Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

Vetted Servers (8554)

33
1
Medium Cost

mcp-trino

by txn2

Sec9

A Model Context Protocol (MCP) server for Trino, enabling AI assistants to query and explore data warehouses with optional semantic context from metadata catalogs.

Setup Requirements

  • ⚠️ Requires a running Trino server for data access.
  • ⚠️ Requires Go 1.23+ for local development or building from source.
  • ⚠️ Requires DataHub endpoint and token if the DataHub semantic metadata provider is used.
  • ⚠️ Requires a semantic configuration file (YAML/JSON) if the static semantic metadata provider is used.

Verified Safe
The server implements strong security defaults including a read-only mode (blocking DML/DDL operations), query row limits, and timeouts. SQL identifiers are properly quoted, mitigating basic SQL injection risks for schema exploration tools. For direct SQL execution tools (`trino_query`, `trino_explain`), the system relies on configurable query interceptors (the `ReadOnlyInterceptor` is enabled by default) for deeper validation. Releases are secured with SLSA Level 3 provenance and Cosign signatures, enhancing supply chain security. SSL verification is enabled by default for remote Trino connections. The primary remaining risks would involve crafting highly resource-intensive SELECT queries (mitigated by timeouts) or intentionally disabling/misconfiguring core security extensions.
Updated: 2026-01-17
33
1
Low Cost

priority-forge

by Unobtainiumrock

Sec7

An AI-powered task prioritization server that learns from user decisions to organize cross-project tasks for AI coding assistants.

Setup Requirements

  • ⚠️ Requires Node.js v18+ and npm to be installed.
  • ⚠️ Not natively supported on Windows; requires WSL (Windows Subsystem for Linux).
  • ⚠️ Requires restarting the connected AI tool (Cursor, Droid, Claude Code) after initial MCP configuration for changes to take effect.

Verified Safe
CORS is configured to allow '*' (any origin), which is generally insecure for publicly exposed applications but common for local development. Data is stored in plain JSON files on the local filesystem, which might be a concern for highly sensitive data or multi-user environments without proper filesystem permissions. Input validation is present in routes and MCP tool handlers for required fields and enum values, but extensive sanitization against injection attacks (e.g., in notes fields) is not explicitly implemented. Given its local, single-user context, these risks are mitigated for its intended use.
Updated: 2026-01-16
33
2
Medium Cost

mcp-server

by zero-to-prod

Sec4

A PHP 8.4 MCP (Model Context Protocol) server designed to expose custom PHP methods as AI tools and resources, facilitating AI agent interaction with data storage systems like Redis, MongoDB, and Memgraph.

Setup Requirements

  • ⚠️ Requires Docker and Docker Compose for setup and execution.
  • ⚠️ Requires an external MCP client (e.g., Claude Desktop, Claude Code CLI) to interact with the server.
  • ⚠️ The `memgraph_relationship_create` tool has a critical Cypher injection vulnerability.
  • ⚠️ Server-side pagination is disabled by default (`setPaginationLimit(PHP_INT_MAX)`), meaning tools like `redis_get` or `mongodb.document.find` can return very large datasets, potentially leading to high token costs or client overload if not managed by the AI agent.

Review Required
The `memgraph_relationship_create` tool is vulnerable to Cypher injection because it directly embeds user-provided string parameters (`$from`, `$to`) into the Cypher query's WHERE clause without proper sanitization or parameterization, allowing malicious input to execute arbitrary Cypher code. The `redis_command` tool allows direct execution of any raw Redis command, including destructive operations (e.g., DEL, FLUSHDB) or data exfiltration (e.g., KEYS); this is explicitly warned about but still presents a high-risk surface if exposed to untrusted input.
Updated: 2026-01-16
33
2
Low Cost

jimeng-mcp-server

by wwwzhouhui

Sec7

An MCP server to provide Claude and other LLMs with image and video generation capabilities via the JiMeng AI service's reverse-engineered API.

Setup Requirements

  • ⚠️ Requires Python 3.10 or higher.
  • ⚠️ Requires manual deployment of the `jimeng-free-api-all` service as a prerequisite.
  • ⚠️ Requires obtaining a `sessionid` from the JiMeng AI website's browser cookies, which can expire.

Verified Safe
The server's source code itself does not contain obvious direct vulnerabilities like `eval` or hardcoded sensitive credentials within the Python files. It uses environment variables for `JIMENG_API_KEY` and `JIMENG_API_URL`, which is good practice. However, the project's core functionality relies on `jimeng-free-api-all`, a reverse-engineered API for JiMeng AI. This inherently introduces several security considerations: (1) The `JIMENG_API_KEY` is a browser `sessionid`, which is less secure than a dedicated API key and can expire or be subject to session hijacking if not properly protected. (2) Reliance on an unofficial, reverse-engineered API means potential instability, lack of security patches, and unpredictable behavior if the upstream official service changes. (3) The project explicitly states it is for 'personal learning and research use' and 'prohibits commercial use' due to its reverse-engineered nature.
Updated: 2025-12-14
33
3
High Cost

charm-mcp-server

by CharmHealth

Sec9

The CharmHealth MCP Server enables LLMs and MCP clients to interact with patient records, encounters, and practice information within the CharmHealth EHR system.

