Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

31
1
Medium Cost

fs-mcp

by luutuankiet

Sec9

This server provides a 'Human-in-the-Loop' filesystem interface for LLM agents, enabling interactive code editing and review with developer oversight.

Setup Requirements

  • ⚠️Requires `uvx` for quick installation and execution (or `uv` for package management and direct Python invocation).
  • ⚠️VS Code CLI (`code` command) must be installed and available in the system's PATH for the `propose_and_review` tool to automatically launch diff windows.
  • ⚠️Requires Python 3.10 or newer.
  • ⚠️The `google-genai` library is needed for Streamlit UI's Gemini schema conversion feature; ensure it's installed (e.g., `uv add google-genai`).
Verified Safe
The `validate_path` function is robust, ensuring all file operations are strictly confined to explicitly allowed directories and the system's temporary directory. Access to the temporary directory is further restricted to specific patterns (e.g., `mcp_review_` directories and `current_`/`future_` files within them), preventing arbitrary file creation or access in `/tmp`. The use of `subprocess.Popen(..., shell=True)` for launching VS Code is generally a risk, but in this implementation, the command's arguments are carefully constructed from validated path components, minimizing shell injection risks.
Updated: 2026-01-16
31
1
Low Cost

claude-redline

by switchbm

Sec7

Provides a human-in-the-loop review interface, allowing AI agents to pause for interactive user feedback on markdown documents and code during development workflows.

Setup Requirements

  • ⚠️Requires `uv` (Python's fast package manager) to be installed as a prerequisite.
  • ⚠️Requires Python 3.12+.
  • ⚠️The local HTTP server has no authentication, making it theoretically vulnerable to other malicious processes running on the same local machine.
  • ⚠️MCP configuration requires a sufficiently long timeout (e.g., 24 hours) to prevent review sessions from timing out while waiting for human input.
Verified Safe
The server runs a local HTTP server on `127.0.0.1` (localhost only) without authentication. This means any other process on the user's local machine could potentially interact with its API endpoints. However, path traversal attacks are mitigated for file access via the `/api/file` endpoint by resolving paths and checking against a base directory. It is designed for single-user, local use.
Updated: 2025-12-12
31
1
Low Cost

mcp-server-verkada

by yujiterada

Sec3

This server connects AI agents, assistants, and chatbots to the Verkada Command platform by providing a Model Context Protocol (MCP) interface to Verkada APIs for security-related functions like access control, camera management, guest interactions, and sensor data.

Setup Requirements

  • ⚠️Requires Node.js >= 18.0.0.
  • ⚠️Requires a Verkada API Key, which must be obtained and configured as an environment variable.
  • ⚠️Requires manual configuration in `claude_desktop_config.json` with an absolute path to the built server entry point.
Review Required
The most critical security risk identified is the potential for Local File Inclusion (LFI) via the `updateProfilePhoto` tool. The input schema for this tool's body parameter `file` is `z.string().optional()` with a description stating "Profile photo file path (formatted @/<image-path>)". This format strongly suggests the server will attempt to read a file from the local filesystem based on user-provided input, which could allow an attacker to read arbitrary files if not robustly sanitized and validated. While Zod is used for validation, the specific handling of this `@/<image-path>` pattern in `callVerkadaAPI` is not fully visible, but the pattern itself is inherently risky. Standard Node.js `npm install` practices also present supply chain risks if dependencies are compromised. The server relies on environment variables for API keys (`VERKADA_API_KEY`), which is a good practice to avoid hardcoding secrets in source code.
Updated: 2026-01-19
31
1
Medium Cost

agentplaybooks

by matebenyovszky

Sec9

Provides a Model Context Protocol (MCP) server for AI agents, offering platform-independent memory, skill management, and persona definitions.

Setup Requirements

  • ⚠️Requires a Supabase account setup (URL, anonymous key, and service role key).
  • ⚠️Requires configuration of OAuth providers (Google, GitHub, LinkedIn OIDC) for user authentication, likely within Supabase.
  • ⚠️Requires Docker for the most straightforward self-hosting deployment.
Verified Safe
The project demonstrates strong security practices, including robust authentication and authorization via Supabase, API key validation with granular permissions (`memory:read`, `playbooks:write`), and strict ownership checks for resources. Input validation is present for API routes, and file attachment uploads are well-sanitized to prevent path traversal and binary content. No 'eval' or direct code execution from user input is observed. Sensitive keys are expected from environment variables.
Updated: 2026-01-16
31
1
Medium Cost

An agentic voice-to-voice product discovery assistant performing RAG and web searches over an Amazon product dataset to provide grounded answers.

