Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

96
525
Medium Cost
Sec6

This MCP server provides Next.js development tools for AI coding agents, including runtime diagnostics, automated upgrades, Cache Components setup, browser testing, and documentation search.

Setup Requirements

  • ⚠️Requires Node.js v20.9+.
  • ⚠️Requires Next.js 16+ for runtime diagnostics via `nextjs_index` and `nextjs_call` tools.
  • ⚠️`browser_eval` tool automatically installs `@playwright/mcp` globally using `npm`, which may conflict with other package managers or global install policies.
  • ⚠️The `upgrade_nextjs_16` tool's codemod requires a clean Git working directory and must be run from individual Next.js app directories in a monorepo, not the monorepo root.
Verified SafeView Analysis
The `browser_eval` tool, specifically its `evaluate` action, allows executing arbitrary JavaScript code within a browser context. While this is an intended feature for browser automation, it poses a significant security risk if the input script (the `script` argument) is not strictly controlled and validated by the calling AI agent or user. An attacker could potentially craft malicious JavaScript to exfiltrate data, perform unwanted actions, or exploit browser vulnerabilities. Additionally, the server uses `execSync` and `spawn` to run shell commands (e.g., `npm install -g @playwright/mcp`, `ss`, `netstat`). While the arguments for package installation are fixed, the `ss` and `netstat` commands construct parts of their arguments from internally derived PIDs. A theoretical risk exists if the PID derivation or the underlying `find-process` library could be manipulated, potentially leading to command injection. However, this is a less direct risk than the `browser_eval`'s `evaluate` action. No hardcoded secrets or direct obfuscation were found. Telemetry collection is opt-out and clearly documented.
Updated: 2026-01-08GitHub
96
342
High Cost
Shashankss1205 icon

CodeGraphContext

by Shashankss1205

Sec9

An AI pair programmer that provides real-time, accurate, context-aware assistance by indexing and analyzing codebases (local projects and dependencies) using a graph database, facilitating code understanding, writing, and refactoring across multiple programming languages.

Setup Requirements

  • ⚠️Requires Python 3.12+ for the default FalkorDB Lite embedded database. Earlier Python versions will necessitate an external Neo4j setup.
  • ⚠️An external Neo4j database is required if FalkorDB Lite is not used or explicitly configured via environment variables (NEO4J_URI, NEO4J_USERNAME, NEO4J_PASSWORD).
  • ⚠️Language-specific executables (e.g., 'npm', 'go', 'gem', 'pkg-config') must be available in the system PATH for accurate dependency resolution for respective languages.
  • ⚠️Installing 'falkordblite' is recommended for a zero-config embedded database experience.
Verified SafeView Analysis
The server's primary communication method is via stdin/stdout, which limits direct network exposure. It includes robust checks to prevent arbitrary write operations when executing Cypher queries, by filtering forbidden keywords after stripping string literals. While `subprocess.run` is used for language-specific package discovery (e.g., `npm`, `go list`), these calls are generally well-defined with `shell=False`, reducing the risk of command injection.
Updated: 2026-01-16GitHub
96
342
Medium Cost
CodeGraphContext icon

CodeGraphContext

by CodeGraphContext

Sec8

This MCP Server acts as an expert AI pair programmer's backend, providing real-time, accurate code analysis, indexing, and relationship information from a local codebase to assist with understanding, writing, and refactoring code.

Setup Requirements

  • ⚠️Requires Neo4j database (configured via NEO4J_URI, NEO4J_USERNAME, NEO4J_PASSWORD env vars) or Python 3.12+ for embedded FalkorDB Lite.
  • ⚠️Relies on Tree-sitter parsers for various languages; initial setup may involve compiling or downloading these.
  • ⚠️Dependency indexing for some languages (e.g., Go, Ruby, JavaScript/TypeScript, C/C++) requires their respective CLI tools (`go`, `gem`, `npm`, `pkg-config`) to be installed and accessible in the environment.
Verified SafeView Analysis
The server includes robust input validation and keyword filtering for Cypher queries to prevent arbitrary database modifications. It utilizes `subprocess.run` for package path discovery (`npm`, `gem`, `go`, `pkg-config`), which, while standard for this functionality, always carries an inherent risk if inputs were to be maliciously crafted (though package names are generally controlled). No hardcoded secrets or obvious malicious patterns were found; database credentials are expected via environment variables.
Updated: 2026-01-16GitHub
95
258
Low Cost

This server enables LLM agents to execute Python code in a highly secure, isolated container environment, facilitating complex multi-tool orchestration and data analysis with minimal LLM context token usage.

