APIs via reflection also introduces potential fragility and unhandled edge cases if inputs are crafted maliciously.
Updated: 2026-01-12