Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

0
0
Low Cost
prateekmulye icon

mcp-server-client-demo

by prateekmulye

Sec9

This project demonstrates the integration of custom Micro-Core Protocol (MCP) servers providing tools with a LangChain client.

Setup Requirements

  • ⚠️Requires OpenAI API Key (Paid)
  • ⚠️Requires Python 3.13 or newer
Verified SafeView Analysis
The provided code is simple and does not contain obvious security risks such as `eval`, `exec`, or hardcoded credentials. It properly uses `python-dotenv` for API keys. The exposed functions perform basic arithmetic and return a hardcoded string. Security would largely depend on the `mcp.server.fastmcp` framework's implementation, which is not fully visible.
Updated: 2025-12-01GitHub
0
0
High Cost
Sec8

Real-time anti-cheat server utilizing AI (GPT-4, MiniMax M2) to detect cheating patterns and suspicious activity in games.

Setup Requirements

  • ⚠️Requires Node.js >= 18.0.0
  • ⚠️Requires Discord Bot Token, Application ID, and Owner ID for core functionality.
  • ⚠️OpenAI API Key required for GPT-4 features (paid service).
  • ⚠️MiniMax API Key required for MiniMax M2 features (paid service).
Verified SafeView Analysis
This anti-cheat server requires deep system access (memory, network, processes, registry) for its core functionality. The project states adherence to privacy principles (no permanent data storage, anonymous analysis, encrypted communication, no API keys in logs) to mitigate associated risks. No explicit `eval` or obfuscation detected, suggesting a relatively safe implementation given its purpose. However, running any anti-cheat system always implies granting high privileges to the software.
Updated: 2025-11-23GitHub
0
0
Low Cost
azzizulhakim810 icon

Basic_Mcp_Server

by azzizulhakim810

Sec8

A Model Context Protocol (MCP) server providing basic utilities like arithmetic, conversational prompts, and Google Calendar integration for AI agent consumption.

Setup Requirements

  • ⚠️Requires a Google API Key (needs Google Cloud project setup).
  • ⚠️Requires a specific Google Calendar ID to access event data.
  • ⚠️Requires `npm install` to set up dependencies and `npm run build` to compile TypeScript.
Verified SafeView Analysis
The server correctly uses environment variables (`process.env`) for sensitive information like the Google API Key and Calendar ID, preventing hardcoding. No 'eval' or obfuscation is present. The primary security consideration is the secure management of these environment variables in the deployment environment. The naming `GOOGLE_PUBLIC_API_KEY` for an authentication credential could be misleading, as such keys are typically sensitive and should not be publicly exposed.
Updated: 2025-12-09GitHub
0
0
Medium Cost
chef72max icon
Sec9

An AI-powered digital reading companion application that assists users with note-taking, highlighting, goal tracking, and provides AI-driven insights and summaries for various document types like PDFs and EPUBs.

Setup Requirements

  • ⚠️Requires Node.js 18+ to run the development server.
  • ⚠️AI features are currently placeholders ('TODO: Replace with actual AI API call') and require custom implementation and potential API key integration (e.g., OpenAI, Gemini) for full functionality, which would incur external costs.
Verified SafeView Analysis
The application primarily operates client-side, storing user data (books, notes, highlights) in IndexedDB and localStorage, which limits direct server-side vulnerabilities from the provided code. The AI features are currently placeholders, meaning actual AI API keys/integrations are not present and thus no hardcoded secrets or immediate network risks associated with AI calls exist in this version. File upload is simulated. Loading PDF worker from CDN (jsdelivr) is a common practice but relies on CDN integrity. Overall, the code appears to be clean and focuses on client-side functionality, making it relatively safe to run.
Updated: 2025-12-15GitHub
0
0
Medium Cost
prem676 icon
Sec2

Provides a semantically enriched search experience over AWS Cloudscape Design System documentation, leveraging AI to understand and retrieve information effectively.

