Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Medium Cost

mcp-server

by AamnaAnsari

Security score: 3

Provides a custom server for Minecraft clients to connect and interact with, likely offering custom gameplay, features, or modifications.

Review Required
Cannot perform a security audit as the source code was not provided. Without access to the code, it's impossible to check for malicious patterns, hardcoded secrets, 'eval' usage, or network vulnerabilities. Therefore, a low score is assigned due to unverified risk.
Updated: 2025-12-03 | GitHub
Low Cost

omnifocus-mcp

by bruvik

Security score: 8

Provides a Model Context Protocol (MCP) server to allow AI assistants (like Claude Code) to manage tasks in OmniFocus on macOS via AppleScript automation.

Setup Requirements

  • ⚠️ Requires macOS with OmniFocus installed and running.
  • ⚠️ Requires Python 3.11+.
  • ⚠️ Initial setup involves creating a Python virtual environment and installing dependencies.
Verified Safe
The server primarily uses `subprocess.run` to execute AppleScript commands (`osascript`). While the Python wrapper correctly passes arguments as a list to prevent shell injection, the security ultimately relies on the robustness of the AppleScripts and OmniFocus against potentially malicious input. Since the server is designed to run locally and interact with a trusted application, the risk is mitigated. No hardcoded secrets or arbitrary code execution (`eval`, `exec`) on user input were found in the Python codebase.
Updated: 2026-01-02 | GitHub
Medium Cost

mcp-spotty

by asmdrk

Security score: 6

An MCP server providing tools to interact with the Spotify API, allowing an AI agent to fetch currently playing songs or search for song details.

Setup Requirements

  • ⚠️ Requires Spotify API credentials (client ID and secret) to be obtained from the Spotify Developer Dashboard and set as environment variables.
  • ⚠️ A manual OAuth flow must be performed once by running `python3 src/get_token.py` to acquire and save the Spotify access token to 'token.json'. This involves opening a browser for user login and authorization.
  • ⚠️ The Spotify application's redirect URIs must be configured to match `http://127.0.0.1:3000/callback` (for token acquisition) and `http://127.0.0.1:3001/mcp` (for server operation).
Verified Safe
Spotify API credentials (client ID and secret) are correctly loaded from environment variables. However, the Spotify OAuth token is stored locally in 'token.json', which is a security risk if the server is deployed without proper token management (e.g., encryption, secrets manager, or a more robust refresh token flow). Debug-level logging by default could expose sensitive information. Hardcoded 'localhost' redirect URIs are suitable for local development but would need careful configuration and HTTPS for production deployment.
Updated: 2025-11-27 | GitHub
Medium Cost

mcp-server

by wireweave

Security score: 9

Enables AI assistants to generate, validate, render, and manage wireframes using the Wireweave DSL by providing a tool-based interface through the Model Context Protocol.

Setup Requirements

  • ⚠️ Requires a Wireweave API Key from dashboard.wireweave.org (Paid).
  • ⚠️ API Key must be set as `WIREWEAVE_API_KEY` environment variable.
  • ⚠️ Designed for integration with Claude Desktop, requiring specific JSON configuration (`claude_desktop_config.json`).
Verified Safe
The MCP server acts as a thin client, forwarding requests to an external Wireweave API. It uses environment variables for sensitive data like API keys, sanitizes logs to prevent accidental exposure of secrets, and robustly constructs API requests by handling path and query parameters. The security of the overall system heavily relies on the upstream Wireweave API Server, which is beyond the scope of this audit. No direct 'eval' or other malicious code patterns, obfuscation, or hardcoded sensitive secrets were found in the provided code.
Updated: 2026-01-19 | GitHub
High Cost

mcp-youtube-transcript

by vosamoilenko

Security score: 8

Provides tools for AI assistants to fetch, search, and analyze YouTube video transcripts and retrieve channel video lists.

