Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

33
3
Medium Cost

lm

by vrund038

Sec6

Provides a user-friendly interface for interacting with advanced AI models, generating code, and managing AI tasks with customizable prompts.

Setup Requirements

  • ⚠️Requires trust in the downloaded '.zip' executable and manual installation outside of standard package managers.
  • ⚠️Requires Windows 10+ or macOS Catalina+, at least 4GB RAM, 500MB disk space, and a dual-core processor.
Review RequiredView Analysis
The primary method of installation is downloading a pre-compiled '.zip' executable from a direct link within the repository, which requires trust in the maintainer and the integrity of the downloaded file. This approach lacks transparency compared to building from source or using package managers with security audits, making it not unconditionally safe to run without further inspection.
Updated: 2025-11-20GitHub
33
3
Medium Cost
double16 icon

shyhurricane

by double16

Sec3

An MCP server designed to assist AI agents in offensive security testing, focusing on efficient enumeration, content indexing, and tool orchestration for vulnerability discovery and exploitation.

Setup Requirements

  • ⚠️Requires Docker for tool execution and database (Qdrant).
  • ⚠️Requires Ollama or API keys for OpenAI/Google AI/AWS Bedrock for LLM interactions.
  • ⚠️GPU recommended for embedding model performance, even with non-local LLMs.
  • ⚠️Python 3.12+ required for local development environment.
Review RequiredView Analysis
This project is explicitly designed for offensive security testing, which inherently involves high-risk operations. The primary security concern is the `run_unix_command` tool, which allows the AI agent to execute arbitrary Linux/macOS commands on the host (or within a Docker container that has network access, including privileged operations like mounting volumes and building images). Several other tools (e.g., `port_scan`, `spider_website`, `directory_buster`, `web_search`, `oast` capabilities) also interact with external targets in potentially intrusive ways. By default, `DISABLE_ELICITATION` is set to `True` in `docker-compose.dev.yml`, meaning dangerous actions might proceed without explicit user confirmation. The `unix_command` Docker image bundles numerous offensive security tools, and its `entrypoint.sh` persists `/tmp` and `/var/tmp` across invocations, which could lead to sensitive data leakage between different tool runs. HTTP request/response bodies are logged which may contain sensitive data. Given its purpose, these features are intended, but for a general user, running this server poses a significant risk of unintended system compromise or unauthorized network activity.
Updated: 2026-01-16GitHub
33
3
Medium Cost
rioriost icon
Sec3

This server provides a tool interface for Large Language Models (LLMs) to interact with and manage graph data stored in Apache AGE on Azure Database for PostgreSQL through Cypher queries, enabling natural language data exploration and manipulation.

Setup Requirements

  • ⚠️Requires Python 3.13 or above.
  • ⚠️Requires the Apache AGE extension to be enabled and loaded in the Azure Database for PostgreSQL instance.
  • ⚠️Requires a PostgreSQL connection string, with the password either embedded, provided via the PGPASSWORD environment variable, or retrievable through Azure CLI (which must be installed and authenticated).
  • ⚠️Designed to be run as an MCP server, primarily for integration with LLM clients like Claude Desktop Client or Visual Studio Code with the MCP extension.
Review RequiredView Analysis
The server is vulnerable to SQL injection through the 'graph_name' parameter in multiple tools (e.g., 'create-age-graph', 'drop-age-graph', 'get-age-schema', 'read-age-cypher', and 'write-age-cypher'). The 'graph_name' argument, which originates from user/LLM input, is directly inserted into SQL queries using f-strings or string formatting (e.g., `SELECT create_graph('{}')` or `cypher('{graph_name}', $$...$$)`) without proper sanitization or parameterized queries for this specific argument. This allows a malicious input for 'graph_name' (e.g., `my_graph'); DROP TABLE important_data; --`) to execute arbitrary SQL commands, potentially leading to data loss, unauthorized access, or database corruption. While the server includes checks for Cypher-level write operations and parameterized Cypher queries, these do not mitigate the SQL injection vulnerability associated with the 'graph_name' argument. The use of `subprocess.check_output` for Azure CLI token retrieval is a legitimate pattern but executing external commands always carries a minimal inherent risk.
Updated: 2026-01-18GitHub
33
1
Medium Cost
yeeking icon
Sec2

Enables language models to control and interact with the Reaper Digital Audio Workstation (DAW) through an MCP server.

Setup Requirements

  • ⚠️Requires manual configuration within REAPER, including enabling the Python API and running a specific ReaScript to enable the distributed API.
  • ⚠️The Python virtual environment path where `reapy` is installed must be manually added to ReaScript's `sys.path` within REAPER.
  • ⚠️If using the 'http' transport option, `fastapi` and `uvicorn` must be explicitly installed (`pip install fastapi uvicorn[standard]`).
Review RequiredView Analysis
The server explicitly states 'Security: There is none so watch out.' It exposes a `call_api` tool that allows arbitrary ReaScript API functions to be invoked by name with provided arguments. This creates a critical vulnerability for prompt injection leading to unrestricted access and potential command execution on the host system via REAPER's capabilities. There is no authentication or authorization mechanism.
Updated: 2025-11-23GitHub
33
3
Low Cost
Qbandev icon
Sec9

Enables AI assistants to query real-time blockchain data across 30+ networks via Infura's JSON-RPC API using natural language.

