Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

30
1
Low Cost

python-mcp-server

by PinXian53

Sec8

This project implements a Model Context Protocol (MCP) server providing weather information tools (alerts and forecasts) via Server-Sent Events (SSE), demonstrating how AI agents can interact with external services.

Setup Requirements

  • ⚠️Requires `uv` for environment and package management.
  • ⚠️Requires Python 3.11 or newer.
  • ⚠️Relies on the external National Weather Service (NWS) API for data.
Verified Safe
The server uses `httpx` to make requests to a public NWS API. Input parameters for tools (state, latitude, longitude) are used in f-strings to construct URLs, which is generally safe for the types of input expected. There are no direct `eval` or `exec` calls, nor obvious arbitrary code execution vectors. Debug mode (`debug=True`) is enabled, which is common for development but should be disabled in production to prevent exposure of sensitive information.
Updated: 2025-12-15 | GitHub
30
1
Low Cost

MultiServer-Mcp

by dearnidhi

Sec9

Demonstrates building and interacting with multiple Microservice-Compatible Protocol (MCP) servers for math and text processing using a LangChain MCP client for direct tool invocation.

Setup Requirements

  • ⚠️Requires Python 3.13+.
  • ⚠️Requires UV for project initialization.
  • ⚠️A .env file containing GROQ_API_KEY is expected to be present, though the key is not explicitly used for LLM calls in the provided client.py example.
Verified Safe
The project uses standard I/O for inter-process communication, limiting direct network exposure. Environment variables are loaded securely from a .env file. No 'eval' or obvious malicious patterns found in the provided code. The risk is primarily limited to vulnerabilities within the simple functions defined in mathserver.py and texttools.py, which appear safe.
Updated: 2026-01-15 | GitHub
30
1
Medium Cost

fmp_mcp_server

by damianboh

Sec9

Serves real-time financial data via Model Context Protocol (MCP) to AI agents and LLM applications for various financial analyses.

Setup Requirements

  • ⚠️Requires Python 3.9+
  • ⚠️Requires a Financial Modeling Prep (FMP) API Key (free tier has limitations for full access)
  • ⚠️Requires a paid ChatGPT Plus account for Developer Mode if used with ChatGPT Custom Tools
  • ⚠️Requires exposing a local port to the internet via Cloudflare Tunnel or Ngrok for external LLM access
Verified Safe
The server loads API keys from environment variables, which is a good practice. It handles API request errors gracefully. No 'eval' or malicious patterns were found. The primary network risk is related to exposing the local server publicly via tunneling solutions (Cloudflare, Ngrok) without additional authentication/authorization layers within the server itself, but this is a common pattern for MCP servers intended for specific LLM integrations like ChatGPT's Custom Tools.
Updated: 2025-12-10 | GitHub
30
1
Medium Cost
Sec9

Provides tools to query Nagoya City bus timetables and real-time approach information for LLM agents.

Setup Requirements

  • ⚠️Requires Python 3.11+
Verified Safe
The server uses standard, reputable libraries (httpx, hishel, pydantic) and does not contain obvious security vulnerabilities such as 'eval' on untrusted input, hardcoded secrets, or insecure direct command execution. It interacts with a single hardcoded external API. Robust error handling for network requests is present, including a specific check for HTML 404 responses with 200 HTTP status from the upstream API. The risk is primarily associated with external dependencies and potential vulnerabilities in the upstream Nagoya Bus API, which are outside the scope of this server's direct control.
Updated: 2026-01-19 | GitHub
30
1
Medium Cost

gorse

by dataontap

Sec7

The server provides a comprehensive backend for a global eSIM connectivity platform, integrating AI-driven activation, blockchain-based rewards, various mobile telecommunication services, and a Model Context Protocol (MCP) server for AI assistant interaction.