Setup Requirements

  • ⚠️Requires OpenAI API Key (Paid service for GPT-4o-mini, Whisper, and TTS).
  • ⚠️Requires a Brave Search API Key (potentially paid or free-tier limited). Note: The `mcp_server/tools/web_tool.py` expects `SEARCH_API_KEY` environment variable, but `configs/env.example` defines `BRAVE_API_KEY`. Users must either rename the variable in their `.env` to `SEARCH_API_KEY` or modify `web_tool.py` to use `BRAVE_API_KEY` for web search functionality to work.
  • ⚠️Requires `ffmpeg` installed on the system for Whisper ASR, which is not part of the `requirements.txt`.
Verified Safe
The server uses environment variables for API keys (e.g., OpenAI, Brave), preventing hardcoding of secrets. Input validation is provided by Pydantic models for FastAPI endpoints. External API calls (Brave, OpenAI TTS) use `httpx` with timeouts and error handling. The `critic` node includes basic safety checks. The MCP server is designed to run locally (127.0.0.1:8000), reducing direct external exposure risks. No 'eval' or malicious patterns were found. A minor potential improvement is to explicitly implement domain allowlisting for web search results as mentioned in `SAFETY.md`.
Updated: 2025-11-21
31
1
Medium Cost

mcp-fortress

by mcp-fortress

Sec9

Provides automated security scanning, runtime protection, and vulnerability detection for Model Context Protocol (MCP) servers and AI agent tools within developer environments.

Setup Requirements

  • ⚠️Requires one-time authentication with Smithery for marketplace installation.
  • ⚠️Manual local installation requires `npm install -g mcp-fortress` and modifying `claude_desktop_config.json`.
  • ⚠️Requires Node.js runtime for local installation.
Verified Safe
The project's primary purpose is security scanning and threat detection, demonstrating a strong security-first approach in its architecture and documented findings (e.g., `postmark-mcp` analysis). The provided client-side script (`docs/script.js`) is benign. However, the core server-side 'Scanner Engine' and 'API Server' implementations are explicitly stated as 'closed source' in `CONTRIBUTING.md`. This prevents a full code audit of these critical components, meaning the analysis relies on the detailed documentation of its functionality and security principles rather than direct code inspection for its core logic. The tool itself is designed to detect dangerous patterns like 'eval' and 'child_process' in *other* packages.
Updated: 2025-11-30
31
1
Medium Cost

mcp

by lunchflow

Sec9

This server allows AI assistants like Claude to access a user's financial data (accounts, transactions, balances) from 20,000+ banks via the Lunch Flow API.

Setup Requirements

  • ⚠️Requires a Lunch Flow account
  • ⚠️Requires banks to be connected within the Lunch Flow account
  • ⚠️Requires a Lunch Flow API key obtained from their dashboard
Verified Safe
The server acts as a proxy for the Lunch Flow API, providing a Model Context Protocol interface. It requires an API key, which is passed as configuration and used in an HTTP header, rather than being hardcoded. The README explicitly states security measures: 'Read-only access', 'API keys are securely encrypted', 'No credentials stored in the MCP server', 'All data fetched from your Lunch Flow account', and 'Open source for transparency'. No 'eval' or other directly dangerous patterns were found. The primary security relies on the Lunch Flow API's security and secure management of the API key within the Smithery deployment environment.
Updated: 2025-11-21
31
2
High Cost

documan

by documan-ai

Sec7

A documentation tool that provides a built-in MCP server, allowing AI assistants to semantically search and understand documentation in real-time.

Setup Requirements

  • ⚠️Requires OpenAI API Key for semantic search (DOCUMAN_OPENAI_API_KEY)
  • ⚠️Running the binary directly requires downloading from GitHub Releases, which implies trust in the distributed binaries.
Verified Safe
A full security audit is not possible as the actual server source code (e.g., Go, Rust) was not provided for analysis, only the README.md. Based solely on the README and deployment instructions: the application uses environment variables for sensitive data (DOCUMAN_OPENAI_API_KEY), which is good practice. The binary distribution method (curl | tar xz) carries the general risk associated with running third-party binaries, but no immediate malicious patterns or dangerous code (like 'eval' or obfuscation) were identified in the provided text. Network exposure is limited to a configurable HTTP port.
Updated: 2026-01-08
31
4
Medium Cost
Sec6

This boilerplate provides common code for creating a Model Context Protocol (MCP) server in Node.js, focusing on integrating 'skills' (modular agent capabilities) as tools and resources for LLM agents.