Setup Requirements

  • ⚠️Requires Python 3.7 or later, 4GB RAM, and 200MB disk space.
  • ⚠️The `SentenceTransformer` model ('Alibaba-NLP/gte-multilingual-base') is downloaded on the first run of the ingestion script, requiring internet access.
  • ⚠️The installation and run commands in the provided README (e.g., `pip install -r https://raw.githubusercontent.com/...zip`, `python https://raw.githubusercontent.com/...zip`) appear to be malformed, pointing to a `.zip` file within a 'docs/components/badge' path rather than a `requirements.txt` or a Python script. This would prevent successful setup and execution.
  • ⚠️The `trust_remote_code=True` setting for `SentenceTransformer` is a significant security concern for ML supply chain attacks.
Review RequiredView Analysis
The ingestion script (`ingest.py`) uses `trust_remote_code=True` when loading the `SentenceTransformer` model. This is a critical supply chain security risk, as it allows arbitrary code execution if the referenced model on Hugging Face or its repository is compromised. More severely, the `cloudscape_read_doc` function exposed as an MCP tool takes a `file_path` argument directly from what can be user input or an AI agent. There is no input validation or sanitization, making the server vulnerable to Path Traversal attacks, allowing an attacker to read arbitrary files on the system (e.g., `/etc/passwd`, sensitive configuration files).
Updated: 2026-01-19GitHub
0
0
Medium Cost
Ujwalmahajan777 icon

test-mcp-server

by Ujwalmahajan777

Sec9

This server acts as an expense tracker, allowing users to add, list, and summarize personal financial expenses using a local SQLite database.

Setup Requirements

  • ⚠️Python 3.10+ required
Verified SafeView Analysis
SQL injection is effectively prevented by using parameterized queries for all database operations. The SQLite database is created in a temporary directory, mitigating risks related to persistent storage in sensitive locations. No 'eval' or obvious obfuscation is present. There are no hardcoded secrets or sensitive credentials. Error messages, while catching broad exceptions, provide a controlled message (`Database error: {str(e)}`) which is better than exposing full stack traces.
Updated: 2026-01-10GitHub
0
0
Low Cost
vab-labo icon

discord-mcp

by vab-labo

Sec9

This MCP server fetches messages from specified Discord channels, enabling an LLM to access and process Discord communication history.

Setup Requirements

  • ⚠️Requires a Discord Bot Token to be obtained from the Discord Developer Portal.
  • ⚠️The Discord Bot needs 'Read Message History' OAuth2 permission and must be invited to the target Discord server.
  • ⚠️The DISCORD_BOT_TOKEN must be set as an environment variable (e.g., in a .env file).
Verified SafeView Analysis
The code appears secure. It properly validates input parameters using Zod, handles the Discord Bot Token via environment variables (DISCORD_BOT_TOKEN), and limits the number of messages fetched (1-100) to prevent excessive load. No 'eval' or other dangerous dynamic code execution patterns were found. Interactions are limited to the Discord API via the official `@discordjs/rest` library, reducing custom network attack surface. The bot requires 'Read Message History' permission, which is appropriate for its function.
Updated: 2026-01-17GitHub
0
0
Medium Cost
larrygmaguire-hash icon

better-claude-mems

by larrygmaguire-hash

Sec9

Provides Claude Code with enhanced access to its conversation history, enabling search, summarization, and detailed retrieval of past coding sessions.

Setup Requirements

  • ⚠️Requires Node.js and npm to be installed.
  • ⚠️Manual configuration in `~/.claude.json` is required to integrate with Claude Code.
  • ⚠️Relies on existing Claude Code conversation history (`.jsonl` files) being present in `~/.claude/projects/` to function, otherwise tools will return empty results.
Verified SafeView Analysis
The server operates as a stdio (standard input/output) server, which inherently minimizes external network attack surfaces. No usage of `eval`, obfuscation, or hardcoded secrets was found. File system access is restricted to the `~/.claude/projects/` directory, and path handling for project directories appears to prevent path traversal vulnerabilities. While parsing `.jsonl` files always carries a minor risk of malformed input, the code's approach to data handling seems robust for its intended purpose.
Updated: 2026-01-18GitHub
0
0
Medium Cost
eh24905-wiz icon

github-mcp

by eh24905-wiz

Sec9

A Model Context Protocol (MCP) server for GitHub integration, enabling AI assistants to interact with GitHub repositories, pull requests, and issues.

