Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

25
1
Medium Cost
Gustavocoello icon

MCP-Nexus

by Gustavocoello

Sec8

An intelligent conversational AI assistant designed to enhance developer productivity by providing free, local generative AI capabilities and integrating with external services via the Model Context Protocol.

Setup Requirements

  • ⚠️Requires multiple API keys for various services (OpenRouter LLMs, Azure AI Vision, Clerk Auth, Google OAuth) which may require account setup and potential billing.
  • ⚠️Database setup is required (MySQL locally or Azure SQL), including running migrations with Alembic, and a Redis instance for session management and OAuth state.
  • ⚠️The project has both a Python backend and a React/Vite/pnpm frontend, requiring separate setup and execution for a full development environment.
Verified SafeView Analysis
The project employs strong security practices including JWT-based authentication via Clerk, OAuth 2.0 for Google and OneDrive integrations, and Fernet encryption for sensitive tokens stored in the database. API keys and database credentials are properly managed through environment variables. File uploads are processed with text extraction and rate-limited for Azure AI Vision, reducing abuse potential. CORS is explicitly configured with a list of allowed origins, mitigating common web vulnerabilities. No obvious direct 'eval' of user input or malicious code patterns were identified. Potential risks could stem from the security of third-party libraries used for file parsing (e.g., pypdf, docx2txt) or the secure configuration of numerous external APIs.
Updated: 2026-01-06GitHub
25
25
Low Cost
7gugu icon

whistle-mcp

by 7gugu

Sec7

Manages a local Whistle proxy server through Model Context Protocol, allowing AI assistants to control network rules, groups, values, and replay requests.

Setup Requirements

  • ⚠️Requires a running Whistle proxy server instance.
  • ⚠️Requires Node.js version 18.20.0 or higher.
Verified SafeView Analysis
The server's primary function is to expose powerful network proxy capabilities (Whistle) to an AI. While the server's code itself does not show obvious direct code injection or hardcoded secrets, granting an AI control over a network proxy via tools like `replayRequest` (allowing arbitrary URL, method, headers, and body) or rule management (creating/updating rules) carries inherent risks. A malicious or unconstrained AI could potentially be instructed to perform network attacks, bypass security, or intercept sensitive data if the underlying Whistle server is not properly secured or is exposed beyond a trusted local environment. The `getInterceptInfo` tool uses user-provided `url` as a regular expression, which is mitigated by a `try-catch` block for invalid regex, falling back to a string `includes` check.
Updated: 2025-12-26GitHub
25
5
Low Cost
blinkysc icon

azerothMCP

by blinkysc

Sec3

Provides AI assistants with read-only access to AzerothCore game databases and documentation for understanding game mechanics and debugging scripts.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️Requires a running MySQL server with AzerothCore databases (world, characters, auth).
  • ⚠️Requires `git clone --recursive` to initialize the Keira3 submodule for spell database and comment generation.
  • ⚠️The `execute_investigation` sandbox tool executes Python code which poses a significant security risk if not carefully managed.
Review RequiredView Analysis
The `azerothmcp/tools/sandbox.py` module, when `ENABLE_SANDBOX=true` (which is default), allows the execution of arbitrary Python code via the `execute_investigation` tool. While it implements `validate_code` with a `FORBIDDEN_PATTERNS` blacklist and restricts built-ins to `SAFE_BUILTINS`, `exec()` is inherently dangerous when exposed to untrusted or AI-generated input due to the potential for bypasses and prompt injection attacks. This means an attacker (or a misdirected AI) could potentially execute arbitrary code on the host system. Additionally, `subprocess.run` is used in `packets.py` (for WowPacketParser) and `source.py` (for grep), which, if paths or arguments were manipulated, could lead to arbitrary command execution. The default `READ_ONLY=true` for database operations is a good security practice, but can be disabled.
Updated: 2025-12-30GitHub
25
3
Low Cost
cyrup-ai icon

kodegen

by cyrup-ai

Sec7

A Rust-native Model Context Protocol (MCP) server providing blazing-fast auto-coding and development tools for AI agents.

