Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

Vetted Servers (8554)

0
0
Medium Cost
Sec8

Integrates Zed's Model Context Protocol with RelytONE's MCP server, providing AI-powered coding assistance by sending code context to RelytONE.

Setup Requirements

  • ⚠️Requires a RelytONE bearer token, obtained from relytone.data.cloud.
  • ⚠️Requires Node.js to be installed on the system for the underlying MCP server.
Verified Safe
The extension uses standard Zed API calls for package management (npm_install_package) and executing Node.js processes. The RelytONE bearer token is securely passed as an environment variable (RELYTONE_BEARER_TOKEN) to the child process, avoiding hardcoding or command-line exposure. The primary security consideration is the trust in the `@relyt/mcp-server-relytone` npm package itself, as the extension automatically installs and updates it to the latest version. No 'eval' or obvious obfuscation was found.
Updated: 2025-11-20
0
0
Low Cost
github_mcp_server_text

by sohaib-sharih

Sec10

This project modifies a CSV file to update the 'Sale price' column to a fixed value.

Setup Requirements

  • ⚠️Requires 'pandas' library to be installed (e.g., `pip install pandas`).
  • ⚠️The input file 'white heaven.csv' must exist in the same directory as the script.
Verified Safe
The script is simple, uses the well-known Pandas library for local file operations, and does not contain 'eval', obfuscation, network calls, or hardcoded secrets. It exhibits no malicious patterns.
Updated: 2026-01-19
0
0
Low Cost
Sec9

Acts as a Model Context Protocol (MCP) server enabling AI models to interact with the Magalu Marketplace API for managing products, orders, customer service, questions, and chat.

Setup Requirements

  • ⚠️Requires a Magalu Marketplace Seller Account with an API Key and Seller ID.
  • ⚠️Requires Node.js (version 18 or higher, as implied by @modelcontextprotocol/sdk dependency requirements).
Verified Safe
The server correctly uses environment variables for sensitive API keys (MAGALU_API_KEY, MAGALU_SELLER_ID), preventing hardcoded secrets. It implements semantic types (e.g., MagaluSkuId, MagaluPage) with basic validation (length, regex, range) for many inputs, enhancing data integrity. There is no usage of 'eval' or obvious obfuscation. Network calls are made to defined Magalu API endpoints. A minor area for potential improvement could be more explicit and comprehensive JSON schema validation for complex input objects (e.g., 'sku', 'price', 'delivery' objects) within the MCP tool definitions or the MagaluClient, beyond basic type checks, to ensure all fields conform to expected structures before forwarding to the external API.
Updated: 2025-11-25
0
0
Medium Cost

Automated discovery and data extraction of LinkedIn profiles for purposes such as recruitment, lead generation, market research, and competitive intelligence.

Setup Requirements

  • ⚠️Requires RapidAPI Account and API Key (paid for higher usage tiers)
  • ⚠️Requires Serper API Key (paid for higher usage tiers, free tier has limits)
  • ⚠️Python 3.8 or higher is required
Verified Safe
API keys (RapidAPI and Serper) are correctly loaded from environment variables using `python-dotenv`, preventing hardcoding and enhancing security. The system utilizes `httpx` for external API calls with timeouts, contributing to network stability. No direct use of `eval` or `exec`, and no malicious code patterns were identified. The primary security and legal considerations revolve around the ethical use of scraped data and adherence to LinkedIn's Terms of Service and data protection regulations, which the README extensively addresses.
Updated: 2025-12-02
0
0
Medium Cost
personio-mcp-server

by NikolaiGoMedicus

Sec8

Facilitates AI assistants like Claude in interacting with the Personio HR API for various employee, attendance, absence, and document management tasks.

Setup Requirements

  • ⚠️Requires Node.js 18 or higher.
  • ⚠️Personio API credentials (Client ID and Client Secret) are mandatory and must have appropriate scopes. V2 API features, particularly for attendance, may require specific, non-default scopes that can lead to 403 Forbidden errors.
  • ⚠️Manual MCP client configuration (e.g., for Claude Desktop) requires specifying an absolute path to the server's executable in the client's config file.
Verified Safe
The server correctly handles API credentials via environment variables and uses an HTTP client (axios) with interceptors for robust error handling and token management. Input validation for tool arguments is present through `inputSchema` definitions and handler-level checks, primarily focusing on types and presence. No `eval` or direct command injection vectors were found. A minor potential concern is the `upload_document` tool, which accepts base64 file content and a file name but lacks explicit server-side validation of file types before forwarding to the Personio API. This could potentially allow uploading files with inappropriate extensions if the Personio API itself is not strict. The project includes a `SECURITY.md` with good practices.
Updated: 2025-11-25
0
0
Medium Cost

This MCP (Model Context Protocol) server enables open-source LLMs to query a MongoDB database containing Azure resource data, generating charts and reports for analytics.