Setup Requirements

  • ⚠️Requires Podman or Docker (rootless configuration is the default and recommended).
  • ⚠️Requires Python 3.11+ (Python 3.14-slim is the default container image).
  • ⚠️Requires `uv` or `pip` for dependency management (`uv` recommended for installation).
  • ⚠️Pydantic >= 2.12.0 is needed for Python 3.14+ to avoid `TypeError: _eval_type() got an unexpected keyword argument 'prefer_fwd_module'`.
Verified SafeView Analysis
The server executes user-provided Python code using `eval(compile(code, ...), ...)` within a highly restricted, rootless container sandbox. This sandbox enforces strict isolation: no network, read-only rootfs, all capabilities dropped, no new privileges, unprivileged user (65534:65534), and resource limits (memory, PIDs, CPU, timeout). All MCP traffic is mediated by the host, providing an audit trail and preventing direct access to the host or external networks. While `eval` is used, it is the core function of the isolated sandbox, not a direct vulnerability in this hardened setup. The project's history explicitly details lessons from failed insecure prototypes, indicating a strong architectural commitment to security.
Updated: 2025-12-05GitHub
95
223
Medium Cost
AIDotNet icon

Windows-MCP.Net

by AIDotNet

Sec3

Enabling AI assistants to automate tasks and interact with the Windows desktop environment.

Setup Requirements

  • ⚠️Requires Windows Operating System
  • ⚠️Requires .NET 10.0 Runtime or higher
  • ⚠️Requires appropriate Windows administrative permissions to perform desktop automation operations
Review RequiredView Analysis
The server grants broad access to Windows desktop operations, including PowerShell execution, file system manipulation, and UI control. While intended for AI automation, this poses significant security risks if the AI agent or server itself is compromised or misused, potentially leading to data loss, system compromise, or unauthorized actions. There is no visible sandboxing or fine-grained permission control for AI actions described, and the tool requires appropriate Windows permissions (potentially administrative) to function, making it a high-risk component if its inputs are not strictly controlled.
Updated: 2025-11-27GitHub
95
204
Low Cost
intellectronica icon

skillz

by intellectronica

Sec8

Acts as an MCP server to expose Claude-style skills and their resources as callable tools for AI agents.

Setup Requirements

  • ⚠️Requires Python 3.12+
  • ⚠️Skills must be placed in a designated directory (defaults to `~/.skillz` or specified path)
  • ⚠️Potentially unsafe; skills should be treated as untrusted code and run in sandboxes/containers (as advised by the README)
  • ⚠️Requires an MCP-compatible client to consume the skills
Review RequiredView Analysis
The server uses `yaml.safe_load` for parsing skill metadata, mitigating direct YAML injection risks. It explicitly implements path traversal prevention in resource URIs (e.g., checks for '..') to restrict access. The core functionality is to discover and expose skill definitions and resources; the execution of any bundled helper scripts or code is deferred to the consuming AI client. The README explicitly warns users to treat skills as untrusted code and run in sandboxes/containers, indicating that while the server implements some hardening, the overall system design involves a critical security boundary at the client's execution of skill content.
Updated: 2025-11-26GitHub
95
255
High Cost
homeassistant-ai icon

ha-mcp

by homeassistant-ai

Sec8

Provides AI agents with complete control over Home Assistant via REST and WebSocket APIs, offering a comprehensive suite of tools for smart home management, automation, and debugging.