Setup Requirements

  • ⚠️Requires Rust nightly toolchain.
  • ⚠️The `claude` CLI must be installed and accessible in the system's PATH for the `kodegen claude` subcommand to function.
  • ⚠️Backend MCP HTTP category servers (e.g., for filesystem, terminal, git tools) must be running for tools to be available; otherwise, the server will operate with reduced functionality or fail to start.
Verified SafeView Analysis
The `kodegen claude` subcommand spawns the `claude` CLI process and passes through arbitrary arguments (`passthrough_args`) directly. This is a powerful feature intended for agent control, but it implies that `kodegen` allows `claude` CLI commands to be executed via its interface. If `kodegen` were exposed to untrusted input without proper sanitization at a higher level, this could be a vulnerability. The `StdioProxyServer` sends the current working directory (`X_KODEGEN_PWD`) and detected Git repository root (`X_KODEGEN_GITROOT`) as HTTP headers to backend MCP servers. This is a potential information leak if `--host` is configured to point to an untrusted endpoint. Credentials for database and SSH connections (`DATABASE_DSN`, `SSH_KEY`, `SSH_PASSWORD`) can be provided via environment variables or CLI arguments; their security depends on how the downstream category servers (to which `kodegen` proxies) handle and store them. The server itself does not perform deep validation of tool arguments, deferring this to backend services.
Updated: 2026-01-02GitHub
25
3
Medium Cost
elad12390 icon
Sec8

Comprehensive web research and discovery for AI agents, including general web search, code examples, API documentation, package information, GitHub repository analysis, error troubleshooting, structured data extraction, technology comparison, changelog retrieval, and service health checks.

Setup Requirements

  • ⚠️Requires a running SearXNG instance (Docker recommended) on `http://localhost:2288` for core search functionality.
  • ⚠️Requires Python 3.10+.
  • ⚠️Requires Playwright browsers to be installed (`uv run crawl4ai-setup`) for `crawl_url` tool.
  • ⚠️Optional `PIXABAY_API_KEY` is needed for `search_images` tool to function.
  • ⚠️Optional `GITHUB_TOKEN` is recommended for `github_repo` and `get_changelog` to avoid GitHub API rate limits.
Verified SafeView Analysis
The server uses `httpx.AsyncClient` for external network calls, with configured timeouts. It relies on `crawl4ai` for crawling arbitrary URLs, which is an inherent risk for any crawling tool, but it manages `max_chars` limits and explicitly warns users about crawling trusted sources in `SECURITY.md`. API keys (`PIXABAY_API_KEY`, `GITHUB_TOKEN`) are loaded from environment variables, preventing hardcoding. Usage analytics are stored locally and do not contain sensitive data. The project emphasizes running the dependent SearXNG instance locally. No 'eval' or obfuscation is present.
Updated: 2026-01-02GitHub
25
25
High Cost
onkernel icon
Sec8

Provides AI assistants with secure access to Kernel platform tools for browser automation, app deployment, and monitoring.

Setup Requirements

  • ⚠️Requires 'bun' as the package manager for all dependency management operations.
  • ⚠️Requires a Redis instance for temporary storage of organization context and token mappings.
  • ⚠️Requires access to specific environment variables (e.g., Clerk secrets, Kernel client IDs, Mintlify tokens) which are noted as being in '1Password > DevEnvVars > MCP section', implying they are not publicly available or require specific registration/credentials.
Verified SafeView Analysis
The server implements OAuth 2.0 authentication via Clerk, using environment variables for all sensitive keys (Clerk secret, Redis URL, API tokens). JWTs and refresh tokens are hashed before storage in Redis, with proper TTL management. Route protection is enforced via Clerk middleware. The 'execute_playwright_code' tool allows AI agents to submit arbitrary Playwright/TypeScript code, which is then executed remotely on the Kernel platform in a sandboxed environment, not on the MCP server itself. While this is a powerful feature, the risk is shifted to the robustness of Kernel's remote sandboxing rather than a direct vulnerability within this server's codebase. No 'eval' or direct obfuscation found. Network communications with external services are standard. The use of plain API keys (if not JWT-formatted) is less robust than JWTs but relies on TLS.
Updated: 2025-12-23GitHub
25
42
Low Cost
Azure-Samples icon
Sec9

Hosts remote Model Context Protocol (MCP) servers built with Python SDK on Azure Functions as custom handlers for AI agent tools.

