Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Medium Cost

rmv-mcp-server

by CWACoderWithAttitude

Sec9

An MCP (Model Context Protocol) server connecting LLMs to Germany's RMV public transport data (stations, connections, departures) via its API for natural language queries.

Setup Requirements

  • ⚠️Requires Python 3.13+
  • ⚠️Requires UV 0.8.13+ (package installer)
  • ⚠️Requires a free RMV API Key from the RMV Open Data Portal
Verified Safe
The server uses `os.getenv` for API key retrieval, preventing hardcoding. External API calls are made using `httpx` with basic error handling. No `eval` or `exec` calls were found. User inputs are passed as parameters to the external RMV API, which is a standard practice and generally safe, as the RMV API itself would be responsible for parsing its parameters securely.
Updated: 2025-12-11
High Cost

mcp-geo-database

by yixianfan

Sec8

Accessing NCBI Gene Expression Omnibus (GEO) database for searching, downloading, parsing, and analyzing gene expression and genomics data.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️Requires installation of several Python packages: 'mcp', 'GEOparse', 'biopython', 'pandas', 'scipy'.
  • ⚠️The NCBI Entrez.email is hardcoded within the `geo_server.py` and `geo_database_server.py` files. While functional, it's generally better practice to make this configurable.
Verified Safe
The server primarily interacts with external NCBI services (Entrez E-utilities, FTP) for data. File system operations for downloading are constrained to a user-defined or default directory ('./data') using `os.makedirs(destdir, exist_ok=True)` and `os.path.join` to prevent path traversal. The `parse_soft_file` function reads the content of a specified file, which could potentially expose local files if the `filepath` argument is maliciously crafted to point outside the intended data directory. However, it only reads and prints content; it does not execute it. There is no usage of `eval`, `exec`, or direct shell command execution. The `Entrez.email` is hardcoded, which is a minor configuration concern but not a direct security vulnerability.
Updated: 2026-01-17
Low Cost
Sec9

Provides a Micro-Copilot (MCP) server for accessing Chess.com public player profiles and statistics.

Setup Requirements

  • ⚠️Requires Python 3.11 or newer.
  • ⚠️Relies on `uvx` (part of the `uv` package manager) for installation and execution, meaning `uv` needs to be installed first (e.g., `pip install uv`).
Verified Safe
The server utilizes the `requests` library to interact with a public, unauthenticated Chess.com API. It correctly uses `response.raise_for_status()` to handle HTTP errors. There are no indications of malicious patterns, `eval` usage, code obfuscation, or hardcoded sensitive secrets within the provided source. The included `User-Agent` is standard. The primary security consideration is the reliability of the external Chess.com API itself.
Updated: 2025-11-26
Low Cost
Sec7

Demonstrates and provides a template for creating Model Context Protocol (MCP) servers using C# and NuGet packages, specifically showcasing a simple tool for generating random numbers.

Setup Requirements

  • ⚠️Requires installation of a compatible .NET SDK (specifically a prerelease version, '10.0.100-rc.2.25502.107' as per global.json, or a newer compatible version).
  • ⚠️Requires VS Code with Copilot Chat enabled for the described integration.
Verified Safe
Actual server logic (C# source code) is not provided, limiting a full security audit of the implementation. Based on the provided `global.json` and `README.md` (which covers configuration and setup), no 'eval', obfuscation, hardcoded secrets, or direct network risks (beyond standard stdio communication) are apparent in the configuration or setup instructions. The `WEATHER_CHOICES` environment variable is shown in configuration examples, but its usage and validation within the unseen server logic are unknown.
Updated: 2025-12-19
Low Cost

claude-mcp-server

by TakuyaSuenaga

Sec9

A sample MCP server demonstrating tools for echoing text and listing AWS S3 buckets, integrated with Claude Code CLI and GitHub Actions.