Setup Requirements

  • ⚠️Requires an existing and running Home Assistant instance.
  • ⚠️Mandates `HOMEASSISTANT_URL` and `HOMEASSISTANT_TOKEN` environment variables for connection.
  • ⚠️Advanced features like filesystem access or the custom component installer require enabling specific feature flags (`HAMCP_ENABLE_FILESYSTEM_TOOLS`, `HAMCP_ENABLE_CUSTOM_COMPONENT_INTEGRATION`) and potentially installing a custom Home Assistant component via HACS.
Verified SafeView Analysis
The server securely handles Home Assistant API tokens via environment variables and uses encryption for OAuth credentials. Filesystem access tools are explicitly feature-flagged and operate within a well-defined sandbox, blocking path traversal. Jinja2 template evaluation is delegated to Home Assistant's core, offloading potential security risks. The primary 'risk' is the extensive control granted to AI agents over a smart home environment, which is the intended functionality.
Updated: 2026-01-19GitHub
95
258
Low Cost
Sec7

Generates baseline AWS IAM identity-based policies from application source code (Python, Go, TypeScript) and helps fix AccessDenied errors, primarily for AI coding assistants.

Setup Requirements

  • ⚠️Requires AWS CLI configured with credentials (for policy application actions).
  • ⚠️Requires Rust toolchain for building from source.
  • ⚠️Python uv or pip is the recommended installation method, or curl/wget for direct install script.
  • ⚠️MCP server configuration requires setting AWS_PROFILE and AWS_REGION environment variables.
Verified SafeView Analysis
The tool directly modifies AWS IAM policies in an account via the `apply` command. While it includes guardrails (e.g., account mismatch checks, rejection of root users/service-linked roles, and default confirmation prompts for `fix-access-denied` in CLI), its core function is a high-privilege operation. Policies generated and applied should always be carefully reviewed by a human before deployment to ensure they align with security requirements and the principle of least privilege. The `install.sh` script downloads and executes a binary from GitHub releases, which is a common pattern but presents a supply chain risk if the repository or distribution channel were compromised.
Updated: 2026-01-18GitHub
95
225
Medium Cost
vishalveerareddy123 icon

Lynkr

by vishalveerareddy123

Sec9

Lynkr is an AI orchestration layer that acts as an LLM gateway, routing language model requests to various providers (Ollama, Databricks, OpenAI, etc.). It provides an OpenAI-compatible API and enables AI-driven coding tasks via a rich set of tools and a multi-agent framework, with a strong focus on security, performance, and token efficiency. It allows AI agents to interact with a defined workspace (reading/writing files, executing shell commands, performing Git operations) and leverages long-term memory and agent learning to enhance task execution.

Setup Requirements

  • ⚠️Requires API keys for chosen LLM providers (e.g., DATABRICKS_API_KEY, OPENAI_API_KEY, OPENROUTER_API_KEY, AWS_BEDROCK_API_KEY), many of which are paid services.
  • ⚠️If using a local model (`MODEL_PROVIDER=ollama`, `llamacpp`, or `lmstudio`), the respective local server must be running and accessible.
  • ⚠️If `MCP_SANDBOX_ENABLED=true` (default) and `MCP_SANDBOX_RUNTIME=docker` (default), Docker must be installed and running for sandboxed command execution.
Verified SafeView Analysis
The project demonstrates a robust focus on security. It includes explicit `SHELL_BLOCKLIST_PATTERNS` and `PYTHON_BLOCKLIST_PATTERNS`, and a `SafeCommandDSL` to evaluate shell commands against allowed flags and blocked patterns, specifically disallowing dangerous commands like `rm`, `mv`, `cp`, `chmod`, `sudo`, `reboot`, `shutdown`, and `killall`. The `evaluateToolCall` policy enforces controls on tool usage, including file access (allowed/blocked paths) and Git operations (configurable push/pull/commit permissions). Sensitive content is sanitized using `sanitiseText`. For process execution, a Docker-based sandbox (`src/mcp/sandbox.js`) is configurable to provide isolation, resource limits, and network control. Configuration management (`src/config/index.js`) relies on environment variables, preventing hardcoded secrets. While designed with strong safeguards, any system allowing dynamic code execution by an AI carries inherent residual risk.
Updated: 2026-01-18GitHub
94
9980
Medium Cost
hangwin icon

mcp-chrome

by hangwin

Sec6

Transforms the Chrome browser into an AI-controlled automation tool, enabling large language models to interact with web pages, analyze content, and manage browser functions.

