Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse Directory Why Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:

SORT:

Vetted Servers(8554)

Medium Cost

skilljack-mcp

by olaservo

Sec9

An MCP server that enables LLMs to dynamically discover, load, and use Agent Skills from local directories.

Setup Requirements

⚠️Requires Node.js >= 18.0.0.
⚠️Best experience requires an MCP client supporting `tools/listChanged` notifications (e.g., Claude Code).
⚠️On Windows, forward slashes must be used in paths when configuring skill directories, especially with MCP Inspector.

Verified SafeView Analysis

The server implements strong defenses against common file-related vulnerabilities: - Path traversal is prevented using `fs.realpathSync` and `path.resolve` to ensure all file accesses remain within the configured skill directories. - Symlinks are explicitly checked and rejected (`stat.isSymbolicLink()`) to prevent escape attacks. - File reads are limited by `MAX_FILE_SIZE` (default 1MB, configurable via `MAX_FILE_SIZE_MB` environment variable) to mitigate denial-of-service or memory exhaustion risks. - Directory recursion depth is limited (`MAX_DIRECTORY_DEPTH` = 10) to prevent deep traversal attacks. - Input validation for tool arguments is performed using Zod schemas. The server operates via `StdioServerTransport`, limiting direct external network exposure. Skills themselves are treated as trusted content; the primary risk would be if malicious content were *placed within* a trusted skill directory by an attacker with local access. Overall, well-secured for its intended purpose.

Updated: 2026-01-18GitHub→

Low Cost

Create-MCP

by AnnieBabs

Sec8

Generates Model Context Protocol (MCP) server projects through a command-line interface.

Setup Requirements

⚠️Requires Node.js version 18 or higher.
⚠️Requires a Node.js package manager (npm, yarn, pnpm, or bun).
⚠️Familiarity with the Model Context Protocol (MCP) is essential for developing with the generated server.

Verified SafeView Analysis

The tool utilizes `execSync` and `spawn` to run package manager commands, a common practice for CLI generators but one that carries inherent risks if not rigorously controlled. Robust input validation is applied to project and component names, effectively mitigating direct command injection vulnerabilities. No hardcoded secrets or overt malicious patterns were detected in the provided source code. The use of `shell: true` with `spawn` on Windows is noted, which is a standard but slightly higher-risk execution method compared to non-shell alternatives.

Updated: 2026-01-19GitHub→

Low Cost

domain-mcp

by joachimBrindeau

Sec9

AI-powered natural language domain management for Dynadot via Model Context Protocol (MCP) clients.

Setup Requirements

⚠️Requires a Dynadot API Key.
⚠️Requires Node.js version 18.0.0 or higher.
⚠️Dynadot's sandbox environment has limitations, such as not supporting `create_contact` operations, which means some functional tests may require using existing production contact IDs.
⚠️MCP client configurations may require specifying the absolute path to `dist/index.js` or using `npx` for execution.

Verified SafeView Analysis

API keys are sourced from environment variables, avoiding hardcoding. The core MCP server communicates via standard I/O (stdio), which is secure for local execution. Testing scripts include explicit warnings for destructive operations and recommend sandbox usage. An external `mcp-remote` bridge is noted for remote deployments, which would introduce additional network considerations.

Updated: 2026-01-16GitHub→

Low Cost

quarkus-ai-apps

by piomin

Sec8

Demonstrates integration of AI services with existing data and business logic using Quarkus LangChain4j and the Microservice Communication Protocol (MCP), enabling AI agents to interact with multiple data sources.

Setup Requirements

⚠️Requires PostgreSQL database.
⚠️Requires Java Development Kit (JDK 17+).
⚠️Involves running multiple independent Quarkus applications (two MCP servers and one client) concurrently to function as a complete system.

Verified SafeView Analysis

The project utilizes established frameworks (Quarkus, Panache ORM) which provide built-in security features like parameterized queries (preventing SQL injection). No use of 'eval' or similar dangerous functions is present. No hardcoded credentials or obvious malicious patterns are found in the provided code snippets. Network communication between MCP client and server implies typical microservice security considerations (authentication, authorization, encryption), which are outside the scope of the provided code.

Updated: 2025-11-24GitHub→

High Cost

vcon-mcp

by vcon-dev

Sec9

The vCon MCP Server stores, manages, and provides advanced search and AI/ML analysis capabilities for IETF vCon (Virtual Conversation) objects, supporting multi-tenancy and extensibility via plugins.

Setup Requirements

⚠️Requires a Supabase PostgreSQL instance for data storage, including setting up SUPABASE_URL and SUPABASE_SERVICE_ROLE_KEY.
⚠️Embedding generation (for semantic search) requires integration with a third-party AI service (OpenAI, Azure OpenAI, or Hugging Face) which may incur significant costs.
⚠️Optional Redis caching requires a REDIS_URL to be configured and a running Redis instance.
⚠️Optional S3 integration for media externalization and vCon syncing requires AWS credentials and an S3 bucket.