Setup Requirements

  • ⚠️Requires an Anthropic API Key (Paid).
  • ⚠️Complex AWS IAM and OIDC configuration for GitHub Actions.
  • ⚠️Requires `uv` and `mcp` CLI for local development.
Verified Safe
The project demonstrates good security practices by leveraging GitHub Actions OIDC for AWS authentication, avoiding hardcoded secrets, and explicitly stating API keys should be stored as GitHub Secrets. The tools are simple (echo, S3 list buckets) and do not suggest inherent vulnerabilities. A full code review of `server.py` would confirm, but based on provided information, it's robust.
Updated: 2025-11-23
Low Cost
Sec9

Provides a local, private, and automatically cached service for generating 1024-dimensional Qwen3-Embedding-0.6B vectors from text, supporting over 100 languages for semantic search and RAG systems.

Setup Requirements

  • ⚠️Requires an initial ~600MB model download from HuggingFace Hub on the first run (takes 2-5 minutes, requires internet).
  • ⚠️Automatic dependency installation via 'pip' requires 'pip' to be available and write permissions in the environment.
  • ⚠️Requires approximately 2GB of RAM for the Qwen model.
Verified Safe
The server's core design emphasizes local inference and privacy, with no API calls sending user data externally after the initial model download. The `TOOL_UNLOCK_TOKEN` is a dynamically generated security measure for AI interaction, not a hardcoded secret. SQLite usage employs parameter binding, preventing SQL injection. The primary network risk is the one-time, automatic download of the Qwen3-Embedding-0.6B model (~600MB) and Python dependencies (`sentence-transformers`, `transformers`) from trusted sources (HuggingFace Hub, PyPI) during the first run. While `pip.main` is used for auto-installation, it targets known libraries. No 'eval' or obvious obfuscation is present.
Updated: 2025-12-02
Low Cost

rag-mcp-server

by torkian

Sec9

Enables Claude Desktop to perform Retrieval-Augmented Generation (RAG) by connecting to a custom knowledge base via the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires Claude Desktop application.
  • ⚠️Python 3.10 or higher is required.
  • ⚠️Requires specifying absolute file paths for the server script and Python executable in Claude Desktop's configuration.
Verified Safe
The provided source code for the MCP server is straightforward and does not contain obvious security vulnerabilities such as 'eval' or hardcoded secrets. It communicates via standard I/O (stdio_server). The primary security considerations would arise from how users customize the 'search_knowledge_base' function, e.g., if they integrate with insecure external APIs or handle sensitive data improperly. The base code itself is safe.
Updated: 2026-01-16
Low Cost

nocodb-mcp-server-builds

by thorsteneckel

Sec10

This repository provides a CI/CD pipeline for building and publishing Docker images of the NocoDB MCP Server.

Setup Requirements

  • ⚠️Requires Docker to be installed and running on the host system.
  • ⚠️Requires an existing NocoDB instance with a valid API token and Base ID for the server to connect and function properly.
  • ⚠️Mandatory environment variables (NOCODB_URL, NOCODB_API_TOKEN, NOCODB_BASE_ID) must be provided during container runtime for proper configuration.
Verified Safe
The provided "SOURCE CODE" is solely the `README.md` of the `nocodb-mcp-server-builds` repository. This README describes a CI/CD pipeline for building Docker images and how to run them. It does not contain executable code, server logic, `eval` statements, obfuscation, or direct network calls within itself. It correctly instructs users to pass sensitive information (like `NOCODB_API_TOKEN`) via environment variables. The security score reflects only the content of the provided `README.md` and not the underlying `edwinbernadus/nocodb-mcp-server` application or the GitHub Actions workflow files which were not provided.
Updated: 2025-12-02
Medium Cost

MeCP

by gnufoo

Sec8

A self-hosted Rust server for AI context management, offering modular integrations with databases and LLM reasoning via the Model Context Protocol.

