Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

Vetted Servers (8554)

24
1
Medium Cost

atproto-mcp

by cameronrye

Sec9

Provides LLMs with direct access to the AT Protocol ecosystem, enabling seamless interaction with Bluesky and other AT Protocol-based social networks.

Setup Requirements

  • ⚠️Requires Node.js 20.0.0 or higher.
  • ⚠️Requires pnpm for package management.
  • ⚠️Full functionality (write operations, private data, feeds) requires authentication via either ATPROTO_IDENTIFIER/ATPROTO_PASSWORD (app password) or OAUTH_CLIENT_ID/OAUTH_CLIENT_SECRET/OAUTH_REDIRECT_URI (OAuth), which need to be obtained and configured as environment variables.
  • ⚠️OAuth authentication requires obtaining client credentials (ID, secret, redirect URI) from the AT Protocol provider (e.g., Bluesky) and configuring them.
Verified Safe
The server demonstrates strong security practices, including extensive use of Zod for input validation, reliance on environment variables for sensitive configurations (e.g., OAuth client secrets, AT Protocol passwords), and a dedicated `SecurityManager` for input/error sanitization and rate limiting. It avoids dangerous patterns like `eval` and `child_process.exec` in core server logic (uses `spawn` for internal CLI/health checks). The primary interaction model is over STDIN/STDOUT, reducing direct network attack surface for the MCP protocol itself. Potential risks, such as handling `ATPROTO_PASSWORD` in 'app-password' mode, are inherent to the chosen authentication method rather than flaws in the server's implementation. Overall, it's well-engineered for secure operation as a trusted bridge component.
Updated: 2025-11-19
24
1
Medium Cost
Sec8

Interacts with Printables.com to search for 3D models, retrieve associated downloadable files, and scrape model descriptions.

Setup Requirements

  • ⚠️Requires Python 3.8+.
  • ⚠️Requires installing Python dependencies via `pip install -r requirements.txt`.
  • ⚠️Requires an MCP client to interact with the server (e.g., VSCode MCP extension).
  • ⚠️Relies on the Printables.com API and website structure, which may change and break functionality.
Verified Safe
The server primarily uses `requests` for GraphQL API interactions and `cloudscraper` with `BeautifulSoup` for web scraping. No 'eval' or other direct code execution vulnerabilities were found. Input validation for search parameters (limit, ordering) is present. The web scraping component parses untrusted HTML, which always carries a minor inherent risk of parsing vulnerabilities, though `BeautifulSoup` is generally robust. No hardcoded secrets were identified.
Updated: 2025-11-18
24
1
Medium Cost

magic-the-gathering-mcp

by AImaginationLab

Sec8

Provides an MCP (Model-Client-Protocol) server to integrate Magic: The Gathering card data and analysis tools with AI-powered client applications for deck building assistance, synergy finding, and strategy analysis.

Setup Requirements

  • ⚠️Requires Python 3.11+.
  • ⚠️Requires 'uv' package manager for installation and execution.
  • ⚠️Initial setup requires downloading a ~350MB+ MTG database and other data sources, necessitating an internet connection and potentially taking some time.
  • ⚠️Designed to integrate with MCP-compatible clients, such as Claude Desktop, for AI-powered assistance.
Verified Safe
The server is designed for local MCP client integration (e.g., Claude Desktop), limiting its exposure. It uses `aiosqlite` for database access with a `QueryBuilder` suggesting parameterized queries to mitigate SQL injection. External data is sourced from reputable APIs (Scryfall, MTGJson, GitHub releases) via `httpx` with proper status checks and streaming JSON parsing (`ijson`) to prevent large file attacks. No obvious hardcoded secrets or malicious patterns are present in the provided snippets. Reliance on third-party data sources and local filesystem interaction introduces general, but managed, risks.
Updated: 2026-01-04
24
4
High Cost
Sec8

Transforms static images and audio into realistic talking head videos using state-of-the-art deep learning models for production-grade avatar video generation and on-demand rendering. It supports both real-time streaming and high-quality content creation.

Setup Requirements

  • ⚠️Requires Python 3.11 or 3.12.
  • ⚠️High-quality rendering mode critically requires an NVIDIA GPU with CUDA 12.4+ and FFmpeg with NVENC support.
  • ⚠️Requires downloading approximately 3GB+ of large AI model weights (`make download-models`).
  • ⚠️The Chatterbox TTS server (`app/tts/chatterbox_server.py`) must be running separately for text-to-audio functionality.
  • ⚠️Specific Python package versions are crucial for compatibility, notably `numpy<2.0.0`, `librosa>=0.9.2,<0.10.0` for Wav2Lip and SadTalker components.
  • ⚠️Requires `guided_diffusion` to be manually installed from its GitHub repository for Diff2Lip functionality (`pip install git+https://github.com/openai/guided-diffusion.git`).
Verified Safe
The system heavily relies on `subprocess` calls (e.g., `ffmpeg`, `mfa`) and dynamic module loading for external AI models. While essential for its functionality, these mechanisms could pose a risk if input paths or data were maliciously crafted by an attacker; however, the codebase appears to primarily use internally generated or validated file paths, mitigating direct user-controlled exploits. Network communication to the Chatterbox TTS server is to a configurable URL, defaulting to `localhost`, reducing external network exposure risks. File uploads are directed to unique, UUID-named temporary directories, preventing common path traversal vulnerabilities.
Updated: 2026-01-01
24
2
Medium Cost