Setup Requirements

  • ⚠️Requires a paid API key for an external LLM provider (OpenRouter or Claude).
  • ⚠️Requires MongoDB 4.0+ running locally on `localhost:27017`.
  • ⚠️Initial data must be uploaded via the Streamlit 'Excel Upload' page before AI analysis can function.
Review Required
API keys are stored in plaintext in the local MongoDB for persistence, which is a significant security risk for production environments. The MongoDB connection defaults to an unauthenticated `localhost:27017` instance, suitable for local development but insecure for multi-user or network-exposed deployments. External LLM API calls are made, requiring careful handling of API keys.
Updated: 2025-11-26
0
0
Medium Cost
db-explorer

by chiraggahujaa

Sec4

An AI-powered platform for natural language database exploration, querying, modification, and management, supporting multiple database types with team collaboration features.

Setup Requirements

  • ⚠️Requires a Google Gemini API Key (paid service for AI functionality).
  • ⚠️Requires Supabase credentials (URL, Anon Key, Service Role Key) for user management and potentially other features.
  • ⚠️Requires a Resend API Key for email notifications (e.g., password resets, invitations).
Review Required
The application uses Zod for validation, JWT for authentication, and Helmet for basic Express security. However, a critical SQL injection vulnerability exists in the `select_data` tool within the `/api/chat` route, where the `where` clause is constructed by direct string concatenation without proper parameterization. The `execute_custom_query` tool, which allows arbitrary SQL execution, also poses a high risk if the underlying database connector's `query` method does not adequately protect against injection for raw SQL statements. Storing tokens in local/session storage makes them vulnerable to XSS attacks. These issues significantly lower the security score, making the application potentially unsafe for sensitive data or untrusted users.
Updated: 2025-12-17
0
0
Low Cost
simple-mcp

by rnben

Sec9

A demonstration project for creating a Model Context Protocol (MCP) server with FastMCP, offering calculator and weather query tools, integrated with Cline.

Setup Requirements

  • ⚠️Requires Python 3.8+
  • ⚠️Requires manual Cline configuration
  • ⚠️Port 8000 must be available
Verified Safe
The server binds to `0.0.0.0` which makes it accessible from any network interface. While acceptable for a local demo, in a production environment, it should be bound to a specific IP address (e.g., `127.0.0.1`) or secured appropriately if exposed to external networks. The tools provided are simple and do not inherently introduce security risks; there are no uses of `eval`, obfuscation, or hardcoded secrets.
Updated: 2025-12-10
0
0
Low Cost
MCP-testing

by ticket1

Sec5

A testing environment for a Minecraft Protocol (MCP) server, likely for development and protocol analysis.

Setup Requirements

  • ⚠️Java Development Kit (JDK) required
  • ⚠️Maven or Gradle build tool likely required for compilation and execution
Review Required
Source code was not provided in the prompt for analysis. Therefore, a comprehensive security audit for malicious patterns, 'eval' usage, hardcoded secrets, or network risks could not be performed. The assigned score reflects an inability to verify safety rather than an assessment of specific vulnerabilities.
Updated: 2025-12-06
0
0
Low Cost
h1-mcp

by bzzimmy

Sec9

Provides an MCP server to enable AI agents to query HackerOne disclosed reports and hacktivity.

Setup Requirements

  • ⚠️HackerOne API credentials (username and token) are required and must be set via HACKERONE_API_USERNAME and HACKERONE_API_TOKEN environment variables.
  • ⚠️Requires Node.js version 18.0.0 or higher.
  • ⚠️Core functionality for querying HackerOne data is not yet implemented (all defined tool calls currently return 'Not implemented' errors).
Verified Safe
The server correctly uses environment variables for HackerOne API credentials, which is good practice. It defines legitimate HackerOne API endpoints as its base URL. However, the core functionality for making actual API requests to HackerOne is marked with 'TODO: Implement' and currently throws 'Not implemented' errors. This means the current code does not perform any external data fetching or processing beyond setting up the server and tool definitions, minimizing immediate security risks. Future implementations will require careful review.
Updated: 2025-12-11
0
0
Low Cost
nachos

by bioanywhere

Sec7

A client library for accessing the World News API to search, extract, and retrieve news articles from various sources and languages.

Setup Requirements

  • ⚠️Requires an API Key for the World News API (which is a paid service) to function, not included in the package.
  • ⚠️Python 3.7+ is required for the Python package.
  • ⚠️For the C++ client, CMake 3.2+, Qt, and a C++ compiler are required for building.
Verified Safe
The code primarily implements an API client library. It does not appear to contain malicious patterns or direct hardcoded secrets. API keys and OAuth credentials are expected to be provided by the user programmatically. The C++ client includes a local TCP server for OAuth redirection on port 9999; while a standard pattern for local OAuth flows, this introduces a minor attack surface if not properly firewalled or if the callback data handling were flawed (though no obvious flaws were found in the provided snippets).
Updated: 2025-12-13
0
0
Low Cost
care_mcp_server

by yash-learner

Sec10

A rudimentary, experimental server project initiated with AI assistance, likely intended for exploring server-side development or a specific application like 'care_mcp'.

Setup Requirements

  • ⚠️The project is incomplete; no server-side code or execution instructions are provided beyond the README.md.
Review Required
The provided 'source code' consists solely of the `README.md` file, which is not executable. Therefore, there are no security risks detectable within the provided content itself. The project is incomplete as a functional server, lacking actual server-side code.
Updated: 2025-11-24