Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost

astrology-mcp

by starfoxbeta

Sec8

Provides astrological natal chart calculations by integrating with an external API.

Setup Requirements

  • ⚠️ Requires Node.js 18+ to run.
  • ⚠️ Requires an external astrology API for real calculations; otherwise, it returns mock data. (ASTROLOGY_API_URL, ASTROLOGY_API_KEY)

Verified Safe
The server uses environment variables for API keys (`ASTROLOGY_API_KEY`), which is good practice. Input parameters are validated using `zod`. No `eval` or obvious malicious patterns were found in the provided source code. The primary security consideration is the reliability and trustworthiness of the external astrology API it connects to, which is configurable by the user.
Updated: 2026-01-16

Medium Cost

Deploys an unauthenticated remote Model Context Protocol (MCP) server on Cloudflare Workers, providing real-time UK train information via six specialized tools.

Setup Requirements

  • ⚠️ Requires active (likely paid) Realtime Trains API credentials.
  • ⚠️ Requires a Cloudflare Workers environment for deployment.
  • ⚠️ The server is explicitly 'authless' for client connections, meaning no authentication is required to access its tools once deployed.

Review Required
CRITICAL: The Realtime Trains API username and password (`API_USERNAME`, `API_PASSWORD`) are hardcoded directly in `src/index.ts`. This means that if the server is deployed, these credentials will be publicly exposed in the source code visible via the worker's URL or potentially through other means. This presents a severe security vulnerability, as anyone could extract and misuse these API keys.
Updated: 2025-12-04

Low Cost

portainer-mcp-server

by DoubtfulTurnip

Sec7

This server acts as an API proxy or gateway, enabling multi-cluster management by routing requests to different target URLs based on dynamic configuration.

Setup Requirements

  • ⚠️ Requires `API_KEY` environment variable for authentication and secure operation.
  • ⚠️ Requires a Node.js runtime environment.
  • ⚠️ The process needs write access to the `configs/` directory to manage configurations.

Verified Safe
The server's core functionality is an API proxy, which inherently carries risks like SSRF if not properly secured. It employs a global API key authentication middleware (`x-api-key`), which is crucial for protecting both configuration management and the proxy itself. No 'eval' or obfuscation found. Hardcoded secrets are avoided by using environment variables (e.g., API_KEY). The main security consideration is the strength of the API key itself and the trust placed in authenticated users, as they can direct the proxy to arbitrary target URLs. Robust input validation for target URLs is essential.
Updated: 2025-11-24

Low Cost

Simple-MCP

by ameympatil

Sec9

Demonstrates building and exposing simple tools (dice rolling, arithmetic) via the Model Context Protocol (MCP) using Python and fastmcp for AI clients like Claude Desktop.

Setup Requirements

  • ⚠️ Requires Python 3.13+
  • ⚠️ Requires `uv` package manager

Verified Safe
The server exposes basic arithmetic and dice rolling tools. No `eval()` or `exec()` is used, and no hardcoded secrets are present in the provided source code. The default `0.0.0.0:8000` binding (when run directly via `main.py`) is standard for local development but would require proper network isolation if deployed in a production environment. The `fastmcp` framework itself would handle the underlying protocol security.
Updated: 2025-12-24

Low Cost

mcp-server-ux-writing

by coldtatooine

Sec9

This server provides a RESTful API and real-time updates for managing UX content (text, status, versions) across different projects, with authentication and persistence in MongoDB.

Setup Requirements

  • ⚠️ Requires a running MongoDB instance accessible via MONGO_URI.
  • ⚠️ Requires environment variables MONGO_URI and JWT_SECRET to be set.

Verified Safe
The project uses `dotenv` for environment variables, preventing hardcoded secrets. It implements `helmet` for common web vulnerabilities and `cors` for controlled access. Authentication relies on JWTs with `bcrypt` for password hashing, indicating good security practices. No `eval` or obvious malicious patterns were detected, and standard libraries are used. Proper error handling and logging (Winston) are present.
Updated: 2025-11-23

Medium Cost
Sec5

A server-side application primarily for development and experimentation purposes.

Review Required
Source code was not provided in the prompt, therefore a comprehensive security audit could not be performed for 'eval', obfuscation, network risks, hardcoded secrets, or malicious patterns. The score reflects an unknown security posture.
Updated: 2025-11-20

Medium Cost

manuals-mcp

by rmrfslashbin

Sec7

An MCP server to access and manage hardware and software documentation, including device details, pinouts, specifications, and full-text search, by connecting to a Manuals REST API backend.

Setup Requirements

  • ⚠️ Requires a running instance of the Manuals REST API to connect to.
  • ⚠️ Requires a Manuals API Key for full read/write and administrative features (read-only is anonymous).
  • ⚠️ The `upload_file` and `publish` tools can read arbitrary files from the local filesystem based on AI input, which may pose a security risk for information disclosure.