Setup Requirements

  • ⚠️Requires PostgreSQL database connection configured via `DATABASE_URL`.
  • ⚠️Extensive API key configuration for various third-party services: Stripe, OXIO, ElevenLabs, Gemini, Ethereum (Etherscan), and Resend/SMTP.
  • ⚠️Firebase Admin SDK requires proper server-side authentication setup (e.g., `GOOGLE_APPLICATION_CREDENTIALS` environment variable pointing to a service account JSON file).
Verified Safe
The application employs strong authentication with Firebase and secure payment processing with Stripe webhook verification. SQL injection risks are mitigated through parameterized queries. However, client-side Firebase configurations contain a placeholder API key (`your-api-key-here`), and a test endpoint (`/api/token/create-test-wallet`) exposes Ethereum private keys (with a warning not to use in production). Running the Flask app with `allow_unsafe_werkzeug=True` is not recommended for production environments. Server-side Firebase Admin SDK credentials are required but not explicitly detailed in environment variables in `main.py`.
Updated: 2025-11-24 | GitHub
30
1
Medium Cost

Govee-MCP

by joeynyc

Sec9

Controls Govee smart lights via natural language commands using an MCP-compatible AI assistant.

Setup Requirements

  • ⚠️Requires a Govee Developer API Key (free for personal use, but needs manual acquisition).
  • ⚠️Recommended: Configure a device allowlist by manually retrieving device IDs after initial setup for enhanced security.
  • ⚠️Requires Node.js version 18.0.0 or higher.
Verified Safe
The server demonstrates strong security practices: API key is environment-variable based (not hardcoded, .env is gitignored), input is rigorously validated with Zod schemas, requests are rate-limited, and a device allowlist feature is implemented (and highly recommended for production). A dry-run mode is available for safe testing. The LAN adapter is a stub, so it currently poses no direct network risks from the provided code, relying instead on the Govee Cloud API's security. No 'eval', obfuscation, or obvious malicious patterns were found.
Updated: 2026-01-19 | GitHub
30
1
Medium Cost

mcpRAG

by rajagopal17

Sec9

A Retrieval-Augmented Generation (RAG) system for document-based question answering using local embeddings and a Gemini LLM.

Setup Requirements

  • ⚠️Requires Python 3.11+.
  • ⚠️Ollama must be installed and running locally with the 'nomic-embed-text' model pulled.
  • ⚠️A Gemini API key needs to be obtained and configured in a '.env' file.
  • ⚠️Initial document embeddings and FAISS index must be created by running 'ollamaEmbed.py' before querying.
Verified Safe
The system loads the Gemini API key from an environment variable (`.env`), which is good practice. Ollama embeddings are processed locally, reducing external data transfer risks. There are no obvious signs of 'eval', obfuscation, or direct shell command injection points from user input. A potential code structure issue in `ragModel.py` exists where the Gemini generation call is outside the `if __name__ == '__main__':` block, relying on variables defined within it. This is a code correctness concern rather than a direct security vulnerability but could lead to runtime errors or unexpected behavior if the file is imported.
Updated: 2025-12-03 | GitHub
30
1
High Cost
Sec8

Provides AI-powered chess game analysis, including per-move insights, best lines, and AI commentary, to help players improve.

Setup Requirements

  • ⚠️Requires Python 3.13+ (currently in beta/RC), which might necessitate installing a specific development build of Python.
  • ⚠️Users must download and configure the paths to local chess engine binaries (Stockfish, LC0). The provided paths are OS-specific and will likely need adjustment.
  • ⚠️A `GOOGLE_API_KEY` is required for AI commentary, indicating reliance on a paid external LLM service.
Verified Safe
The application interacts with local chess engine binaries via `popen_uci`. While this is standard for such tools, it requires trust in the local environment and engine binaries. Input validation using Pydantic is implemented for API requests. CORS origins are configurable via environment variables, and the `GOOGLE_API_KEY` is loaded securely from environment variables, preventing hardcoding. No 'eval' or obvious malicious patterns were found.
Updated: 2026-01-16 | GitHub
30
1
Medium Cost

Enables AI assistants to interact with and manage Argo Workflows via a standardized Model Context Protocol (MCP) server.

