Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

34
3
Medium Cost
ssdeanx icon
Sec7

Providing agents with access to external execution environments (local filesystem) and AI models (Hugging Face) via the Model Context Protocol, enabling them to perform research tasks involving file operations and diverse AI capabilities.

Setup Requirements

  • ⚠️Requires HUGGING_FACE_TOKEN environment variable, likely for a paid service.
  • ⚠️Requires Node.js and npm for the 'filesystem' MCP server to execute via npx.
  • ⚠️Grants filesystem access to the user's 'Desktop' directory, which has security implications for data access and modification by the AI agent.
Verified SafeView Analysis
The 'filesystem' MCP server executes 'npx -y @modelcontextprotocol/server-filesystem' which can be risky if the external package or its dependencies are compromised, as '-y' bypasses confirmation. It also grants filesystem access to the user's 'Desktop' directory, which is a sensitive area. The 'hf-mcp-server' uses a Hugging Face API token via an environment variable (HUGGING_FACE_TOKEN), which is good practice for secret management, but depends on the security of the token and the remote service.
Updated: 2026-01-19GitHub
33
4
Medium Cost
plainly-videos icon

mcp-server

by plainly-videos

Sec9

This MCP server enables LLM clients to browse Plainly designs and projects, retrieve details, and submit video rendering jobs via the Plainly API.

Setup Requirements

  • ⚠️Requires Node.js 18 or higher.
  • ⚠️Requires a Plainly API Key (from a Plainly Account).
Verified SafeView Analysis
The server handles API keys securely via environment variables and validates their presence. It uses standard HTTP libraries (axios) with appropriate error handling and user-agent identification. User-provided parameters for rendering are passed to the Plainly API; the server's role is to correctly forward these inputs, relying on the Plainly API for deep validation and safe processing. No 'eval', obfuscation, or hardcoded secrets were found.
Updated: 2026-01-08GitHub
33
3
Medium Cost
PanseBossuSmecheru icon

notes-mcp

by PanseBossuSmecheru

Sec2

Connects Apple Notes on macOS to an MCP server, enabling seamless access and synchronization across various platforms.

Setup Requirements

  • ⚠️Requires macOS 10.15 or later.
  • ⚠️Requires Apple Notes app installed.
  • ⚠️Requires Node.js installed.
Review RequiredView Analysis
The server's `executeOSAScript` function directly embeds user-controlled input (e.g., note names, bodies, folder IDs) into a shell command via `osascript`. Although there are attempts to escape double quotes and newlines, this method is highly susceptible to command injection. An attacker who can influence the content of notes or folder IDs could potentially execute arbitrary commands on the macOS system running the server, leading to critical system compromise. This represents a severe security vulnerability.
Updated: 2026-01-19GitHub
33
134
Medium Cost
ivnvxd icon
Sec8

Enables AI assistants to interact with Odoo ERP systems, providing natural language access to business data for searching, creating, updating, and deleting records.

Setup Requirements

  • ⚠️Requires an accessible Odoo ERP instance (version 17.0+).
  • ⚠️For production use, the Odoo MCP module must be installed on your Odoo server.
  • ⚠️Authentication requires either an Odoo API key or an Odoo username/password.
Verified SafeView Analysis
The server implements strong security practices including explicit warnings and logging for 'YOLO mode' (a dangerous development-only feature that bypasses security checks), comprehensive error sanitization to prevent information leakage, and reliance on Odoo's native MCP module for production-grade access control. Authentication is handled via API keys or username/password through environment variables. The primary security risk is the misuse of 'YOLO mode' in production, which is explicitly warned against in the documentation and code. The 'streamable-http' transport also requires careful securing (e.g., HTTPS, network ACLs) if exposed remotely.
Updated: 2025-12-15GitHub
33
1
Medium Cost
hwandam77 icon

aegis-ai

by hwandam77

Sec3

Orchestrates multiple AI models (Codex, Qwen, Gemini) via JSON-RPC 2.0 based Model Context Protocol (MCP), focusing on a Test-Driven Development (TDD) workflow.

Setup Requirements

  • ⚠️Requires Node.js >=20.0.0
  • ⚠️Requires external AI CLI tools ('codex', 'qwen', 'gemini') to be installed and configured in the system's PATH. These CLI tools likely require their own API keys or authentication.
  • ⚠️Shell injection risk: User-supplied prompts are executed via `child_process.spawn({ shell: true })` without explicit sanitization.
Review RequiredView Analysis
The AI service wrappers (CodexService, QwenService, GeminiService) execute external CLI commands using `child_process.spawn` with `shell: true`. The `prompt` parameter, which can originate from external JSON-RPC requests, is directly passed as an argument within this shell command. This creates a significant shell injection vulnerability if input validation/sanitization is not rigorously applied to the `prompt` string before execution. There is no explicit sanitization shown in the provided code.
Updated: 2025-11-23GitHub
33
3
Medium Cost
getjotsu icon

jotsu-mcp

by getjotsu

Sec3

General-purpose library for implementing the Model Context Protocol (MCP) and creating workflows that use MCP tools, resources, and prompts.

