Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost

thai-lottery-mcp

by anonymaew

Sec10

Provides an API for checking Thai lottery numbers against predefined prizes and listing all available prizes.

Setup Requirements

  • ⚠️Python 3.13+ required
Verified Safe
The code is simple, does not use 'eval' or similar dangerous functions, and does not contain hardcoded secrets or direct network interactions beyond what the 'fastmcp' framework provides. All prize logic is explicit and based on string comparisons. The primary security consideration would be the 'fastmcp' dependency itself, which is assumed to be secure.
Updated: 2025-11-19
Medium Cost

SkyFiMCP

by mfuechec

Sec8

Enables AI agents to programmatically access SkyFi's geospatial and satellite imagery services, including search, pricing, ordering, and monitoring.

Setup Requirements

  • ⚠️Requires Node.js 20+ installed
  • ⚠️Requires a SkyFi API Key (potentially paid service access)
  • ⚠️Requires pnpm package manager
Verified Safe
Standard Node.js application. Primary security consideration is the secure handling of the `SKYFI_API_KEY`, which grants access to external SkyFi services. No obvious 'eval' or obfuscation found. External deployment using `deploy.sh` would require further security hardening.
Updated: 2025-11-19
Medium Cost

test-mcp-server

by jhpark-psynet

Sec8

Enables LLM agents to interact with sports data (schedules, detailed statistics) and other external APIs, presenting results via interactive React widgets or formatted text. Supports multi-sport, multi-league data fetching with caching and robust error handling.

Setup Requirements

  • ⚠️Requires Node.js and npm for building React UI components.
  • ⚠️Requires Python 3.12+ and uv pip for Python dependencies.
  • ⚠️External API and Sports API functionality require respective `*_API_BASE_URL` and `*_API_KEY` environment variables (or `.env` configuration).
  • ⚠️Disables DNS rebinding protection for OpenAI Apps SDK integration, which should be considered when deploying in other contexts.
Verified Safe
The server employs robust input validation using Pydantic, replaces dangerous `eval()` with a safe AST-based evaluator, and implements rate limiting. However, it explicitly disables DNS rebinding protection in `TransportSecuritySettings` to accommodate diverse origins in ChatGPT App Store integration, which can be a security concern in other deployment contexts. API keys are managed via environment variables/`.env` files.
Updated: 2026-01-18
Medium Cost

mcp-servers-factory

by iamsrinathks

Sec8

Provides AI agents with tools to interact with various developer platforms and services, including GitLab, GitHub, Confluence, and Google Cloud Logging.

Setup Requirements

  • ⚠️Requires various API tokens (GitHub, GitLab, Confluence PAT) and base URLs to be set as environment variables.
  • ⚠️The GCP Logging server requires Google Cloud Application Default Credentials (ADC) setup (e.g., via `gcloud auth application-default login` or GOOGLE_APPLICATION_CREDENTIALS environment variable).
  • ⚠️Requires `mcp` SDK (`pip install mcp[cli]`) and `uvicorn` (`pip install uvicorn`) to be installed.
Verified Safe
All sensitive credentials (API tokens, client secrets) are loaded from environment variables. The `github-mcp-server/oauth.py` and `github-mcp-server/sample.py` files use in-memory token storage for 'demo_user', which is explicitly marked 'demo only' and is not suitable for production multi-user deployments without a persistent, secure authentication system. Error messages from API requests may include raw response text, which could potentially expose sensitive API error details, though this is a minor risk. Input validation for `search_logs` limits results and handles invalid filter expressions.
Updated: 2025-11-26
Medium Cost

Provides an unauthenticated remote server for a Multi-Crew Protocol (MCP), likely for testing, internal network communication, or specific scenarios where authentication is not required.

Review Required
No source code was provided for analysis, only the repository name and a truncated README.md file. Therefore, a comprehensive security audit for 'eval' usage, obfuscation, hardcoded secrets, or specific malicious patterns could not be performed. The 'authless' nature of the server inherently poses a significant security risk, as it lacks any authentication mechanism, making it highly vulnerable if exposed to untrusted networks.
Updated: 2025-12-03
Low Cost

Automates Linux VM administration and command execution via SSH, integrated with OpenWebUI, including safeguards for destructive commands.