Setup Requirements

  • ⚠️ Requires Node.js >= 18.0.0
  • ⚠️ Requires Python 3
  • ⚠️ Requires the 'youtube_transcript_api' Python package (pip install youtube-transcript-api)
Verified Safe
The server uses 'child_process.execFile' to run a Python script for transcript fetching. While generally safer than 'exec' due to arguments being passed separately, it still involves executing an external process. Input validation is performed for video/channel IDs, mitigating direct command injection risk for the Python script arguments. No 'eval' or obvious obfuscation was found. No hardcoded secrets were identified.
Updated: 2026-01-17 | GitHub
Low Cost

402ok-mcp

by payincom

Security score: 8

Provides a Model Context Protocol (MCP) server middleware to integrate HTTP 402 Payment Required for AI tools, supporting multi-network blockchain payments with a focus on XLayer/OKX.

Setup Requirements

  • ⚠️ Requires OKX API Key, Secret Key, and Passphrase with x402 permissions for XLayer payments if using the OKX facilitator.
  • ⚠️ Requires configuration of a recipient wallet address for payments.
  • ⚠️ Requires the `URL` environment variable to be set to the server's external URL if not running on `http://localhost:3000`, so that payment resource URIs are constructed correctly.
  • ⚠️ This is a library/middleware; users must write their own application (e.g., using Express) to host the MCP server functionality.
Verified Safe
The project uses standard cryptographic practices (HMAC SHA256) for OKX API authentication and relies on environment variables for sensitive credentials (API keys, secret keys, passphrases). The design separates payment verification/settlement to external facilitators, reducing direct blockchain interaction risk for the server. However, `makeOKXRequest` logs full request headers (which may contain API keys) and body to console, which could pose an information leakage risk in a production environment if logs are not securely managed. The JSON parsing of base64-encoded payment metadata is a standard practice but should be handled robustly against malformed inputs.
Updated: 2025-12-05 | GitHub
Low Cost

mcpfinder

by SaiVSrini

Security score: 8

A personal tool router that answers natural language queries to recommend the most relevant developer tools and MCP servers.

Setup Requirements

  • ⚠️ Requires OpenAI API Key (Paid) for optimal performance, otherwise falls back to heuristic scoring.
  • ⚠️ Requires a populated SQLite database file (`mcpfinder.sqlite`), which must be generated from `db_with_embeddings.csv` by running `mcp_suggester/load_mcp_csv_to_sqlite.py`.
Verified Safe
The project adheres to good practices by retrieving API keys from environment variables and using parameterized queries for SQLite interactions, mitigating common injection risks. The data loading from CSV to SQLite includes JSON parsing with error handling for embedded vectors. The `api_server.py` component defaults to binding on `0.0.0.0` (all network interfaces), which should be secured if exposed to untrusted networks, but this is an optional server and not the default `command` type usage with Cursor.
Updated: 2025-12-07 | GitHub
Low Cost

spotify-mcp

by ifiecas

Security score: 5

Connects Microsoft Copilot Studio AI agents to the Spotify Web API to enable music search, artist information, track details, and audio analysis.

Setup Requirements

  • ⚠️ Requires Python 3.11+ to run.
  • ⚠️ Requires a Spotify Developer Account to obtain Client ID and Secret.
  • ⚠️ Requires a secure, manually generated `LOCAL_TOKEN` environment variable for authentication.
  • ⚠️ Requires an Azure Account for cloud deployment and Microsoft Copilot Studio for AI agent integration.
Verified Safe
The server uses a simple Bearer token for authentication with a single, shared secret (`LOCAL_TOKEN`). This is explicitly noted in the README as being for development/demo purposes and is not suitable for production environments due to lack of advanced security features like OAuth, user-specific access control, token expiration, rate limiting, and secure secret management (e.g., Azure Key Vault). If the `LOCAL_TOKEN` is compromised, the server is fully accessible. However, the source code does not contain direct malicious patterns, arbitrary code execution (like `eval`), or hardcoded secrets (it relies on environment variables).
Updated: 2025-11-20 | GitHub
Low Cost

mcp-server

by Intra-Pay

Security score: 9

A Model Context Protocol (MCP) server exposing Brazilian Pix payment (cash-in/cash-out) and webhook operations from the Intra Pay API to AI agents and IDEs.

