Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

overseerr-mcp
by jhomen368
34 | 3 | Medium Cost | Sec9

Provides AI assistants with direct integration to Overseerr for automated media discovery, requests, and management within a Plex ecosystem.

Setup Requirements

  • ⚠️ Requires a running Overseerr instance (self-hosted or managed).
  • ⚠️ Requires Node.js 18.0 or higher.
  • ⚠️ Mandatory environment variables: OVERSEERR_URL and OVERSEERR_API_KEY must be configured.

Verified Safe
The project demonstrates a very strong security posture. It uses environment variables for sensitive data (API keys) and implements robust input validation for both the Overseerr URL and API key format. Automated security scanning (Dependabot, CodeQL, Trivy) is integrated into the CI/CD pipeline, and Docker images are hardened (non-root user, multi-stage builds, Alpine base, dumb-init). No 'eval' or other obviously dangerous patterns were found in the provided source code. Error handling for API calls is structured.

Updated: 2026-01-14 | GitHub

34 | 4 | Low Cost

Serves as a Model Context Protocol (MCP) gateway, enabling generative AI applications to interact with backend systems like Apache OFBiz through dynamically loaded tools and RESTful APIs.

Setup Requirements

  • ⚠️ Requires an Apache OFBiz instance (or similar REST API backend) with the `rest-api` plugin installed.
  • ⚠️ Sensitive configuration details and access tokens are stored directly in `config.json` by default, which is not ideal for production secret management.
  • ⚠️ Requires Node.js and npm for building and running the server.

Review Required
The server dynamically loads tools from a configurable `toolsFolderPath` using `await import(toolPath)`, which poses a significant Remote Code Execution (RCE) risk if an attacker can write to this directory or if the folder is not strictly controlled. The default CORS origin in `config.json` is set to `*`, which should be restricted for production. Sensitive tokens and client secrets (`BACKEND_ACCESS_TOKEN`, `MCP_SERVER_CLIENT_ID`, `MCP_SERVER_CLIENT_SECRET`) are stored in `config.json` (as updated by `update_token.sh`), which is less secure than using environment variables or a dedicated secrets manager. Additionally, the `openid-client` library uses `allowInsecureRequests` for discovery, which could introduce a risk if the configured authorization server URL is not HTTPS.

Updated: 2026-01-19 | GitHub

34 | 4 | Medium Cost

An AI-powered platform for Bible study and translation assistance, leveraging a multi-agent system to aggregate and query diverse translation resources via a Model Context Protocol (MCP) server.

Setup Requirements

  • ⚠️ Requires Cloudflare Workers AI, KV Namespace, and R2 Bucket bindings to be configured in the Cloudflare environment.
  • ⚠️ Requires a Cloudflare AI Search index (`translation-helps-search`) to be provisioned and populated, typically by a dedicated Indexer Worker.
  • ⚠️ Designed for deployment on Cloudflare Pages/Workers; local setup for full production-like functionality, including AI and storage bindings, is complex.

Verified Safe
The codebase demonstrates strong security practices including extensive input validation (Zod, `parseParams`), environment variable usage for secrets, circuit breakers and timeouts for external API calls, and consistent error handling. Cross-Origin Resource Sharing (CORS) is broadly enabled (`Access-Control-Allow-Origin: '*'`), which is a design choice suitable for public APIs but requires careful consideration in restricted contexts. No 'eval' or obvious obfuscation detected.

Updated: 2025-12-13 | GitHub

sailor
by aj-geddes
34 | 4 | Medium Cost | Sec8

AI-powered generation, validation, rendering, and manipulation of Mermaid diagrams for documentation, design, and analysis tasks.

Setup Requirements

  • ⚠️ Requires Docker Desktop for local setup and Claude Desktop integration (for building and running Docker images).
  • ⚠️ Requires an OpenAI or Anthropic API key for AI-powered diagram generation features (these are paid services).
  • ⚠️ Manual configuration of `claude_desktop_config.json` is necessary for Claude Desktop integration.
  • ⚠️ The `SECRET_KEY` environment variable for Flask must be set to a secure, random value in production; the server will raise an error if the default is used.

Verified Safe
The project demonstrates strong security awareness: explicit SECRET_KEY validation for production, dynamic CORS configuration, `flask_limiter` for API rate limiting, `flask_talisman` for security headers, input sanitization of Mermaid code, and filtering of sensitive data (API keys) in Sentry logs. Docker containers run as non-root users with resource limits and read-only mounts. Chromium's `--no-sandbox` flag (passed through Playwright) is noted; it disables the browser's own process sandbox, which is common practice for headless browsers inside well-isolated containers, but it means the container boundary is then the only isolation between rendered diagram content and the host.

Updated: 2025-12-07 | GitHub

photons
by portel-dev
34 | 3 | Low Cost | Sec9

A comprehensive demonstration MCP server showcasing various functionalities of the Photon runtime, including basic data handling, streaming responses, progress reporting, in-memory state management, and interactive UI elements. It serves as a reference for developers building new photons.

Setup Requirements

  • ⚠️ Requires Photon CLI to be installed globally (npm install -g @portel/photon) to run by name, or locally to run by file path.

Verified Safe
The kitchen-sink photon itself is designed as a demonstration and does not directly expose significant security vulnerabilities such as 'eval' or direct filesystem access. It uses the @portel/photon-core library for the io.emit functions and PhotonMCP inheritance, so its execution environment is whatever the 'photon' CLI runtime provides rather than anything this photon sets up itself. Constructor parameters are placeholders or defaults intended to be overridden, and no network calls are initiated directly by this specific photon. It is considered safe for its intended purpose as a learning and demonstration tool.

Updated: 2026-01-12 | GitHub

code-sage
by faxioman
34 | 3 | Low Cost | Sec9

A high-performance MCP server for semantic code search, analyzing codebases using AST-based chunking and providing hybrid keyword and vector embeddings search capabilities for AI clients.

Setup Requirements

  • ⚠️ Requires Rust 1.70+ to build.
  • ⚠️ If using the 'builtin' embedding provider, a 79MB model (nomic-embed-text-v1.5) will be downloaded on first use.
  • ⚠️ Using the OpenAI embedding provider requires an 'OPENAI_API_KEY' and incurs usage costs.
  • ⚠️ Using the Ollama embedding provider requires a local Ollama server running and the specified model pulled.
  • ⚠️ GPU acceleration ('metal' or 'cuda' features) requires platform-specific builds.

Verified Safe
The project uses standard and well-audited libraries for networking (reqwest), file system access (tokio::fs, ignore), and hashing (sha2, md5; md5 should only be relied on for non-security fingerprinting, never for integrity). Environment variables are used for sensitive information like API keys, preventing hardcoding. Input path validation is present. Regex patterns for ignore files are escaped to prevent injection. The llama.cpp backend explicitly suppresses the library's log output so that it cannot interfere with the structured output stream, a good practice wherever stdout carries protocol messages. No obvious `eval` or dynamic code execution from user input was found.

Updated: 2026-01-19 | GitHub

mcp-servers
by dunialabs
34 | 3 | Medium Cost | Sec9

Integrates Notion with Model Context Protocol to manage pages, databases, blocks, comments, and search functionality for Notion workspaces.

Setup Requirements

  • ⚠️ Requires a Notion Internal Integration Token or OAuth Access Token with appropriate permissions.
  • ⚠️ Notion pages/databases must be explicitly shared with the integration for the server to access them.
  • ⚠️ Requires a Node.js (>=18.0.0) or Docker runtime environment.

Verified Safe
Uses environment variables for the Notion API token, which is a good practice for sensitive credentials. Input validation is implemented using Zod schemas, ensuring parameters conform to expected types and constraints. The server interacts with the official Notion API over HTTPS. No direct use of `eval` or other dynamic code execution methods was found. Comprehensive error handling is in place to prevent sensitive information leakage. All logs are directed to stderr to avoid interfering with the MCP protocol on stdout.

Updated: 2026-01-15 | GitHub

justoneapi-mcp
by justoneapi
34 | 2 | High Cost | Sec8

MCP server to expose JustOneAPI's Chinese social media and news search capabilities to AI assistants, returning raw upstream JSON responses.

Setup Requirements

  • ⚠️ Requires a paid JustOneAPI token for full functionality.
  • ⚠️ Requires Node.js >= 18.0.0.
  • ⚠️ Manual configuration of the MCP client (e.g., Claude Desktop JSON config file) is necessary.

Verified Safe
The server passes the `JUSTONEAPI_TOKEN` as a query parameter, which is less secure than header-based authentication as it can be logged by proxies or web servers. However, the code explicitly encodes the token, masks it in debug logs, and validates its presence. No `eval` or obvious malicious patterns were found in the provided source code.

Updated: 2026-01-19 | GitHub
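The query-string token concern in the card above, as an added example that is not the justoneapi-mcp code: the same upstream request built both ways, and redaction helpers for URLs and headers before they reach a debug log. The function names, the `token` parameter name, the `api.example.com` host and the constructed `sk_live_...` value are assumptions; nothing here is taken from the project.

```javascript
// Added example, not the justoneapi-mcp code: the same request built with the token in the
// query string (what the analysis flags) and with a bearer header, plus redaction helpers
// for anything that gets logged. Function names and the parameter names are assumptions.
const TOKEN_PARAMS = new Set(['token', 'api_key', 'apikey', 'access_token', 'key']);

function maskToken(token) {
  if (typeof token !== 'string' || token.length < 8) return '***';
  return `${token.slice(0, 4)}***`; // enough to tell keys apart, never enough to reuse
}

function withParams(baseUrl, params) {
  const url = new URL(baseUrl);
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, String(v));
  return url;
}

// Query-string auth: the secret becomes part of the URL, so every proxy, CDN and web
// server access log on the path records it, and it survives in URL history and referrers.
function buildQueryAuthRequest(baseUrl, token, params = {}) {
  const url = withParams(baseUrl, params);
  url.searchParams.set('token', token); // URLSearchParams percent-encodes the value
  return { url: url.toString(), headers: {} };
}

// Header auth: access logs record the request line, not headers, so the token stays out
// of them unless someone deliberately logs Authorization.
function buildHeaderAuthRequest(baseUrl, token, params = {}) {
  const url = withParams(baseUrl, params);
  return { url: url.toString(), headers: { Authorization: `Bearer ${token}` } };
}

// Redact known token parameters before a URL is written to a debug log.
function redactUrlForLog(urlString) {
  const url = new URL(urlString);
  for (const name of [...url.searchParams.keys()]) {
    if (TOKEN_PARAMS.has(name.toLowerCase())) {
      url.searchParams.set(name, maskToken(url.searchParams.get(name)));
    }
  }
  return url.toString();
}

// Redact the Authorization header the same way so a whole request object can be logged.
function redactHeadersForLog(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = /^authorization$/i.test(name) ? value.replace(/\S+$/, (t) => maskToken(t)) : value;
  }
  return out;
}

module.exports = { maskToken, buildQueryAuthRequest, buildHeaderAuthRequest, redactUrlForLog, redactHeadersForLog };
```

Whether the header form is usable depends on what the upstream API accepts; where only query-string auth is offered, the redaction step is the part a server author controls.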

dewy-resort
by workato-devs
34 | 3 | High Cost | Sec8

A comprehensive hotel management system integrating with external services (Salesforce, Stripe, Twilio, Home Assistant) and an AI conversational agent (AWS Bedrock) for managing bookings, guest services, maintenance, and billing.

Setup Requirements

  • ⚠️ Requires a Workato account and the Workato CLI for deployment and management of integration recipes.
  • ⚠️ Requires an AWS account with configured Cognito User Pool, Identity Pool, and access to AWS Bedrock models for AI conversational features and authentication.
  • ⚠️ Requires Salesforce and Stripe accounts with API credentials for core CRM and payment processing functionalities.
  • ⚠️ Relies on numerous environment variables for configuring all integrated services and features (Workato, Salesforce, Stripe, AWS, Okta, Home Assistant, Twilio, database settings).
  • ⚠️ Requires local SQLite database initialization via a setup script.

Verified Safe
The project uses environment variables for sensitive data (API keys, tokens) rather than hardcoding. Authentication is delegated to external providers (Okta/Cognito). Extensive use of JSON parsing for configurations and inter-process communication is noted, which is safe when data sources are controlled. A configurable 'DISABLE_SSL_VERIFICATION' flag exists for fetch utilities; if enabled in production, it poses a significant man-in-the-middle attack risk. Default manager credentials are hardcoded in `hotel-db-server.ts` if not overridden by environment variables, which is acceptable for development but a concern for production.

Updated: 2026-01-19 | GitHub

csla-mcp
by MarimerLLC
34 | 4 | Low Cost | Sec9

Provides a knowledge base and semantic search capabilities for AI coding assistants to generate .NET C# applications using the CSLA .NET framework.

Setup Requirements

  • ⚠️ Requires Azure OpenAI API Key and Endpoint (paid service).
  • ⚠️ Requires a deployed Azure OpenAI embedding model (e.g., `text-embedding-3-large`) in your Azure OpenAI resource.
  • ⚠️ Docker is required to build and run the server image locally.

Verified Safe
The server emphasizes security best practices by utilizing environment variables for sensitive Azure OpenAI API keys, explicitly warning against insecure client-side identity flow (`FlowSecurityPrincipalFromClient = true`), and implementing robust checks to block path traversal attacks in file access operations for the `Fetch` tool. The Docker build process uses `set -euo pipefail` for shell script robustness. No 'eval' or other highly dynamic code execution without clear justification is apparent in the provided source.

Updated: 2026-01-18 | GitHub

Varon-AI
by 201Harsh
34 | 3 | High Cost | Sec8

A multi-agent AI system designed to coordinate specialized AI tools for complex real-world task execution and automation, including coding, research, scraping, and content generation.

Setup Requirements

  • ⚠️ Requires Google Gemini API Keys (VARON_AI_API_KEY, VARON_AI_TEAM_API_KEY), which are usage-based.
  • ⚠️ Requires a MongoDB instance for data storage.
  • ⚠️ Requires a SerpAPI Key for web search capabilities (used by HydraSearch and ViperCart).
  • ⚠️ Requires SMTP credentials (SMTP_USER, SMTP_PASSWORD) for email verification during user registration.
  • ⚠️ Requires Google OAuth Client ID and Secret for the 'Continue with Google' authentication feature.

Verified Safe
The application demonstrates several good security practices, including the use of environment variables for sensitive API keys (Gemini, JWT secret, Google OAuth), secure password hashing with bcrypt, and JWTs for session management carried in cookies configured with the `httpOnly`, `secure`, and `samesite: none` flags (`samesite: none` is only honoured together with `secure`, and it means the cookie is also sent on cross-site requests, so the endpoints that rely on it need their own CSRF protection). Rate limiting is applied to authentication endpoints to mitigate brute-force attacks, and `express-validator` provides basic input validation. The tool execution mechanism via `@modelcontextprotocol/sdk` relies on a predefined set of tools with structured parameters, minimizing the risk of arbitrary code execution. A minor concern is the hardcoded sender email address (`endgamingai2@gmail.com`) for nodemailer within `server/controllers/user.controller.js`, which ideally should be configured via an environment variable.

Updated: 2026-01-10 | GitHub

logicmonitor-mcp-server
by monitoringartist
34 | 3 | High Cost | Sec9

Enables AI assistants to interact with a LogicMonitor monitoring tool.

Setup Requirements

  • ⚠️ Requires the LogicMonitor company name (LM_COMPANY) and an API Bearer Token (LM_BEARER_TOKEN) to be set as environment variables for LogicMonitor API access.
  • ⚠️ For the network transports (SSE/HTTP), unauthenticated access is allowed by default unless OAuth or a static MCP Bearer Token is configured.
  • ⚠️ Requires Node.js 18+ and a build step (`npm run build`) if not using npx or Docker images.

Verified Safe
Comprehensive input sanitization (against XSS and SQL-injection patterns in filter and name parameters), sensitive data redaction in logs, robust JWT validation with audience binding, and CSRF protection are implemented. Explicit warnings are provided for production secret management. CORS defaults to allowing all origins if `ALLOWED_ORIGINS` is not configured, which needs careful production setup.

Updated: 2026-01-19 | GitHub
Page 143 of 713