Review Required
The server correctly uses environment variables or a configuration file for sensitive API keys, avoiding hardcoding. It acts as an API client, not exposing direct network ports for external interaction. However, the `upload_file` and `publish` tools accept a `local_path` argument from the AI model to read files from the local filesystem. This could pose an information disclosure risk if a malicious or compromised AI requests sensitive local files that the MCP server process has permission to read (e.g., `/etc/passwd`, user configuration files) without any explicit path sanitization or restrictions in the provided code. The server itself does not contain `eval` or `os/exec` patterns that would directly lead to arbitrary code execution based on AI input, making the primary risk information exfiltration via `local_path` if an untrusted AI is used.
Updated: 2025-12-14

High Cost

aeo

by NoCodeify

Sec9

Performs Answer Engine Optimization (AEO) audits across ChatGPT, Gemini, and Google Search, comparing LLM responses, extracting citations, and generating comprehensive brand audit reports with detailed analysis.

Setup Requirements

  • ⚠️ Requires paid API keys for OpenAI, Google GenAI, and ScrapingBee.
  • ⚠️ Requires manual configuration in the Claude Code config file (~/.claude/claude_desktop_config.json).
  • ⚠️ Calls to 'run_brand_audit' execute 8 queries across 3 engines (ChatGPT, Gemini, Google Search), incurring significant costs due to multiple LLM inferences and web scrapes.

Verified Safe
API keys are properly handled via environment variables. Input parameters for tools are validated using Zod, mitigating some injection risks to the external APIs. Network calls are made to trusted external APIs (OpenAI, Google GenAI, ScrapingBee). No critical security vulnerabilities like 'eval' or direct arbitrary file system access are identified in the provided truncated code.
Updated: 2026-01-19

Medium Cost

mcp-wp-abilities

by aplaceforallmystuff

Sec9

Exposes WordPress 6.9+ Abilities API as AI-accessible tools for dynamic interaction with a WordPress site.

Setup Requirements

  • ⚠️ Requires Node.js 18+
  • ⚠️ Requires WordPress 6.9+ with the Abilities API enabled
  • ⚠️ Requires a WordPress Application Password for authentication

Verified Safe
The server relies on WordPress Application Passwords for authentication, which grants full API access for the associated user. The README correctly advises using a dedicated user with minimal required capabilities and storing credentials securely via environment variables. No 'eval' or obvious code injection vulnerabilities were found. Input validation is delegated to the WordPress Abilities API itself, which is a standard practice.
Updated: 2026-01-16

Low Cost

fcp-mcp-server

by DareDev256

Sec9

This server enables AI assistants to interact with and control Final Cut Pro projects through natural language by parsing and modifying FCPXML files.

Setup Requirements

  • ⚠️ Requires Python 3.10+
  • ⚠️ Requires an MCP-compatible AI client (e.g., Claude Desktop)
  • ⚠️ Requires Final Cut Pro 10.4+ (for FCPXML compatibility)

Verified Safe
The server primarily operates on local FCPXML files, limiting external attack surfaces. It uses standard Python libraries for XML parsing and file system interaction (pathlib), without obvious signs of direct shell command execution, 'eval' or 'exec', or hardcoded secrets. File paths are derived from an environment variable or directly passed as tool arguments, implying that the AI client is a trusted orchestrator. The main risk would stem from malicious FCPXML files themselves, which are assumed to be sourced by the user.
Updated: 2026-01-18

High Cost

mcp-servers

by UzmaFateh

Sec5

Manages and runs Minecraft servers, likely with custom modifications or enhanced features given the 'MCP' (Mod Coder Pack) context.

Setup Requirements

  • ⚠️ Requires a Java Runtime Environment (JRE) installed
  • ⚠️ Can be highly demanding on CPU and RAM resources
  • ⚠️ May require port forwarding for external multiplayer access

Review Required
A thorough security audit could not be performed as no source code was provided for analysis. Without access to the code, it's impossible to check for dangerous patterns like 'eval', obfuscation, hardcoded secrets, network risks, or malicious logic. The score is a neutral placeholder reflecting this lack of information.
Updated: 2025-12-05

Medium Cost

Zantrix

by ankitk090-lang

Sec7

Provides a suite of cybersecurity diagnostic and network analysis tools that integrate with MCP clients like Claude Desktop.

Setup Requirements

  • ⚠️ Requires Node.js (v16 or higher) and npm.
  • ⚠️ Requires an MCP client (e.g., Claude Desktop) and manual configuration of its `mcpServers` config file, including providing the absolute path to the server's `dist/index.js` file.

Verified Safe
The server's core functionality involves performing network requests to user-provided IPs/domains/URLs (e.g., trace_ip, scan_network, analyze_headers, dns_lookup, whois_lookup, ssl_inspector, find_subdomains, check_robots) and accessing local file paths (e.g., scan_files, hash_file, search_logs). While these are the intended security features, they inherently grant the integrated AI powerful capabilities for local file system interaction and external/internal network reconnaissance from the user's machine. This means a malicious or compromised AI, or a user tricked by a prompt, could potentially misuse these tools to read sensitive local files (e.g., scan_files, search_logs) or perform network activities. No 'eval' or direct self-executing malicious patterns are found in the server's own code; 'eval' is used as a *pattern to detect* in `scanFiles.ts`. No hardcoded secrets were identified. The `@ts-ignore` for the 'whois' library is a minor code quality note but not a direct security vulnerability.
Updated: 2025-12-03