Setup Requirements

  • ⚠️ Requires Python 3.13 or higher.
  • ⚠️ Mandates obtaining seven specific CharmHealth API credentials (e.g., API Key, Client ID/Secret, Refresh Token) via their OAuth setup process, which can be involved.
  • ⚠️ The `uv` tool is recommended for dependency management and running the server, adding an extra tool to install for local development.

Verified Safe
The server explicitly handles Protected Health Information (PHI) and includes a critical HIPAA notice, emphasizing user responsibility for compliance (HIPAA-compliant LLMs, BAA, no data retention). It retrieves credentials from environment variables, avoiding hardcoded secrets. OAuth tokens are managed with a shared, client-specific cache and locks for concurrency. Telemetry collection is optional and disabled by default, with clear warnings about PHI in logs if enabled. Input validation is performed at the tool level for required fields, reducing common errors. There is no evidence of `eval`, obfuscation, or arbitrary command execution vulnerabilities in the provided source code.
Updated: 2026-01-14
33
2
High Cost
Sec9

Provides multi-language spell checking and AI-powered grammar correction, designed to integrate with Model Context Protocol (MCP) clients such as AI coding assistants.

Setup Requirements

  • ⚠️ Requires a Cloudflare account for deployment, utilizing Workers AI and R2 storage services.
  • ⚠️ Manual deployment (not using the one-click button) necessitates creating R2 buckets and manually uploading dictionary files using a script that requires R2_ACCESS_KEY_ID and R2_SECRET_ACCESS_KEY environment variables.
  • ⚠️ Grammar correction functionality leverages Workers AI (DeepSeek R1 32B), which incurs token costs. The cost per call can be substantial as it includes the full input text, detailed system prompts, and AI-generated response (up to 2048 tokens for response alone).

Verified Safe
The server operates within a Cloudflare Workers sandboxed environment, which inherently mitigates many OS-level security risks. Optional Bearer token authentication via `API_SECRET` is available and recommended for production instances. Corrected documents stored in R2 use unique, non-guessable UUIDs for file names and have a 30-day auto-delete lifecycle policy. The code does not use `eval` or other dangerous dynamic code execution methods. R2 credentials (R2_ACCESS_KEY_ID, R2_SECRET_ACCESS_KEY) are required for the `upload-dictionaries.ts` *script* but are not hardcoded in the server's runtime code, instead relying on secure Cloudflare Workers bindings.
Updated: 2025-12-14
33
12
High Cost

multi_mcp

by religa

Sec8

A multi-model AI orchestration server providing automated code review, security analysis, and general LLM-powered assistance through the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️ Requires Python 3.11+.
  • ⚠️ An API key for at least one LLM provider (OpenAI, Anthropic, Google, or OpenRouter) is required for API-based models and integration tests.
  • ⚠️ For CLI-based models (Gemini CLI, Codex CLI, Claude CLI), the respective CLI tools must be pre-installed on the system.

Verified Safe
The core codebase does not contain overt malicious patterns or hardcoded production secrets. It employs careful path resolution to prevent traversal attacks. The server leverages subprocess execution for CLI models, which is handled with timeout mechanisms and checks for command existence, generally avoiding `shell=True` for safer input handling. Its primary function is to *detect* security issues, reflecting a security-aware design. The "vulnerabilities" mentioned in the README are intentionally vulnerable test cases from the `tests/data/repos/sql_injection` directory, designed to test the Multi-MCP server's detection capabilities, and are not flaws within the Multi-MCP server's own code.
Updated: 2026-01-02
33
6
Low Cost
Sec8

This server provides a Model Context Protocol (MCP) interface with various tools and resources designed to assist in maintaining, testing, and developing MCP repositories and clients.

Setup Requirements

  • ⚠️ Requires Node.js version 18.0.0 or higher.

Verified Safe
The server relies on `@modelcontextprotocol/sdk` and `express`, which are well-established libraries. Input validation for tools is handled robustly using `zod`. Dynamic imports are used in `index.ts` but are restricted to predefined internal modules, posing no `eval` risk from arbitrary user input. No hardcoded secrets or overtly malicious patterns were observed. The `FORMAT_DATA` tool accepts arbitrary data, but the formatting functions (`formatAsTable`, `formatAsYaml`) appear to perform safe stringification and structural traversal without executing input as code. A comprehensive security audit would require reviewing the `@modelcontextprotocol/sdk` itself.
Updated: 2026-01-08
33
3
High Cost

mcp-for-beginners

by 0x-Crisbanks

Sec5

Demonstrates building custom Model Context Protocol (MCP) servers for various tasks like weather data retrieval, GitHub repository management, and integrating them with AI models via AI Toolkit and VS Code for enhanced developer workflows and study plan generation.