Setup Requirements

  • ⚠️Installation scripts for MySQL and Neo4j are currently designed for WSL Ubuntu/Debian systems.
  • ⚠️Milvus integration (if enabled) requires Docker for local deployment.
  • ⚠️Leveraging external LLM providers (e.g., OpenAI, Anthropic) for reasoning will incur API costs and requires API keys.
Verified Safe
The server implements robust Web3 authentication with JWT sessions, daily nonces, and signature verification, along with address whitelisting. Key configuration values like database passwords and JWT secrets are defaulted in `config.toml` but clearly documented for change in production, with helper scripts to generate secure secrets. `CorsLayer::permissive()` is used, which is permissive for development but a risk in production without explicit configuration. The Neo4j installation script sets `server.default_listen_address=0.0.0.0` which can expose the database if not behind a firewall. However, the documentation explicitly highlights hardening for production. No obvious malicious patterns or 'eval' usage.
Updated: 2026-01-19
Medium Cost

stelae

by Dub1n

Sec6

Transforms a local WSL workspace into a single, extensible MCP endpoint for desktop agents, ChatGPT Connectors, and other HTTP/SSE clients, enabling declarative tool overrides and aggregations for AI agent tooling.

Setup Requirements

  • ⚠️Requires WSL with systemd enabled.
  • ⚠️Requires Python 3.11+, Go toolchain, Node.js (via NVM recommended), `pm2`, and `cloudflared` CLI.
  • ⚠️Extensive configuration via environment variables and `.env` files (e.g., STELAE_CONFIG_HOME, PUBLIC_BASE_URL) is crucial for proper operation.
  • ⚠️Path sensitivity: workspaces must be on WSL's ext4 filesystem, not Windows-backed mounts (e.g., /mnt/c/).
Review Required
The server is designed to execute local commands, manage filesystems, and install/remove other MCP servers, which exposes a significant attack surface if not properly secured at the deployment and access control layers. It relies heavily on `subprocess.run` and `urllib.request.urlopen` for core functionalities and external interactions. Configuration changes via `manage_stelae` allow the server to self-modify its operational capabilities. While the code includes some path validation and environment variable expansion, robust external authentication and authorization are critical, especially when exposed publicly via Cloudflare. Hardcoded secrets are generally avoided, with `OPENAI_API_KEY` and `GITHUB_TOKEN` being passed via environment variables.
Updated: 2025-11-25
Low Cost

hindsight-mcp

by Rbfinch

Sec9

Provides AI assistants with searchable development history (git commits, test results, GitHub Copilot sessions) via Model Context Protocol (MCP) tool calls in VS Code.

Setup Requirements

  • ⚠️Requires VS Code v1.99+ with GitHub Copilot.
  • ⚠️For test ingestion, `cargo-nextest` must be installed separately via `cargo install cargo-nextest`.
Verified Safe
Robust against common injection attacks due to parameterized SQL queries using `rusqlite::params![]` and extensive fuzz testing on input parsing. Command execution (`std::process::Command`) is used for `cargo nextest`, which generally handles arguments safely, but direct execution of external processes always carries a minimal inherent risk. The VS Code extension downloads binaries from GitHub Releases, relying on GitHub's integrity for secure distribution.
Updated: 2026-01-19
High Cost

my-mcp-server

by you0best

Sec8

This project serves as a TypeScript boilerplate for developing Model Context Protocol (MCP) servers, providing various AI-enabled and utility tools for integration with AI agents.

Setup Requirements

  • ⚠️Requires a Hugging Face API Token (`HF_TOKEN`) for the image generation functionality.
  • ⚠️Uses the Smithery CLI for building and development (`npm run build`, `npm run dev`).
  • ⚠️Requires Node.js version 18 or higher.
Verified Safe
The server includes an image generation tool that relies on an external Hugging Face API. The API token (`hfToken`) is loaded from configuration, which is a good practice, preventing hardcoded credentials. No direct 'eval' or malicious code execution patterns were found. The 'code_review' prompt generates text for an external LLM, not executing code locally. The `express-rate-limit` dependency in `package-lock.json` suggests network security considerations, but the core server logic provided here uses a `StdioServerTransport` in the example, which is generally safer for local process communication. Overall, the server appears robust for a boilerplate, but users must ensure their `hfToken` is secured and be aware of potential large data transfers for image generation.
Updated: 2025-11-27