Setup Requirements

  • ⚠️Requires an Azure subscription and permissions to create a Microsoft Entra app.
  • ⚠️Specific CLI tools are required: Azure Developer CLI (azd), Azure Functions Core Tools (func), and uv (Python package installer).
  • ⚠️The `get_user_info` tool, demonstrating OBO flow, requires deployment to Azure and will not work in local development without additional configuration.
Verified SafeView Analysis
The server correctly uses environment variables for sensitive configuration and implements a standard On-Behalf-Of (OBO) flow for Microsoft Graph API access, extracting tokens from headers. It makes calls to legitimate external APIs (NWS, Microsoft Graph). No 'eval' or other directly dangerous patterns are present. The primary security considerations are proper Azure configuration and secret management for the environment variables.
Updated: 2025-12-16GitHub
25
7
Medium Cost
chrisleekr icon
Sec8

A playground and reference implementation for a Model Context Protocol (MCP) server, featuring streamable HTTP transport, OAuth proxy for third-party authorization servers like Auth0, and stateful session management.

Setup Requirements

  • ⚠️Requires Docker for Valkey (Redis-compatible) storage, essential for stateful sessions across multiple server instances.
  • ⚠️Requires extensive AWS credentials and configuration (region, profile/keys) for `aws-ecs` and `aws-s3` tools, including separate settings for AWS Bedrock.
  • ⚠️Requires a full Auth0 application and API setup (domain, client ID, client secret, audience, scope) if OAuth authentication is enabled.
Verified SafeView Analysis
The server uses standard security practices for Express applications, including `helmet` for security headers and `express-rate-limit` for rate limiting. Input validation is rigorously enforced using Zod schemas for all tool and API inputs, significantly reducing injection risks. Secrets such as JWT keys and Auth0 credentials are designed to be loaded from environment variables, preventing hardcoding. The OAuth proxy implementation addresses the security concerns of dynamic client registration by delegating authorization to a third-party provider (Auth0) while managing local client registration and token flows using PKCE. The CORS header `Access-Control-Allow-Origin: *` is broadly permissive, which is acceptable for a 'playground' but would typically be narrowed in a production environment. The integration with AWS Bedrock for the `aws-ecs` tool has a maximum output token limit, and the prompt construction relies on stringifying internal data, reducing direct injection risk into the LLM prompt itself.
Updated: 2025-12-31GitHub
25
10
Medium Cost
LGDiMaggio icon
Sec9

The server provides tools for industrial machinery diagnostics, vibration analysis, bearing fault detection, and predictive maintenance workflows using time-series signal processing and machine learning, integrated with LLMs.

Setup Requirements

  • ⚠️Requires Python 3.11 or 3.12.
  • ⚠️PDF reading functionality depends on PyPDF2, which is an optional dependency and will disable PDF features if not installed.
  • ⚠️When configuring for Claude Desktop, absolute paths to the Python executable within the virtual environment and the server script are critical to avoid common setup issues.
Verified SafeView Analysis
The server demonstrates good security practices by explicitly informing the user about critical parameter assumptions (e.g., sampling_rate, signal_unit) and requiring confirmation. It avoids `eval()` and direct network calls to external APIs, focusing on local file processing. Filename sanitization (`safe_name`) is used for reports to mitigate path traversal risks. The primary security considerations are standard for any application interacting with a local filesystem and processing user-provided documents, such as managing access permissions to data/report/model directories and exercising caution when processing untrusted PDF files due to potential PyPDF2 vulnerabilities.
Updated: 2025-12-27GitHub
25
34
Medium Cost
CodeLogicIncEngineering icon

codelogic-mcp-server

by CodeLogicIncEngineering

Sec8

The server integrates CodeLogic's rich software dependency data with AI programming assistants to provide code and database impact analysis.