Setup Requirements

  • ⚠️Requires `INFURA_API_KEY` environment variable, which must be obtained from Infura.
  • ⚠️Requires Node.js version 20 or higher.
  • ⚠️For HTTP mode, the server runs on `localhost:3001` by default and requires a separate process or client connection.
Verified SafeView Analysis
The server demonstrates strong security practices: comprehensive input validation (`lib/validators.js`) prevents common injection attacks for addresses, hashes, and network names. Operations are explicitly read-only, preventing any blockchain state modification. API keys are strictly managed via environment variables. The HTTP mode implements robust security headers (Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) and disables server fingerprinting. CORS is also properly configured. No `eval` or obvious malicious patterns were found. The primary security risk lies in the secure management of the `INFURA_API_KEY` by the user outside of the application's code.
Updated: 2026-01-19GitHub
33
3
Medium Cost
egarcia74 icon
Sec9

An MCP server for SQL Server, enabling AI assistants to securely interact with databases for schema discovery, data retrieval, query execution, performance monitoring, and optimization.

Setup Requirements

  • ⚠️Requires a running and accessible SQL Server instance (2016+).
  • ⚠️Configuration is heavily reliant on environment variables; .env files are NOT automatically loaded by MCP servers in isolated environments, requiring explicit setup in AI assistant settings or a global configuration file (~/.warp-sql-server-mcp.json).
  • ⚠️Running the full automated integration test suite (`npm run test:integration`) requires Docker to spin up a SQL Server container.
Verified SafeView Analysis
The server features a robust three-tier safety system with AST-based SQL query validation (using node-sql-parser) to detect dangerous functions (e.g., xp_cmdshell, openrowset) and potential SQL injection patterns. It supports cloud secret managers (AWS Secrets Manager, Azure Key Vault) for credential management, and provides context-aware SSL certificate handling that defaults to secure settings in production. Streaming functions include prototype pollution and size limit protection for JSON chunk processing. Comprehensive security audit logging and secure configuration defaults are also in place. The system errs on the side of security, requiring strong indicators for development environments to trust certificates.
Updated: 2026-01-19GitHub
33
3
Medium Cost
andreibesleaga icon

ocm-sdk

by andreibesleaga

Sec5

An MCP server that enables AI assistants to interact with the Open Charge Map (OCM) API, providing tools for documentation search and executing TypeScript SDK code in a sandboxed environment.

Setup Requirements

  • ⚠️Requires OCM API Key and/or Username for authentication to the Open Charge Map API.
  • ⚠️The 'code mode' tool relies on an external third-party service (Stainless API) for arbitrary code execution and sandboxing; the security of this feature depends entirely on that external service.
  • ⚠️Requires Node.js 18.0.0 or higher.
  • ⚠️Deployment to Cloudflare Workers requires `wrangler` CLI and Cloudflare account setup (e.g., KV namespaces).
  • ⚠️Requires inputting API keys/credentials into a mock OAuth login screen for initial connection via MCP clients.
Verified SafeView Analysis
The server includes a 'code mode' tool ('execute') that allows arbitrary JavaScript code, provided by an AI assistant, to be sent to an external service (https://api.stainless.com/api/ai/code-tool by default) for execution. The project claims this code runs in an 'isolated sandbox' provided by the external service. The security of this mechanism is critically dependent on the robustness and trustworthiness of this third-party sandboxing service. If the external service were compromised or had vulnerabilities in its sandbox implementation, it could lead to arbitrary code execution outside the intended scope. API keys and bearer tokens are expected via environment variables or headers, which should be protected from unauthorized access. No hardcoded secrets are directly observed in the provided source.
Updated: 2026-01-19GitHub
33
3
High Cost
KittyCAD icon

zoo-mcp

by KittyCAD

Sec9

An MCP server enabling AI assistants to perform CAD operations, generate KCL code, and manage KCL projects using the Zoo API.

Setup Requirements

  • ⚠️Requires Zoo API Key (Paid) set as ZOO_API_TOKEN environment variable.
  • ⚠️Requires Python version >=3.11 and <3.14.
  • ⚠️Requires the 'uv' package manager for installation and running commands.
  • ⚠️Requires network access to GitHub (for KCL docs/samples) and KittyCAD API/Websockets (for CAD operations).
Verified SafeView Analysis
The server uses external APIs (KittyCAD, GitHub) and websockets. Secrets (API tokens) are managed via environment variables. Basic path validation is in place for documentation and sample fetching to prevent traversal. File operations for export and image saving can overwrite specified paths, which is a standard feature but should be considered in the context of an AI agent's permissions. No 'eval' or obvious malicious patterns were found.
Updated: 2026-01-18GitHub
33
2
Medium Cost
fpcsa icon
Sec9

A financial intelligence MCP server providing structured market analysis and insights for crypto and equities, designed for LLM and human developer consumption.