Setup Requirements

  • ⚠️Requires Node.js >= 18.0.0.
  • ⚠️Requires a GitHub Personal Access Token (PAT) to be generated.
  • ⚠️The GitHub PAT must have 'repo' (full control of private repositories) and 'read:user' scopes, granting broad access.
Verified SafeView Analysis
The server uses `process.env.GITHUB_TOKEN` for authentication, preventing hardcoded secrets. Input validation is handled using `zod` schemas for each tool, mitigating common injection risks. All external communication is via HTTPS to the official GitHub API. The main security concern is the broad permissions (`repo`, `read:user`) required for the `GITHUB_TOKEN`, which is inherent to its functionality and noted in the README.
Updated: 2025-12-12GitHub
0
0
Medium Cost
vinod827 icon
Sec8

Enables AI agents and developer tools to securely interact with Reddit via the Model Context Protocol.

Setup Requirements

  • ⚠️Requires Reddit API application setup (Client ID, Client Secret, Redirect URI) for OAuth2 authentication.
  • ⚠️Node.js and npm must be installed on the system.
Verified SafeView Analysis
The README emphasizes human-in-the-loop actions, secure Reddit OAuth2, and scoped API permissions (`read`, `identity`, `submit` - the last with explicit human confirmation). No 'eval' or malicious patterns are evident in the provided README text. A full security audit would require reviewing the actual TypeScript/Node.js source code for implementation details, but the stated architecture and design principles prioritize safety and user consent.
Updated: 2025-12-05GitHub
0
0
Medium Cost
pea-sys icon

my-mcp-server

by pea-sys

Sec7

A framework for building and operating a Multi-Agent Communication Protocol (MCP) server, including utilities for development, debugging, monitoring, and error tracking.

Setup Requirements

  • ⚠️Requires Python 3.12.11 or newer.
  • ⚠️Potential typo/mismatch: `scripts/dev.sh` sets `ENABLE_REMOTE_DEBUG` but `src/debug_server.py` checks `ENABLE_REMOTE_DEBUGGER`, which would prevent debugging from `dev.sh` if not corrected.
  • ⚠️The `mcp` library, especially with its `[all]` extras, and suggested LLM integration in `e2e_tests`, implies the need for external AI service API keys which may incur costs.
Verified SafeView Analysis
Remote debugging is enabled on all network interfaces (0.0.0.0) if `ENABLE_REMOTE_DEBUGGER` is true, which could be a security risk without proper network segmentation (e.g., firewall). The example usage in `scripts/check_secret_access.py` shows a hardcoded GitHub token (`ghp_xxxxx`); in real deployments, tokens must be securely managed via environment variables or secrets management.
Updated: 2026-01-18GitHub
0
0
Medium Cost
Ayush9284 icon

openehr_mcp

by Ayush9284

Sec8

Acts as an intelligent bridge, enabling AI assistants to interact seamlessly with openEHR-compliant Electronic Health Record (EHR) systems for natural language access to healthcare data, and provides AI-powered medical coding suggestions.

Setup Requirements

  • ⚠️Requires Python 3.12+
  • ⚠️Docker & Docker Compose are required for EHRbase and Qdrant backend services.
  • ⚠️A manual step is required to load ICD-10 embeddings into Qdrant using `scripts/embedding.py` (requires a `diagnosis.csv` file), otherwise the `suggest_icd_codes` tool will not function.
  • ⚠️GEMINI_API_KEY is required for optional AI refinement in medical coding, which incurs usage costs.
Verified SafeView Analysis
The project uses environment variables for API keys (e.g., GEMINI_API_KEY) which is good practice. Default credentials (`postgres`/`postgres`, `ehrbase`/`ehrbase`) are hardcoded in `docker-compose.yml` for local development, which is a critical security risk if used in production or if exposed publicly. The `README.md` explicitly warns against exposing EHRbase or Qdrant ports to the internet without proper security. `subprocess.Popen` is used in test files, but not with user-controlled input, mitigating a common risk. JSON parsing from external input is handled, but no 'eval' or direct arbitrary code execution from user input was identified in the core server logic. Overall, security practices for sensitive information storage are good for development, but the default infrastructure credentials require careful consideration for any deployment beyond local testing.
Updated: 2025-12-14GitHub
PreviousPage 281 of 713Next