Setup Requirements

  • ⚠️Requires Python 3.12+.
  • ⚠️If using model-specific nodes (e.g., OpenAI, Anthropic, Cloudflare), requires corresponding API keys/tokens (e.g., OPENAI_API_KEY, CLOUDFLARE_ACCOUNT_ID).
  • ⚠️Local OAuth authentication requires a local HTTP server on port 8001, which needs to be available and accessible by the browser.
  • ⚠️The designated entry point for running the `WorkflowEngine` as an MCP server (`jotsu/mcp/workflow/__main__.py`) contains an import error (`from .server import WorkflowEngine` should be `from .engine import WorkflowEngine`) which would prevent it from running as-is.
Review RequiredView Analysis
The system allows execution of user-defined Python functions (via `asteval`) and JavaScript (via `quickjs`) within workflow nodes (`WorkflowFunctionNode`, `WorkflowScriptNode`). While `asteval` is 'mostly sandboxed', its documentation explicitly states it is 'not suitable for evaluating untrusted input.' `quickjs` offers a full JavaScript runtime. If untrusted users can define or modify workflows, this presents a significant risk of arbitrary code execution. Additionally, network calls (e.g., to MCP servers, OAuth endpoints) use `httpx`, and local OAuth flow involves `webbrowser.open` to external URLs, which could pose a phishing risk if the target URLs are compromised or malicious.
Updated: 2026-01-14GitHub
33
2
High Cost
tjfontaine icon

agent-in-a-browser

by tjfontaine

Sec7

An in-browser, self-contained AI agent environment powered by WebAssembly (WASM) and WASI. It provides a full shell with development tools (TypeScript, Git, SQLite), a virtual file system (OPFS), and an agent layer for writing and executing code locally in a sandbox. The @tjfontaine/wasm-sqlite package specifically enables SQLite database operations within this browser sandbox.

Setup Requirements

  • ⚠️Requires Node.js/pnpm and Rust/cargo-component for local development and building the WASM modules.
  • ⚠️Full functionality, especially synchronous I/O, relies on browser-specific Cross-Origin Isolation headers (COOP/COEP), which might require specific server configurations for non-local deployments.
  • ⚠️API keys for external LLM providers (Anthropic, OpenAI, Gemini) are required to utilize AI agent capabilities with these services.
Verified SafeView Analysis
The core functionality involves executing dynamic code (TypeScript/JavaScript) within a WASI sandbox in the browser, which is inherently high-risk if not properly isolated. The project mitigates this by leveraging browser-native security features: - **WASI Sandbox**: Provides a confined environment for code execution, aiming to prevent access to the host system. - **Origin Private File System (OPFS)**: Used for persistent storage, offering a sandboxed and isolated filesystem. - **Cross-Origin Isolation Headers**: `Cross-Origin-Opener-Policy` and `Cross-Origin-Embedder-Policy` are enforced via the `worker/index.js` to enable `SharedArrayBuffer` for synchronous WASM I/O, which is crucial for strong isolation in various browser environments. - **CORS Proxy Allowlist**: The `/cors-proxy` endpoint in `worker/index.js` explicitly whitelists domains like `api.githubcopilot.com`, `generativelanguage.googleapis.com`, `mcp.stripe.com`, and `github.com`. This helps control outbound requests originating from the main browser context. - **WASI HTTP Client**: WASM modules can make HTTP requests using the `wasi:http` API. While the `curl` command and LLM integrations use this, it means the WASM sandbox itself has network access, which could be a vector for data exfiltration if a malicious agent were to compromise the runtime. However, for an agent to function, such access is often necessary. - **Localhost MCP Bridge**: The `tools/mcp-bridge` provides a local WebSocket and HTTP server for integration with local tools like Claude Code. This is limited to `localhost` and is generally considered safe. Overall, significant effort has been made to secure a high-risk operation within browser sandboxing mechanisms. The residual risks are largely inherent to the nature of running arbitrary code, even within a carefully designed sandbox.
Updated: 2026-01-19GitHub
33
1
High Cost
WayBob icon
Sec8

An AI agent system integrating local/remote Qwen 2.5 LLM and DeepSeek OCR as an MCP server for multimodal tasks.

Setup Requirements

  • ⚠️Requires two separate GPU-enabled devices (or powerful separate processes on one device) for the main LLM (Qwen 2.5 vLLM) and DeepSeek OCR (vLLM + MCP server).
  • ⚠️Requires manual setup and configuration of two vLLM servers and one MCP server.
  • ⚠️Configuration files (models_config.json, mcp_config.json) must be updated with correct IP addresses and ports.
  • ⚠️Python 3.12+ is required.
  • ⚠️For HEIC image support, the `pillow-heif` library must be installed.
Verified SafeView Analysis
API keys are loaded from environment variables (e.g., .env file), which is good practice. The system involves multiple networked components (vLLM servers, MCP server, client) which should be secured with appropriate firewall rules. The 'process_local_image_for_ocr' tool takes a local file path which, if supplied by a malicious LLM prompt, could potentially lead to attempts to open arbitrary local files. However, the `Image.open` function used for processing is robust and primarily designed for image files, mitigating the risk of arbitrary code execution or significant information disclosure for non-image files. The configuration of MCP server launch commands in 'mcp_config.json' could pose a risk if not controlled by a trusted administrator, but this is a deployment-time configuration risk.
Updated: 2025-11-22GitHub
33
3
Medium Cost
tom832 icon
Sec7

Provides a unified API for chemical informatics, including chemical name/SMILES conversion and molecule structure processing, for integration into chemical drawing tools or automation pipelines.