Setup Requirements

  • ⚠️Docker required
  • ⚠️`config.yaml` with plain-text SSH passwords must be manually created
  • ⚠️Requires OpenWebUI to be running and connected to the same Docker network
  • ⚠️Explicit `docker network connect` step is required after initial setup.
Review Required
CRITICAL: The HTTP API (port 3000) lacks any authentication or authorization, allowing any entity on the same Docker network or host to execute arbitrary commands on configured VMs. The `config.yaml` stores SSH passwords in plain text, presenting a significant risk if the file or the server is compromised. While destructive command detection is present, it relies on pattern matching and is not foolproof. Designed for trusted networks, but this does not mitigate the unauthenticated API access.
Updated: 2025-11-30
High Cost
Sec4

Provides AI assistants with a Model Context Protocol (MCP) interface to interact with IBM Master Data Management (MDM) services for searching, retrieving, and managing master data through natural language.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️Requires an IBM MDM instance with valid credentials (API Key/CRN for Cloud, Username/Password/URLs for Software Hub).
  • ⚠️Disables SSL verification by default in HTTP requests, which is not suitable for production. Must manually set `verify_ssl=True` for secure deployments.
  • ⚠️Does not verify JWT signatures by default, relying solely on trust in the authentication server.
Verified Safe
The default `verify_ssl=False` setting in `BaseMDMAdapter` and `AuthenticationManager` is a significant security risk for production environments, as it disables SSL certificate validation, making the application vulnerable to Man-in-the-Middle attacks. Additionally, the `jwt.decode` operation in `AuthenticationManager` uses `verify_signature=False`, which critically weakens JWT security by trusting tokens without cryptographic verification of their origin, potentially allowing forged tokens if the authentication server or communication channel is compromised. While credentials are read from environment variables, these two default behaviors pose severe vulnerabilities.
Updated: 2026-01-19
Medium Cost

my-mcp-server

by ashotchumore

Sec8

A boilerplate for developing Model Context Protocol (MCP) servers in TypeScript, demonstrating the creation of AI tools (calculator, greeter, code reviewer) and resources (server info) that can be integrated with AI clients like Cursor.

Setup Requirements

  • ⚠️Requires Node.js (version 20.0.0 or higher based on @smithery/cli dependency).
  • ⚠️Requires a TypeScript development environment for code authoring.
  • ⚠️Requires manual configuration (absolute path) in client-side tools like Cursor's mcp.json for integration.
Verified Safe
The provided code is a boilerplate using the official MCP SDK and Zod for input validation, which is a good practice. There are no explicit uses of 'eval', obfuscation, hardcoded sensitive secrets, or direct execution of untrusted arbitrary code within the provided examples. The `dotenv` dependency implies that secrets should be managed via environment variables, but none are directly used in the truncated code. The security of a server built on this boilerplate would depend heavily on how developers extend it to interact with external APIs or local resources.
Updated: 2025-11-27
Low Cost
Sec3

An MCP server for managing Netscaler network devices via the NITRO API using Python tools.

Setup Requirements

  • ⚠️Requires a running Netscaler device to function.
  • ⚠️Requires a `.env` file with `IP_ADDRESS`, `X-NITRO-USER`, and `X-NITRO-PASS` configured.
  • ⚠️Critical security risk due to disabled SSL verification (`verify=False`) in network communication. Not suitable for production without modification.
Review Required
CRITICAL RISK: The server uses `verify=False` for all HTTPS requests to the Netscaler device, disabling SSL certificate verification. This makes it vulnerable to Man-in-the-Middle (MITM) attacks, potentially allowing an attacker to intercept, view, or alter communication and credentials. While sensitive information like IP addresses and authentication are loaded from a `.env` file (which is good practice), the `X-NITRO-USER` and `X-NITRO-PASS` are sent with every request, making them susceptible if a MITM attack occurs. The `forbidden_objects` list is a very minimal attempt at security and could be easily bypassed for other critical Netscaler components.
Updated: 2026-01-19
Low Cost

mcp-server

by AiDD-app

Sec1

An ADHD-optimized productivity platform offering AI-powered task management, action item extraction from notes, and smart prioritization accessible via MCP clients like ChatGPT and Claude.