nba_mcp_server

by labeveryday

Sec8

Provides a Model Context Protocol (MCP) server that offers 30 tools to access comprehensive NBA statistics, including live scores, player and team data, and advanced analytics for agents and UIs.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️Requires an MCP-compatible client (e.g., Claude Desktop, Strands).
  • ⚠️Live NBA API endpoints may occasionally return 403 errors in some environments, though the server attempts a fallback to alternative stats APIs.
  • ⚠️Users might encounter a PermissionError related to TLS certificates on macOS; this can be mitigated by setting NBA_MCP_TLS_VERIFY=0 (not recommended for production).
Verified Safe
The server defaults to TLS verification for API calls. An explicit environment variable (NBA_MCP_TLS_VERIFY=0) can disable this, which is not recommended for security but might be necessary in some constrained environments (e.g., specific macOS privacy contexts) to resolve PermissionError when reading CA bundles. Subprocess calls are used for internal testing mechanisms, not core server operation. No obvious hardcoded secrets or malicious patterns.
Updated: 2026-01-03
24
1
Medium Cost

magic-the-gathering-toolkit

by AImaginationLab

Sec9

Provides an MCP server for AI-powered Magic: The Gathering deck building assistance, card search, and synergy/combo discovery.

Setup Requirements

  • ⚠️Requires Python 3.11+ and 'uv' package manager.
  • ⚠️Initial setup involves downloading large data files (~350MB Scryfall bulk data, MTGJson, and combo database) and building local SQLite databases, which requires an internet connection and can take several minutes.
  • ⚠️The TUI client, while not the MCP server itself, requires a terminal with true color support for optimal display.
Verified Safe
The project adheres to good security practices, utilizing Pydantic for input validation in API endpoints and `aiosqlite` with parameterized queries to prevent SQL injection. Network requests for data sources (Scryfall, MTGJson, GitHub releases) are directed to trusted, hardcoded URLs. The synergy and combo detection mechanisms use regular expressions derived from static, developer-controlled JSON files, mitigating ReDoS risks from user input. There are no apparent hardcoded secrets or direct shell command executions based on unvalidated user input. The server is designed for local integration with MCP clients, limiting external attack surface.
Updated: 2026-01-04
24
7
Medium Cost

my_stock_mcp_server

by DannyWongIsAvailable

Sec9

Provides real-time stock data and analysis tools for AI models by scraping EastMoney.com.

Setup Requirements

  • ⚠️Requires Python 3.12+.
  • ⚠️The setup instructions recommend and use the `uv` package manager.
  • ⚠️Reliant on web scraping EastMoney.com and SZSE.cn APIs, which may be unstable or break due to website changes.
  • ⚠️Restricted to personal study and research; commercial use is prohibited as per the README.
Verified Safe
The server primarily relies on web scraping public-facing APIs from EastMoney.com and szse.cn. It correctly uses `requests` and `json.loads` for parsing JSONP, mitigating `eval` risks. No apparent hardcoded sensitive secrets or malicious patterns were found. The 'ut' and 'cb' parameters in crawler requests appear to be public API identifiers rather than confidential tokens. However, web scraping inherently depends on external website structures remaining stable; changes could lead to data fetching failures, though not a direct security vulnerability of the server code itself.
Updated: 2025-12-27
24
5
High Cost
Sec3

AI-powered Security Operations Center (SOC) agent for incident response, case management, SIEM, EDR, CTI, and engineering task orchestration.

Setup Requirements

  • ⚠️Requires an OpenAI API key (or compatible LLM) for core AI agent functionality.
  • ⚠️Requires configured instances of multiple external security platforms: Case Management (IRIS/TheHive), SIEM (Elasticsearch), EDR (Elastic Defend), CTI (OpenCTI/Local TIP), and Engineering task boards (Trello/ClickUp/GitHub).
  • ⚠️Relies on an external `cursor-agent` binary being installed and accessible in the system's PATH, which acts as a coding AI assistant.
  • ⚠️Python 3.8+ is generally expected, as the codebase uses modern Python features and type hints.
Review Required
The `_run_cursor_agent` function in `src/ai_controller/agent_executor.py` executes an external `cursor-agent` command using `subprocess.run` with `prompt_text` directly included in the arguments. If `prompt_text` can be influenced by untrusted input, this poses a severe command injection vulnerability. While the system typically generates prompts internally, any exposure to external users could be critical. Additionally, the `ElasticSIEMClient` allows passing raw Elasticsearch Query DSL, which, if not properly validated by the underlying Elasticsearch API, could lead to powerful but potentially malicious queries (e.g., data exfiltration, denial of service). The system also handles various API keys and tokens for numerous integrations, necessitating robust secrets management.
Updated: 2025-12-28
24
1
Medium Cost
Sec8