Setup Requirements

  • ⚠️ Requires Azure OpenAI API Key (Paid) for LLM interactions and embedding generation.
  • ⚠️ Docker required for PostgreSQL database and some MCP server setups.
  • ⚠️ Python 3.10+ is required.
  • ⚠️ VS Code with AI Toolkit extension is necessary for full integration and visual agent building.
  • ⚠️ Node.js and npm are required for setting up the MCP Inspector.

Review Required
The `git_clone_repo` tool within the `github_mcp_server` takes a `repo_url` as input without explicit validation or sanitization of the URL format. This could potentially allow an attacker to craft a malicious URL that exploits vulnerabilities in Git (e.g., via hooks, submodules, or path traversal within the cloned content) even if `shell=False` is the default for `subprocess.run`. Additionally, the `open_in_vscode` tool uses `shell=True` on Windows for the `start` command, which is generally riskier for user-supplied paths.
Updated: 2025-11-19
33
4
Medium Cost

This repository provides a collection of plugins for Claude Code, enabling the AI agent to interact with external developer tools for tasks like Sentry error diagnosis, PostHog feature management, and detailed codebase analysis using a specialized CLI.

Setup Requirements

  • ⚠️ Python 3.9+ and Python package managers (uv/pipx/pip) are required for CLI tool installation.
  • ⚠️ Multiple external CLI tools (sentry-cli, cased-piglet, cased-kit) must be installed locally.
  • ⚠️ Sensitive environment variables (SENTRY_AUTH_TOKEN, SENTRY_ORG, POSTHOG_API_KEY, POSTHOG_PROJECT_ID) must be configured.
  • ⚠️ Additional Python dependencies (e.g., sentence-transformers) and system tools (e.g., Graphviz) may be needed for full functionality of certain kit-cli commands.

Verified Safe
The plugins define instructions for an AI agent to interact with external CLI tools (`sentry-cli`, `cased-piglet`, `cased-kit`). The security score is high for the plugin definitions themselves as they primarily consist of descriptive markdown. However, safe operation critically depends on: 1. The integrity and security of the underlying CLI tools. 2. The AI agent's robust sanitization and validation of user inputs before constructing and executing shell commands (e.g., ensuring issue IDs are strictly numeric, or preventing command injection in flag values). 3. The secure configuration and handling of sensitive environment variables (`SENTRY_AUTH_TOKEN`, `POSTHOG_API_KEY`) within the Claude Code environment. No hardcoded secrets or direct 'eval' calls are present within the provided plugin definitions.
Updated: 2026-01-07
33
1
High Cost

genai-mcp

by adamydwang

Sec7

This server acts as a Model Context Protocol (MCP) gateway for various GenAI image generation and editing services, with optional S3-compatible storage for generated images.

Setup Requirements

  • ⚠️ Requires Go 1.21+ to build and run from source.
  • ⚠️ Requires valid API keys for Google Gemini, Aliyun Wanxiang, or APIMart (these are typically paid services).
  • ⚠️ Requires an S3-compatible object storage bucket and credentials if `GENAI_IMAGE_FORMAT` is set to 'url'.

Verified Safe
The server loads sensitive API keys and OSS credentials from `.env` files or environment variables, which is a good practice. Logging of API keys is masked. The `DownloadImageFromURL` function fetches images from external URLs, which could be a vector for Server-Side Request Forgery (SSRF) if user-provided URLs are not thoroughly validated to prevent access to internal networks or malicious external resources. However, this is an inherent risk of services processing external URLs, and the code itself doesn't show obvious malicious patterns. S3/OSS upload paths use UUIDs to prevent predictable file names.
Updated: 2025-12-08
33
1
High Cost

muiscan-mcp

by michaeltrilford

Sec9

Facilitates the conversion of Figma UI designs into MUI (Michael UI) web components using an AI model via the Model Context Protocol.

Setup Requirements

  • ⚠️ Requires Claude Desktop for integration.
  • ⚠️ Requires manual configuration of Claude Desktop's `claude_desktop_config.json` file with the absolute path to `server.js`.
  • ⚠️ Relies on a separate Muiscan Figma Plugin (not provided in this repo) for exporting design layouts.

Verified Safe
The server acts as a proxy for a sophisticated prompt to an LLM. The `transform.js` file simply returns the input directly, indicating that the actual transformation logic is handled by the AI model based on the extensive `mui-prompts.js` guide. This design means the server itself executes minimal logic on user input, greatly reducing direct code execution vulnerabilities. Communication is via `stdio`, limiting network attack surfaces. No `eval`, hardcoded secrets, or obvious malicious patterns were found. The primary security consideration would shift to the LLM's code generation safety (e.g., preventing prompt injection or insecure code generation), which is external to this specific server's codebase.
Updated: 2025-11-24