Setup Requirements

  • ⚠️Configuring skills requires a `skills.yaml` file (default: `./skills.yaml`) to specify skill sources (local paths or GitHub repositories).
  • ⚠️Loading skills from GitHub repositories requires an `Octokit` instance in the server context, implying a need for GitHub API tokens (e.g., `GITHUB_TOKEN`) for authentication and rate limit management.
  • ⚠️This is an MCP server, requiring an MCP-compatible client (e.g., Anthropic's Claude Code, or a custom SDK client) to interact with its endpoints.
  • ⚠️The custom ESLint plugin (`mcp-boilerplate/no-optional-tool-params`) enforces that tool input parameters must be required, preventing the use of `.optional()`, `.default()`, or `.nullish()` on Zod schemas for `inputSchema` to ensure compatibility with certain LLMs (e.g., GPT-5).
Review Required
The boilerplate's `apiRouterFactory` directly exposes MCP tools as REST API endpoints without built-in authentication or authorization, which requires careful implementation by the user for sensitive operations. The 'Skills' feature allows loading content from configured GitHub repositories; this introduces a supply chain risk if untrusted or compromised repositories are used. While local file path traversal is mitigated by `normalizeSkillPath`, the inherent trust in external GitHub sources for skill content is a significant consideration. OpenTelemetry integration, while beneficial for observability, could inadvertently expose sensitive data if not configured properly by the implementer.
Updated: 2026-01-07
31
1
Medium Cost

mcp-bitbucket-server

by evrimalacan

Sec9

Connects AI assistants to Bitbucket Server/Data Center for natural language interaction with pull requests, repositories, and users.

Setup Requirements

  • ⚠️Requires a Bitbucket Server Personal Access Token (PAT) with appropriate read/write permissions for projects and repositories.
  • ⚠️Relies on specific environment variables (BITBUCKET_URL, BITBUCKET_TOKEN) to be set for configuration.
  • ⚠️Requires Node.js version 22.0.0 or higher to run.
Verified Safe
The server primarily operates over standard I/O (stdio) as an MCP server, which limits direct external network attack surface. Authentication relies on Personal Access Tokens (PATs) passed securely via environment variables (BITBUCKET_URL, BITBUCKET_TOKEN), preventing hardcoded credentials. Tool inputs are validated using Zod schemas, mitigating common injection vulnerabilities. No 'eval' or other directly dangerous functions/patterns were identified in the provided source code.
Updated: 2025-11-28
31
1
Medium Cost

McpServerKotlin

by apptolast

Sec9

An MCP Full-Stack Server implemented in Kotlin that enables AI agents to autonomously build and manage applications.

Setup Requirements

  • ⚠️Requires JDK 21+ and Gradle 8.10+.
  • ⚠️External database services (PostgreSQL, MongoDB) are required for their respective modules to be fully functional.
  • ⚠️A GitHub personal access token (GITHUB_TOKEN) is needed for authenticated Git operations, especially for private repositories.
  • ⚠️JWT_PUBLIC_KEY is required to enable secure authentication.
Verified Safe
The server demonstrates a strong security-first design, implementing multiple layers of defense. This includes robust path traversal protection, command whitelisting with dangerous pattern detection (e.g., fork bombs, rm -rf /, sudo, chmod 777), strict read-only query enforcement for PostgreSQL, file size and extension limits, and working directory isolation. JWT authentication with RBAC is available, though it defaults to disabled, which is a common but notable security consideration for production. MongoDB operations parse JSON strings for filters and pipelines, placing the onus on the calling agent to provide safe JSON, rather than the module sanitizing content within the JSON structure.
Updated: 2025-11-27
31
1
Low Cost

mcp-cross

by seanepping

Sec9

Acts as a cross-platform bridge for Model Context Protocol (MCP) servers, facilitating seamless stdio communication and path translation between different environments, especially Windows and WSL2, and providing an HTTP proxy mode for accessing HTTP-based MCP servers with environment variable expansion.

Setup Requirements

  • ⚠️Requires Windows Subsystem for Linux (WSL2) to be installed and configured for `--wsl` mode.
  • ⚠️Requires Node.js 18+ to be installed on the host system.
  • ⚠️Commands executed within WSL (e.g., `node`, `python`) must be available in the WSL environment's PATH, or their absolute paths must be specified. Users of version managers (like `nvm` or `pyenv`) in WSL may need to use absolute paths or configure their shell carefully.
Verified Safe
The project demonstrates a strong focus on security, particularly in handling shell command execution and environment variable propagation across Windows and WSL. Key measures include robust argument escaping for `wsl.exe` and login shells, a WSL runner script (`wsl-runner.sh`) that sanitizes the PATH to prevent unintended Windows binary execution, and careful handling of environment variables via `WSLENV` with a Windows environment variable blacklist. Header parsing includes validation against CRLF injection, and sensitive header values are masked in debug logs. The HTTP proxy mode also warns against using insecure HTTP for non-localhost endpoints. There are no apparent hardcoded secrets or malicious patterns.
Updated: 2025-12-05