Exposes EOD Historical Data APIs as an MCP server for AI clients to access financial market data.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️Requires a valid EODHD API key (set via EODHD_API_KEY environment variable or --apikey CLI argument).
  • ⚠️The 'websockets' Python package is required for real-time data capture; ensure it's installed (e.g., `pip install websockets`).
Verified Safe
The server includes good input validation across its tool functions, helping to prevent malformed requests. API keys are handled via environment variables or CLI arguments, and URL parameters are safely encoded using `quote_plus`. There are no apparent uses of `eval`, `exec`, or other highly dangerous functions without clear justification. The `api_client.py` transparently resolves the EODHD token from incoming query parameters (if present) or environment variables. No hardcoded secrets (besides the public 'demo' key) were found. The primary security considerations revolve around the proper securing of the EODHD API key by the user and the inherent risks of making external network requests.
Updated: 2026-01-06
24
10
High Cost

cross-llm-mcp

by JamesANZ

Sec9

Provides unified access to multiple Large Language Model APIs (ChatGPT, Claude, DeepSeek, Gemini, Grok, Kimi, Perplexity, Mistral) for AI coding environments, enabling intelligent model selection, preferences, and prompt logging.

Setup Requirements

  • ⚠️Requires API keys for each LLM provider (e.g., OPENAI_API_KEY, ANTHROPIC_API_KEY), which may involve paid subscriptions.
  • ⚠️Requires Node.js 18+ and npm to be installed.
  • ⚠️Manual configuration for clients like Claude Desktop may require adjusting absolute paths to the server's executable.
  • ⚠️The 'call-all-llms' feature can lead to high token consumption if multiple LLM APIs are active simultaneously.
Verified Safe
The server follows standard practices for handling API keys via environment variables and stores user preferences and prompt logs locally using SQLite in user-specific configuration directories. It relies on the MCP SDK for inter-process communication (stdio) and uses HTTPS for external LLM API calls. No 'eval' or obvious malicious patterns were found. Local storage of prompts and responses means data resides on the user's machine, which is generally secure, but users should be aware of this local data persistence.
Updated: 2025-12-29
24
1
Medium Cost

mcpscanner

by pangeacyber

Sec9

Analyzes MCP servers by discovering configuration files, fetching available tools and resources, scanning them for security risks using Pangea AI Guard, and reporting findings including tool similarities and changes.

Setup Requirements

  • ⚠️Requires Pangea AI token (PANGEA_AI_GUARD_TOKEN) for a paid service.
  • ⚠️Requires Python 3.11 or newer.
  • ⚠️Relies on pre-existing MCP server configuration files from tools like Cursor or Codeium to automatically discover servers.
Verified Safe
The server appears to be designed with security in mind. It uses environment variables for sensitive API tokens (PANGEA_AI_GUARD_TOKEN) and explicitly integrates with a security service (Pangea AI Guard) to scan discovered tools. There are no obvious signs of 'eval', obfuscation, or hardcoded secrets. Network interactions are for legitimate scanning purposes. The primary security risks would stem from the inherent trust placed in the external MCP servers being scanned and the Pangea API.
Updated: 2026-01-05
24
6
Medium Cost

robocop-mcp

by aaltat

Sec9

Helps users resolve static code analysis errors and warnings in Robot Framework files using an LLM by providing reports and fix suggestions.

Setup Requirements

  • ⚠️Requires Python 3.10.11 or higher.
  • ⚠️Requires specific VS Code Copilot Chat setup and an `mcp.json` configuration.
  • ⚠️Configuration for `robocop-mcp` is done via `[tool.robocop_mcp]` section in `pyproject.toml` or environment variables (`ROBOCOPMCP_CONFIG_FILE`, `ROBOCOPMCP_ROBOCOP_CONFIG_FILE`).
Verified Safe
The server primarily executes the `robocop` linter/formatter on provided file paths. Paths are handled as `pathlib.Path` objects and passed as arguments to `robocop`'s Python functions, which is generally safer than direct shell execution. No direct `eval` or arbitrary code execution from user input is observed. The main security considerations would be the integrity of the `robocop` library itself, or potential symlink attacks if `robocop` were vulnerable to them when processing user-controlled file paths. No hardcoded secrets or explicit network risks are apparent in the analyzed code.
Updated: 2025-12-29