Setup Requirements

  • ⚠️Requires Python 3.12+ (implied by Dockerfile).
  • ⚠️Limited interval support for equities (yfinance) for `timeseries` and `analyze_asset` tools (only '1d', '1h', '1wk').
  • ⚠️Relies on external financial data APIs (ccxt, yfinance) which may have rate limits or usage restrictions.
Verified SafeView Analysis
The server's source code shows good practice with no 'eval' or obfuscation. External API calls to ccxt (Binance) and yfinance (Yahoo Finance) are encapsulated within adapters. No hardcoded secrets are evident, and the server runs on a standard port. The use of checksums enhances data provenance. However, reliance on external APIs always introduces a minimal supply chain risk and potential for rate limits or API key requirements (though not explicitly shown as required in the code).
Updated: 2025-11-24GitHub
33
3
Medium Cost
redbadger icon

crux-mcp

by redbadger

Sec8

Loads a Crux application's WebAssembly component to expose its functionality via ModelContext Protocol (MCP) for LLM agent interaction and agentic coding.

Setup Requirements

  • ⚠️Requires manual checkout of a specific branch/pull request of the 'crux' repository into a sibling directory named 'crux'.
  • ⚠️Requires building a WebAssembly component ('shared.wasm') from the 'crux' repository with specific features ('facet_typegen') and target ('wasm32-wasip2') before running the server.
  • ⚠️The 'CRUX_COMPONENT' environment variable must be set to the absolute path of the built WebAssembly component.
  • ⚠️Interacting with the server as intended requires the '@modelcontextprotocol/inspector' client tool via `pnpx`.
Verified SafeView Analysis
The server's security is highly dependent on the trustworthiness of the WebAssembly component loaded via the 'CRUX_COMPONENT' environment variable. The server's own codebase does not exhibit 'eval', obfuscation, hardcoded secrets, or directly malicious patterns. It communicates over standard I/O (StdioTransport), which limits its direct network exposure. While WASI Preview 2 offers sandboxing, the user is responsible for ensuring the integrity and safety of the provided WASM component.
Updated: 2025-11-25GitHub
33
3
Medium Cost
code-rabi icon

toolception

by code-rabi

Sec9

Provides a dynamic Model Context Protocol (MCP) server toolkit for runtime toolset management, exposure control, and robust permission-based access control for AI agents.

Setup Requirements

  • ⚠️Requires Node.js version 25.3.0 or higher, which might be newer than many typical LTS environments.
  • ⚠️Permission resolvers (when using config-based permissions) must be synchronous; external permission lookups need to be pre-cached.
  • ⚠️Server creation requires a factory function (`createServer`) that produces an high-level McpServer instance from `@modelcontextprotocol/sdk/server/mcp.js`, allowing for custom MCP server configurations.
Verified SafeView Analysis
The server framework incorporates robust security practices including Zod for schema validation on custom HTTP endpoints, clear separation of concerns for permission resolution, and safe error responses to prevent information leakage of unauthorized toolsets. Client IDs are either provided by headers or generated anonymously with non-anonymous ones being cached. The system largely delegates tool execution and module loading to user-provided handlers and resolvers, which means the ultimate security of the server depends heavily on the security of the implemented tools and permission logic. The framework itself provides the necessary mechanisms to build a secure system, such as explicit validation for permission configurations and reserved HTTP paths. No direct 'eval' or obvious hardcoded secrets were found.
Updated: 2026-01-15GitHub
33
3
Medium Cost
mikhae1 icon

kubeview-mcp

by mikhae1

Sec7

Enables AI agents to inspect, diagnose, and debug Kubernetes clusters through a read-only Model Context Protocol (MCP) server.

Verified SafeView Analysis
The server uses a sandboxed Node.js `vm` environment for executing agent-provided TypeScript code (`run_code`), which enhances isolation. Sensitive data masking is implemented for ConfigMaps and Secrets, and is configurable (`MCP_HIDE_SENSITIVE`). However, while the server's direct interaction with the Kubernetes API aims to be read-only, the `kube_exec` tool allows agents to execute arbitrary commands inside specific containers within pods. This means an agent could instruct the tool to perform write operations or other non-read-only actions within a running workload, potentially impacting applications. Similarly, `kube_port` can establish temporary port-forwards, exposing internal services locally. Users and AI agents should exercise caution when utilizing these powerful capabilities.
Updated: 2026-01-14GitHub
PreviousPage 164 of 713Next