Setup Requirements

  • ⚠️Requires a running Kubernetes cluster with Argo Workflows installed.
  • ⚠️Requires Kubernetes access (via kubeconfig or Argo Server token).
  • ⚠️The default Kubernetes RBAC (`ClusterRole`) granted to the server provides extensive permissions (full CRUD on Argo resources, access to pods/logs), demanding careful consideration in production environments.
  • ⚠️For HTTP/SSE transport, external authentication middleware is explicitly required for production deployments, as the server itself does not provide client authentication.
Verified Safe
The server provides extensive control over Kubernetes Argo Workflows, including create, update, and delete operations. The default Kubernetes RBAC configuration grants a 'ClusterRole' with broad permissions (full CRUD on Argo Workflows resources, plus get/list/watch on pods/logs/events), making it a high-privilege target. If deployed with HTTP/SSE transport, the documentation explicitly states that external authentication middleware is required for production, implying no built-in client authentication. The code itself employs good practices like strict YAML unmarshaling and manifest size limits (1MiB) to prevent certain vulnerabilities, but the overall security posture heavily relies on secure deployment practices and external access controls.
Updated: 2026-01-17 | GitHub
29
4
Medium Cost

mezmo-mcp

by mezmo

Sec7

Enables AI assistants and IDE chat agents to interact with the Mezmo observability platform for streamlined log analysis and root-cause analysis.

Setup Requirements

  • ⚠️Mezmo Service Key (required for authentication)
  • ⚠️Node.js >= 18 (for `mcp-remote` bridge)
  • ⚠️Potential `npx` argument-escaping issues (requires specific environment variable setup for Authorization header)
Verified Safe
The provided source code is primarily the README and client configuration examples. The actual server's implementation source code is not available for audit, as it's described as a 'remote' server. Client-side setup involves passing a Mezmo Service Key as a Bearer token over HTTPS to `https://mcp.mezmo.com/mcp`. The `npx mcp-remote` bridge requires trust in the `mcp-remote` npm package. No 'eval', obfuscation, or obvious malicious patterns found in the provided text. Mezmo Service Key is a sensitive credential and needs to be managed securely by the user.
Updated: 2025-11-19 | GitHub
29
7
Medium Cost

verdex-mcp

by verdexhq

Sec8

AI-first browser automation for Playwright test authoring, enabling AI coding assistants to generate robust, container-scoped, and content-filtered Playwright selectors for end-to-end tests.

Setup Requirements

  • ⚠️Requires Node.js version >= 18.
  • ⚠️Requires installing Chromium browser binaries (e.g., `npx playwright install chromium` if not already installed by Puppeteer).
  • ⚠️Multi-role authentication requires user-provided JSON files for each role; these files must be securely managed and properly formatted.
  • ⚠️Requires configuration within an MCP client's `mcpServers` settings to be used as an AI tool.
Verified Safe
The server uses Puppeteer to control a browser, which inherently involves risks when interacting with untrusted websites. It injects its own bundled JavaScript into an isolated world using `Runtime.evaluate`, a standard practice in browser automation but one that requires trust in the injected code. User-provided authentication files (JSON) are loaded, which could be a risk if untrusted files are supplied, though the `RolesConfigParser` warns if these files are not found. The project demonstrates good security awareness with a dedicated `SECURITY.md` that outlines best practices for protecting sensitive data (auth files) and managing network access, and uses isolated browser contexts for different roles to enhance security.
Updated: 2026-01-04 | GitHub
29
12
Medium Cost
Sec9

An AI-native server that integrates SAM.gov, USASpending.gov, and Tango APIs to analyze federal procurement and spending data through natural language queries.

Setup Requirements

  • ⚠️Requires Node.js 18+.
  • ⚠️Full functionality (15 tools) requires API keys for SAM.gov (can take ~24 hours to activate) and Tango (may involve pricing tiers).
  • ⚠️Hosted deployment on AWS requires an AWS account, AWS CLI, and AWS CDK CLI, with appropriate permissions configured.
Verified Safe
The server demonstrates strong security practices including hashing API keys (never storing them in raw form in S3) via the `s3-api-key.ts` middleware, thorough input sanitization (`ApiClient.sanitizeInput`), and queue-based rate limiting to protect external APIs from accidental abuse. AWS infrastructure defined via CDK (`infrastructure/`) enforces S3 public access blocking, SSL, and server-side encryption, and follows least-privilege IAM policies for Lambda. No `eval` or code obfuscation found. The `SECURITY.md` outlines a clear vulnerability reporting and disclosure policy.
Updated: 2026-01-02 | GitHub