Verified SafeView Analysis

The server demonstrates strong security practices including reliance on environment variables for sensitive credentials (e.g., Supabase keys, API keys, AWS credentials), robust Row Level Security (RLS) for multi-tenant isolation, and parameterized database queries to prevent SQL injection. It also provides API key authentication for its REST API. Network exposure via HTTP is configurable with CORS and allowed hosts/origins. Deno Edge Functions also securely manage their environment variables.

Updated: 2026-01-19GitHub→

Medium Cost

DeepBoner

by The-Obstacle-Is-The-Way

Sec9

AI-powered deep research agent specializing in sexual health, synthesizing evidence from biomedical literature across multiple public databases.

Setup Requirements

⚠️At least one of OPENAI_API_KEY (for premium tier) or HF_TOKEN (for HuggingFace free tier) is required for AI functionality.
⚠️Requires Python 3.11 or higher.
⚠️HuggingFace free tier models larger than 30B parameters are unreliable and may lead to 500/401 errors, use Qwen/Qwen2.5-7B-Instruct or similar smaller models for stability.

Verified SafeView Analysis

The server's security practices appear robust for its function. It leverages Pydantic for strong input validation, mitigating common injection risks. External API calls (PubMed, ClinicalTrials.gov, etc.) are managed with HTTPX/requests, timeouts, and retry middleware. Docker deployments run as a non-root user (`appuser`), enhancing container security. There are no obvious hardcoded secrets in the provided source code, with API keys explicitly managed via environment variables and `.env` files. No usage of `eval` or similar dangerous functions was detected, and the code is clear and well-structured, not obfuscated. The MCP server exposes specific, well-defined tools, which is its intended functionality.

Updated: 2025-12-14GitHub→

High Cost

agentic-browser

by tashifkhan

Sec3

An adaptive, model-agnostic browser extension that enables AI agents to understand complex web content and perform interactive automation tasks like form filling, navigation, and data extraction.

Setup Requirements

⚠️Requires API keys for chosen LLM providers (e.g., Google, OpenAI, Anthropic) if not using a local Ollama instance.
⚠️Requires a running Python backend server for core AI logic and tool execution, in addition to the browser extension.
⚠️The Python backend needs `yt-dlp`, `faster-whisper`, `gitingest`, and `TavilySearch` (requiring `TAVILY_API_KEY`) for full functionality.
⚠️The extension frontend needs its `VITE_API_URL` configured to connect to the Python backend server.

Review RequiredView Analysis

The browser extension uses `new Function(action.script)` in its `EXECUTE_SCRIPT` handler (in `extension/entrypoints/background.ts`). This allows arbitrary JavaScript code, generated by the AI agent, to be executed directly within the context of any web page visited by the user. Given that the extension has `<all_urls>` host permissions, this presents a critical security vulnerability. A compromised or misaligned AI model could inject malicious scripts, leading to cross-site scripting (XSS), data exfiltration, or other severe attacks on any website the user is browsing. Additionally, sensitive credentials (like PyJIIT login information) are stored in browser local storage, which, while segregated by extension, is not as secure as dedicated secrets management and could be compromised if the browser profile is breached. A Google OAuth client ID is hardcoded, which is a minor issue as it's typically public, but still less flexible than configuration.

Updated: 2025-12-14GitHub→

Medium Cost

HelloMCP

by below

Sec9

A simple MCP server in Swift for prompt evaluation using Apple Foundation Models, serving as a reference for MCP tool development and demonstrating tool-augmented prompt evolution.

Setup Requirements

⚠️Requires macOS 15 (Sequoia) or later for compilation and execution.
⚠️Requires macOS 26.0 (a future version beyond Sequoia) for full `applechat` tool functionality and Apple Foundation Models, as explicitly checked in the code.
⚠️Requires Swift toolchain and Xcode developer tools for building.

Verified SafeView Analysis

The `evaluateExpression` function is a placeholder that currently returns a fixed string "42" and does not actually evaluate arbitrary expressions. If it were to be implemented with actual evaluation, it would pose a severe security risk (arbitrary code execution) and require robust input sanitization. The server primarily uses `StdioTransport`, which limits direct network exposure for the MCP protocol itself, relying on stdin/stdout for communication. No hardcoded secrets or malicious patterns observed. The code responsibly checks for macOS version and model availability before attempting to use Apple Foundation Models.

Updated: 2025-12-10GitHub→

Low Cost

mcp-server-llmling

by phil65

Sec3

mcp-server-llmling serves as a Machine Chat Protocol (MCP) server, providing a YAML-based system to configure and manage LLM applications, including resources, prompts, and tools.