Setup Requirements

  • ⚠️Requires Astral UV to be installed to run the server via 'uvx'.
  • ⚠️Requires Python 3.13 or newer (`requires-python = ">=3.13"`).
  • ⚠️Requires configuration of specific environment variables (CODELOGIC_SERVER_HOST, CODELOGIC_USERNAME, CODELOGIC_PASSWORD, CODELOGIC_WORKSPACE_NAME) for API access.
  • ⚠️For versions 0.4.0 and above, it requires CodeLogic API version 25.10.0 or greater.
Verified SafeView Analysis
The server securely handles credentials by loading them from environment variables (CODELOGIC_USERNAME, CODELOGIC_PASSWORD) and uses standard Bearer token authentication for API calls. It uses `httpx` for network requests with configured timeouts and retries, and `urllib.parse.quote` for URL-encoding workspace names. There are no obvious hardcoded secrets, `eval` statements, or malicious patterns. The primary security risks are related to the security of the configured external `CODELOGIC_SERVER_HOST` and the integrity of the provided credentials.
Updated: 2025-12-23GitHub
25
1
Medium Cost
oguzc icon
Sec9

An intelligent Model Context Protocol (MCP) server that guides developers through creating professional Playwright test suites with built-in best practices.

Setup Requirements

  • ⚠️Requires Node.js 18 or higher.
  • ⚠️Requires an MCP-compatible client (e.g., GitHub Copilot, Claude Desktop, Cline) to interact with the server; it cannot be used standalone.
Verified SafeView Analysis
The server primarily loads and serves pre-defined markdown prompt files using `fs/promises.readFile` from specific, local `.github/prompts/` paths. This approach inherently limits exposure to arbitrary file access or command injection. No direct use of `eval` or arbitrary `child_process` execution is observed. The `readPromptFile` function's fallback to `process.cwd()` for prompt files, while generally safe due to fixed prompt names, could theoretically be a minor concern in highly specific, hostile environments where process.cwd() is manipulated and arbitrary tool names could be requested, but this is unlikely for its intended use within an MCP client.
Updated: 2025-11-19GitHub
25
1
Medium Cost
quanticsoul4772 icon

mcp-server-win-cli

by quanticsoul4772

Sec9

MCP server for secure command-line interactions on Windows systems, enabling controlled access to PowerShell, CMD, Git Bash shells, and remote systems via SSH. It allows MCP clients (like Claude Desktop) to perform operations on your system.

Setup Requirements

  • ⚠️Requires Windows OS for full functionality and shell testing.
  • ⚠️Git for Windows must be installed to use the Git Bash shell.
  • ⚠️WSL (Windows Subsystem for Linux) must be installed and configured for WSL path support in SFTP operations.
  • ⚠️Many security-sensitive features (e.g., SSH, process listing) require explicit opt-in and careful configuration in 'config.json'. The 'allowedPaths' configuration uses an INTERSECTION merge strategy, meaning paths must be in both default and custom config to be allowed, which can result in zero allowed paths if not configured carefully. SSH private keys cannot be passphrase-protected.
Verified SafeView Analysis
The project demonstrates an extremely strong security posture with a 'security-first' and 'fail-closed' design. It implements a multi-stage (9-step) command validation pipeline, including advanced Unicode attack detection (e.g., BiDi control characters, homoglyphs, zero-width characters, PowerShell Unicode quotes), explicit blocking of dangerous commands and arguments, strict path canonicalization and restriction (intersection-merged allowedPaths, TOCTOU protection), and comprehensive error message sanitization to prevent information disclosure. SSH connections enforce host key verification (TOFU/strict mode) and network diagnostic tools include SSRF and port scanning protection (IP range blocking, port whitelisting). Environment variable access is controlled via configurable blocklists/allowlists, and values are validated for dangerous content. Process listing is disabled by default due to its security implications. While highly robust, no system handling direct CLI access can be entirely impenetrable, hence a 9/10.
Updated: 2025-11-19GitHub
PreviousPage 240 of 713Next