Setup Requirements

  • ⚠️Requires macOS for Apple Notes integration (AppleScript dependency).
  • ⚠️Relies on an external backend service: https://aidd-backend-prod-739193356129.us-central1.run.app.
  • ⚠️Opens a local HTTP port (e.g., 54321, 6274) for OAuth callbacks, which may cause conflicts or require firewall configuration.
  • ⚠️Hardcoded 'dev-api-key-123456' for backend communication if OAuth is not used.
Review Required
CRITICAL: The `execAppleScript` function (used in `src/applescript.ts` and invoked by `src/index-aidd.ts` and `src/index.ts`) is highly vulnerable to command injection. User-provided input for parameters like 'query' or 'folder' in tools like `import_apple_notes` or `search_notes` is directly interpolated into AppleScript commands without sufficient sanitization. An attacker could inject arbitrary AppleScript, leading to remote code execution (RCE) on the macOS system where the MCP server is running. Additionally, local credential storage (`AuthManager`, `OAuthServer`) uses symmetric encryption with hardcoded keys and IVs ('aidd-mcp-key', 'aidd-oauth-key'). This means anyone with access to the codebase can trivially decrypt stored user tokens and other sensitive information, severely compromising data confidentiality. While it provides minimal protection against casual observation, it's not secure against a determined attacker.
Updated: 2026-01-17
High Cost

ESO-MCP

by RichardDillman

Sec7

Provides comprehensive Elder Scrolls Online game data, tools, and analysis capabilities for AI assistants.

Setup Requirements

  • ⚠️Manual .env file configuration is required for API credentials (e.g., ESOLOGS_CLIENT_ID, ESOLOGS_CLIENT_SECRET).
  • ⚠️External API credentials for ESO Logs (potentially requiring a paid API key for extensive usage) are mandatory for full parse analysis features.
  • ⚠️Tesseract.js OCR for CMX screenshots may have platform-specific dependencies, and performance varies with image quality.
Verified Safe
The server uses various external APIs (ESO Logs, Google Chat, ntfy.sh, Slack, Nodemailer for SMS) requiring sensitive credentials via environment variables. While this is good practice, compromise of the server could lead to abuse of these external services. The CMX OCR tool processes local image paths; if the `imagePath` input is user-controlled and not properly sanitized, it could pose a local file inclusion/path traversal risk. The core communication uses StdioServerTransport, meaning the overall security heavily depends on the execution environment and how the server process is sandboxed.
Updated: 2025-11-26
Medium Cost

Life-Inbox-Zero

by SifatSikder

Sec8

A unified AI-powered life management system that ingests various inputs, extracts actionable items, and auto-organizes them into a dashboard.

Setup Requirements

  • ⚠️Requires Google Cloud Project setup for OAuth 2.0 Client ID (Gmail, Calendar, Drive APIs) and downloading 'credentials.json'.
  • ⚠️Requires Tesseract OCR engine installed system-wide for image processing (pytesseract dependency).
  • ⚠️Requires a Google Generative AI API key (e.g., GOOGLE_API_KEY environment variable if not using 'adk run').
Verified Safe
The server design generally avoids direct user code execution (e.g., no 'eval'). External MCP servers are run via subprocess with fixed commands, limiting injection risks. However, the system relies heavily on Google APIs (Gmail, Calendar, Drive) and Google Generative AI, requiring proper handling of OAuth 2.0 credentials (`credentials.json`, `token.json`) and an API key. Mismanagement of these sensitive files could lead to unauthorized access to a user's Google services. The `OrganizerAgent` has a missing import (`MediaFileUpload`) which would lead to a runtime error if Drive upload functionality is used.
Updated: 2025-11-23