Setup Requirements

  • ⚠️ Requires Node.js 20+ to run.
  • ⚠️ Requires an Intra Pay account with API access keys and IP allowlisting configured on their dashboard.
  • ⚠️ Requires an .env file with INTRAPAY_BASE_URL, INTRAPAY_CLIENT_KEY, INTRAPAY_CLIENT_SECRET, INTRAPAY_ENV, and PORT configured.
Verified Safe
The server properly handles sensitive API keys and secrets by requiring them via environment variables (INTRAPAY_CLIENT_KEY, INTRAPAY_CLIENT_SECRET, INTRAPAY_WEBHOOK_SECRET), rather than hardcoding them. It implements a token caching mechanism to minimize authentication calls. Network requests to the external Intra Pay API include retry logic with exponential backoff and comprehensive error normalization. Logging is implemented with caution, explicitly avoiding the logging of secrets. The README advises enabling IP allowlisting on the Intra Pay dashboard, indicating good security awareness. No 'eval' or similar dangerous dynamic code execution patterns were identified.
Updated: 2025-11-26 | GitHub
Low Cost

mcp-server

by bans1mp

Security score: 3

The server provides an agent-callable interface for interacting with Spotify's API to retrieve top songs and for updating local notes.

Setup Requirements

  • ⚠️ Requires a valid Spotify Access Token for the `GetTopSongs` tool, which must be provided to the `auth` package (likely via environment variable).
  • ⚠️ The server requires write permissions to a local 'assets' directory for the `UpdateNotes` tool.
Review Required
The `auth.SpotifyAccessToken` variable used for Spotify API authorization is directly accessed without its origin being shown. If this token is hardcoded within the `auth` package (which is part of the same repository), it represents a critical security vulnerability, exposing a sensitive secret. Ensure this token is loaded securely, ideally from environment variables, and never hardcoded. The `UpdateNotes` tool writes user-provided content to a local file (`notes.txt`); while this is contained, it could lead to integrity issues for that specific file if the input is untrusted. No 'eval' or obfuscation found.
Updated: 2025-11-29 | GitHub
Low Cost

anchor-mcp-server

by dvansari65

Security score: 3

An MCP server that enables programmatic deployment of Anchor programs to various Solana networks via a defined tool interface.

Setup Requirements

  • ⚠️ Requires the 'anchor' CLI tool to be installed and accessible in the system's PATH.
  • ⚠️ Requires Rust and Cargo to be installed for building and running the server.
  • ⚠️ Requires network access to the specified Solana cluster (devnet, testnet, mainnet-beta, localnet) for program deployment.
Review Required
The 'deploy_program' function in `src/anchor/mod.rs` directly invokes the 'anchor deploy' command using `std::process::Command` with user-supplied `program_path` and `network` arguments. This design introduces a critical command injection vulnerability if inputs from the MCP client are not thoroughly validated and sanitized. A malicious actor could potentially craft inputs to execute arbitrary commands on the host system.
Updated: 2025-11-22 | GitHub
Low Cost

TTiA

by Mado1968

Security score: 9

This repository provides the source code for a modern marketing website for 'TTiA', a company specializing in Model Context Protocol (MCP) servers, digital transformation, and consulting services, showcasing their offerings and allowing potential clients to get in touch.

Setup Requirements

  • ⚠️ Node.js (>=18 is recommended by dependencies like esbuild, vite, google-auth-library)
  • ⚠️ GEMINI_API_KEY environment variable is required if the integrated Google GenAI features are fully implemented and utilized for interactive AI functionality.
Verified Safe
The provided source code is for a client-side React application and primarily handles UI rendering and client-side form submission simulation. There are no direct server-side components or custom server logic that would introduce common backend vulnerabilities. Hardcoded secrets are not present; `GEMINI_API_KEY` is correctly handled as an environment variable via Vite. The `@google/genai` dependency is a legitimate library for AI interaction, and its usage within the application, if implemented, would require secure handling of prompts and responses to prevent prompt injection or data leakage. Given that the contact form's submission is simulated (`setTimeout`) and no actual API calls are shown for sensitive data, the current code snippet itself has a high security posture for a static site. Potential risks would lie in any actual backend APIs this frontend interacts with (not provided here) or vulnerabilities in its dependencies.
Updated: 2025-12-14 | GitHub
Page 299 of 713