Setup Requirements

⚠️Requires Python 3.13 or higher.
⚠️Dependency management relies on 'uv', requiring users to install 'uv' and use its commands (e.g., 'uvx').
⚠️The 'config injection server' for hot-reloading configurations enables remote code execution if activated and exposed to untrusted networks or users.

Verified SafeView Analysis

The server includes a 'config injection server' (FastAPI/WebSocket API) that, if enabled and exposed, allows for arbitrary code execution. This includes registering Python code as tools, importing functions from specified paths, and installing Python packages via pip. While disabled by default and restricted to 'stdio' transport by default, enabling this feature (e.g., via `--enable-injection`) requires extreme caution and robust access controls as it presents a severe Remote Code Execution (RCE) vulnerability. Additionally, example configurations may load external scripts from untrusted sources (e.g., Gist URLs), posing a supply chain risk if used.

Updated: 2025-11-25GitHub→

Medium Cost

mcp-remote-access

by RFingAdam

Sec6

Provides SSH and Serial port access for MCP-compatible AI clients to control remote devices like Raspberry Pi, embedded systems, and IoT devices.

Setup Requirements

⚠️Requires `uv` or `pip` for installation.
⚠️For serial port access on Linux, the user often needs to be part of the `dialout` group (e.g., `sudo usermod -a -G dialout $USER`).
⚠️Requires a compatible MCP client (e.g., Codex CLI, Claude Code) to interface with the server.

Verified SafeView Analysis

The server uses `paramiko.AutoAddPolicy()` for SSH connections. This automatically adds unknown host keys to `~/.ssh/known_hosts` without verification, making the client susceptible to Man-in-the-Middle (MITM) attacks on the first connection to a new host. For production or sensitive environments, manual host key verification or pre-populating `known_hosts` is recommended. SSH passwords are passed in memory only and not stored. The MCP server itself communicates via standard I/O and is not directly exposed to network connections.

Updated: 2026-01-17GitHub→

Low Cost

thought-chain-mcp

by cbuntingde

Sec9

Transforms any AI model into an advanced reasoning engine by providing structured, step-by-step thinking with persistent memory across sessions.

Setup Requirements

⚠️Requires Node.js version 20.0.0 or higher.
⚠️Requires configuration within an MCP-compatible AI assistant (e.g., Claude Desktop, Cursor, VS Code with MCP extensions).
⚠️The SQLite database is automatically created in the user's home directory (`~/.thought-chain-mcp/thoughts.db`) and requires write permissions.

Verified SafeView Analysis

The server demonstrates strong security practices: it communicates via standard I/O (stdio) with no direct network exposure, mitigating network attack vectors. All user inputs are rigorously validated against XSS, SQL injection, control characters, and path traversal patterns using explicit regex. Database operations exclusively use parameterized queries to prevent SQL injection. IDs are generated using cryptographically secure random bytes. Data storage is confined to a user's local directory with secure file permissions, and internal error messages are sanitized to prevent information leakage. A rate limiter is also implemented to prevent abuse. No 'eval' or obfuscation is present.

Updated: 2026-01-11GitHub→

High Cost

MCP-Client-Host-Java

by Explorerlowi

Sec4

An MCP (Model Context Protocol) client that acts as a server to the MCP host, managing connections to various external MCP servers (tools) and orchestrating tool discovery and execution for AI assistants.

Setup Requirements

⚠️Requires Docker and Docker Compose for simplified deployment, or Java 17+, Maven, Node.js, and MySQL for local component-based setup.
⚠️Requires LLM API keys (e.g., Qianwen, OpenAI) to be configured in `.env` or `application.yml` for `mcp-host` to interact with LLMs (when used with the full stack).
⚠️Initial startup of `mcp-client` might be slow due to `uvx`/`npx` downloading tool packages.
⚠️The `mcp-client-1.0.0.jar` file must be manually built and copied into the `mcp-client-simple` directory before deployment.

Review RequiredView Analysis

1. Arbitrary Command Execution (Critical): The `MCPStdioClient` executes arbitrary shell commands (`spec.getCommand()`, `spec.getArgs()`) configured for an MCP Server. If a malicious server configuration is registered (e.g., via the exposed `/api/mcp/servers` endpoint), it can lead to remote code execution on the `mcp-client` host. This is a severe vulnerability. 2. Plaintext gRPC Communication (High): The `GrpcClientConfig` uses `usePlaintext()` for gRPC communication between `mcp-host` and `mcp-client`. While noted for development, this is a significant security risk in production as it exposes sensitive data and is vulnerable to Man-in-the-Middle attacks. 3. Sensitive Information Exposure (Medium): Environment variables for API keys (e.g., `TAVILY_API_KEY`) can be passed to container environments for tool execution. While standard for Docker, these should be carefully managed (e.g., using Docker Secrets) and the `.env` file secured, especially given the arbitrary command execution risk.

Updated: 2025-11-28GitHub→

PreviousPage 141 of 713Next