Setup Requirements

  • ⚠️Requires a licensed installation of ChemScript/ChemDraw software, which is a proprietary dependency not covered by `uv sync` and is explicitly stated as for 'learning and academic reference only, and must not be used for any commercial purpose' in the repository's disclaimer.
  • ⚠️Strict Python 3.10 requirement.
  • ⚠️Authentication (API_KEY) and API documentation access (DOCS_ACCESS_TOKEN) are bypassed if default values in the `.env` file are not changed.
Verified SafeView Analysis
Relies on the proprietary `ChemScript` library, whose internal security is not transparent and could pose risks with maliciously crafted input. Default values for `API_KEY` and `DOCS_ACCESS_TOKEN` in the `.env` file will bypass authentication if not explicitly changed by the user, creating a security oversight risk during deployment. Open CORS (`allow_origins=['*']`) is configured, which might need to be restricted for specific deployments. Uses `pickle.dumps` for serialization of RDKit objects in responses, which is safe; however, deserialization (`pickle.loads`) of untrusted input is inherently unsafe, and if introduced in new server-side endpoints, it would be a critical vulnerability.
Updated: 2026-01-16GitHub
33
2
Low Cost
yigitkonur icon
Sec8

Provides auto-updating JSON schemas for n8n nodes and workflows, primarily for use by MCP servers and AI agents generating n8n workflows.

Setup Requirements

  • ⚠️Requires Node.js version 18.0.0 or higher.
  • ⚠️Requires TypeScript for compilation (handled via `npx tsc` in scripts).
  • ⚠️Dependent on `n8n-nodes-base` and `n8n-workflow` packages for schema extraction, leading to a substantial number of transitive dependencies and a larger installation footprint.
Verified SafeView Analysis
The server exposes an HTTP API that processes JSON input for validation. It reads and writes local files to manage schemas. While no direct `eval` or arbitrary code execution from user input is apparent, any network-exposed service processing external data has inherent risks. The validation logic is custom-built, reducing reliance on third-party validation libraries that might have broader attack surfaces. Hardcoded secrets are not visible in the provided code, and environment variables are used for configuration. Overall, it appears responsibly built for its intended purpose as a local or internal tooling API.
Updated: 2026-01-16GitHub
33
2
High Cost
MagnetonIO icon

contextfs

by MagnetonIO

Sec8

Provides a universal, persistent, and searchable memory layer for AI agents and developer tools, enabling cross-repository context management, semantic search, session tracking, and structured knowledge recall.

Setup Requirements

  • ⚠️Requires Python 3.9+ (implied by pydantic, dataclasses.dataclass)
  • ⚠️External LLM API keys (Anthropic or OpenAI) are required for agent features.
  • ⚠️Optional dependencies like `jsonschema`, `pyyaml`, `tomllib`, `falkordb`, `psycopg`, `chromadb`, `sentence-transformers`, `fastembed` may need to be installed based on configured backend and features.
  • ⚠️MCP Server (`contextfs server`) must be running in the background for plugin integrations.
Verified SafeView Analysis
The server correctly uses environment variables for sensitive API keys (Stripe, LLMs) and implements webhook signature verification for billing. Subprocess calls for Git operations and ChromaDB auto-start are generally well-scoped. The agent framework's ability to execute arbitrary tools introduces a configurable risk, requiring users to carefully review and manage the tools an agent can access. Client-side encryption is available for sync features.
Updated: 2026-01-19GitHub
33
2
Low Cost
ProfRandom92 icon

comptext-mcp-server

by ProfRandom92

Sec9

Provides token-efficient access to Domain-Specific Language (DSL) documentation stored in Notion for LLM interactions.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️Requires a Notion API Token and optionally a CompText Database ID to function with Notion.
  • ⚠️On Render.com's free tier, the server may experience cold starts (~30 seconds) after 15 minutes of inactivity.
Verified SafeView Analysis
The project is highly security-conscious, implementing input validation and sanitization, rate limiting, and robust error handling with retry logic. It runs Docker containers as non-root users and passes Bandit and CodeQL scans with no issues. The `SECURITY.md` clearly documents known limitations, specifically that the public REST API has no authentication by default and that CORS is wide open, recommending user-added authentication and restricted CORS for production deployments. Potential cache timing attacks are also noted. Adhering to the documented best practices is crucial for secure deployment.
Updated: 2026-01-16GitHub
PreviousPage 151 of 713Next