Setup Requirements

  • ⚠️Requires Node.js >= 20.0.0 and pnpm/npm for installation.
  • ⚠️Requires Chrome/Chromium browser.
  • ⚠️Native Messaging Host registration may require administrator/sudo privileges (`mcp-chrome-bridge register --system` or `sudo mcp-chrome-bridge register`).
  • ⚠️pnpm users may need to enable pre/post scripts (`pnpm config set enable-pre-post-scripts true`) if automatic registration fails.
Verified SafeView Analysis
The core functionality involves executing AI-generated or user-provided JavaScript code within the browser (via chrome.scripting.executeScript and `new Function`) and manipulating DOM/network. This inherently carries security risks, as it allows arbitrary code execution and browser control. The `FileHandler` can download files from URLs, which could pose an SSRF risk if the input URL is controlled by a malicious agent, although it generates new filenames and restricts cleanup to a temporary directory. The system offers system-level installation of its native messaging host, requiring administrator/sudo privileges, which is a common but significant permission grant. No obvious hardcoded sensitive secrets were found. The security model relies heavily on the trustworthiness of the AI agent and the inputs it processes, rather than a sandboxed execution environment.
Updated: 2026-01-06GitHub
94
641
Medium Cost
hyperbrowserai icon

mcp

by hyperbrowserai

Sec9

This server provides Hyperbrowser's Model Context Protocol (MCP) interface, offering tools for web scraping, structured data extraction, crawling, and general-purpose browser automation using AI agents like OpenAI's CUA and Anthropic's Claude Computer Use.

Setup Requirements

  • ⚠️Requires a Hyperbrowser API Key (HYPERBROWSER_API_KEY or HB_API_KEY environment variable).
  • ⚠️Certain advanced features (e.g., CAPTCHA solving, Proxies, Batch Scrape, Static IPs) require a paid Hyperbrowser plan.
  • ⚠️Requires Node.js (v18.0.0 or higher).
  • ⚠️An OpenAI API Key (OPENAI_API_KEY environment variable) is required for some features like documentation summarization scripts and AI function calling integrations with OpenAI models.
Verified SafeView Analysis
The server correctly retrieves API keys from environment variables (HYPERBROWSER_API_KEY or HB_API_KEY), preventing hardcoded secrets. External network calls (to Hyperbrowser backend, Bing, OpenAI) are a core part of its functionality and appear well-defined and controlled, not arbitrary. JSON schema compilation via AJV is used for validation and does not pose a direct code execution risk. Relying on external cloud services for browser automation introduces external dependency risks inherent to the architecture, but the server's code itself follows good security practices.
Updated: 2025-11-20GitHub
94
133
Medium Cost
gregorydickson icon

memory-graph

by gregorydickson

Sec9

A graph-based MCP server that provides intelligent memory capabilities for Claude Code, enabling persistent knowledge tracking, relationship mapping, and contextual development assistance.

Setup Requirements

  • ⚠️Requires a compatible database backend (SQLite is default, but others like Neo4j, Memgraph, FalkorDB, Turso, LadybugDB, or a Cloud API require specific installations and configurations).
  • ⚠️Persistent storage in remote Claude Code Web environments requires 'MEMORYGRAPH_API_KEY' or 'MEMORYGRAPH_TURSO_URL' and 'MEMORYGRAPH_TURSO_TOKEN' environment variables.
  • ⚠️Optional Python packages (e.g., 'neo4j', 'falkordb', 'redislite', 'libsql-experimental', 'real_ladybug', 'spacy') are needed for specific backends or NLP features.
Verified SafeView Analysis
Input validation is extensively used for memory and relationship data, preventing common injection vulnerabilities (e.g., SQL injection in SQLite/Turso backends) by using parameterized queries. Sensitive information (API keys, passwords, private keys, emails) is actively redacted from memory content before storage, a strong security feature. Subprocess calls for 'git' operations are controlled and generally safe, but always warrant careful review. Authentication for cloud/multi-tenant modes relies on external configuration (API keys, JWT), whose secure management is external to this component but acknowledged.
Updated: 2026-01-13GitHub
PreviousPage 13 of 713Next