Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost

expense-mcp-server

by shivamprasad1001

Sec9

A Model Context Protocol (MCP) server for tracking and managing personal or group expenses via AI assistants.

Setup Requirements

  • ⚠️ Requires Python 3.10 or higher.
  • ⚠️ Requires the `uv` Python package manager to be installed globally and accessible in PATH.
  • ⚠️ Configuration for MCP clients (e.g., Claude Desktop, Cursor) requires absolute paths to the `uv` executable and the repository directory.

Verified Safe
The server uses `sqlite3` for persistent storage, and all SQL queries are properly parameterized, which prevents common SQL injection vulnerabilities. There are no explicit uses of `eval`, `exec`, or `os.system` that would pose command injection risks. No hardcoded secrets or credentials were found. Data is stored locally, limiting network-based attack surfaces. The primary risks are general to running any local application and depend on the integrity of the `uv` and `fastmcp` dependencies.
Updated: 2025-12-07

Low Cost

mcp_searxng

by justfortheloveof

Sec9

Provides a low token consumption Python MCP server for integrating a local or remote SearXNG instance as a web search tool for LLMs.

Setup Requirements

  • ⚠️ Requires Python 3.13 or newer
  • ⚠️ Requires a running SearXNG instance accessible via a URL
  • ⚠️ Recommended installation method uses 'uv', which might need prior installation

Verified Safe
The server uses `httpx` for network requests and handles authentication securely, enforcing HTTPS for all authentication types (Basic, Bearer, API Key). SSL certificate verification is enabled by default, with an option for custom CA files. Input validation is present for critical parameters. No 'eval' or obvious malicious patterns found. Secrets are designed to be passed via CLI arguments or environment variables and are redacted from logs, preventing hardcoded credentials.
Updated: 2025-11-24

Low Cost
Sec3

An MCP server that exposes news headline retrieval functionality (simulated and real-time) as tools for LLM applications.

Setup Requirements

  • ⚠️ Requires `mcp` and `langchain-mcp-adapters` Python packages.
  • ⚠️ Requires a NewsAPI key for the `get_realtime_headlines` tool (needs to be obtained from newsapi.org).
  • ⚠️ The `requests` library is required if `get_realtime_headlines` is used (not explicitly in initial `pip install mcp` instruction).

Review Required
The 'changes_part4.py' file, which demonstrates an extension to the server, explicitly hardcodes `NEWSAPI_KEY = "your key"`. This is a critical security vulnerability as it places a sensitive credential directly in the source code. While the README suggests using environment variables, the provided code snippet does not follow this best practice. Running this code as-is would expose the API key. The server also makes external HTTP requests if the `get_realtime_headlines` tool is implemented.
Updated: 2025-11-22

Low Cost

mcp-server-streamable

by CyprianFusi

Sec9

This server exposes a 'greeting' tool over an HTTP interface using the FastMCP framework, enabling clients or agents to interact with defined functionalities.

Setup Requirements

  • ⚠️ Python 3.13+ required
  • ⚠️ Requires 'mcp' library to be installed

Verified Safe
The provided source code is minimal and does not contain any obvious security vulnerabilities such as 'eval', hardcoded secrets, or malicious patterns. The 'greeting' tool is simple and inherently safe.
Updated: 2025-11-29

Medium Cost

code-memory

by consigcody94

Sec4

A persistent context vault for AI-assisted development, solving the 'missing context' problem by remembering decisions, indexing code, preserving conversations, and tracking evolution.

Setup Requirements

  • ⚠️ Requires Node.js >= 18.0.0.
  • ⚠️ The `CODE_MEMORY_DIR` environment variable is optional but highly recommended to specify where memory files are stored; otherwise, it defaults to `.code-memory` in the current working directory, which might not be ideal for a globally used tool.
  • ⚠️ Requires explicit path to `dist/index.js` in MCP client configuration (e.g., Claude Desktop) if not installed globally, or ensuring the `code-memory` binary is in the system PATH.

Review Required
The server's core functionality involves indexing and searching local file systems (`index_codebase`, `search_code`) based on user-provided paths. While `path.resolve` normalizes paths, there are no explicit sandboxing mechanisms to restrict the 'path' argument to a specific, safe directory (beyond the `.code-memory` data storage itself). This means an attacker who can manipulate the AI's prompts could potentially coerce the MCP server to read arbitrary files from the local file system (e.g., sensitive configurations, private keys, etc.) that the Node.js process has access to. This is a significant arbitrary file read vulnerability if the AI client is compromised or jailbroken. No `eval` or intentional obfuscation was found, and error handling is present, but the powerful file access is a critical risk.
Updated: 2025-11-22

High Cost

webquest-mcp

by mustafametesengul

Sec9

Provides powerful web search and scraping tools to AI agents and MCP-compatible clients via a Model Context Protocol (MCP) server.

Setup Requirements

  • ⚠️ Requires `OPENAI_API_KEY` (potentially incurs costs based on usage within the 'webquest' scrapers).
  • ⚠️ Requires `HYPERBROWSER_API_KEY` (likely a paid third-party service).
  • ⚠️ Python 3.12 or higher is required.

Verified Safe
The server correctly loads API keys and JWT secrets from environment variables or a .env file, avoiding hardcoded credentials. It supports JWT authentication for requests, which is a good security practice for API access. No 'eval' or obvious obfuscation was found. Users must ensure proper management of environment variables and be aware of the disclaimer regarding web scraping legality and website terms of service.
Updated: 2026-01-10

Low Cost

test-mcp-server

by peicodes

Sec4

A TypeScript-based Model Context Protocol (MCP) server for testing or providing a single tool via Server-Sent Events (SSE) transport.

Setup Requirements

  • ⚠️ The `VALID_API_TOKEN` is hardcoded as a placeholder and MUST be changed for any non-local or production usage. It is recommended to use an environment variable for this secret.
  • ⚠️ The server explicitly binds to `localhost:3000` and is not designed for direct public exposure without a reverse proxy or further network configuration.

Verified Safe
The server uses a hardcoded placeholder for the API token (`VALID_API_TOKEN = "your-secret-api-token-here"`). While this is likely intended as an instruction for developers to replace, deploying the server with this default value would constitute a critical security vulnerability, as anyone could authenticate by sending `api-token: your-secret-api-token-here`. It should be an environment variable set to a strong, unique secret.
Updated: 2025-12-05

Medium Cost

kube-compare-mcp

by sakhoury

Sec8

Enables AI assistants to compare Kubernetes cluster configurations against reference templates, including Red Hat Telco Reference Design Specifications (RDS), to detect configuration drift.

Setup Requirements

  • ⚠️ Requires Red Hat Registry credentials (`registry.redhat.io`) for RDS (Reference Design Specification) tools to function. These can be configured via Kubernetes secrets.
  • ⚠️ Designed for remote deployment; reference configurations must be provided via HTTP/HTTPS URLs or OCI container image references; local filesystem paths are not supported.
  • ⚠️ When providing a `kubeconfig`, exec-based authentication and deprecated auth provider plugins are explicitly blocked for security reasons; users must use token, client certificate, or OIDC authentication methods. Kubeconfig size limits also apply, which might necessitate creating a 'minimal kubeconfig' for OpenShift Lightspeed (OLS) integration.

Verified Safe
The server implements strong security measures. It explicitly blocks exec-based authentication and auth provider plugins in provided kubeconfigs to prevent arbitrary code execution, enforces size limits on kubeconfig inputs, and sanitizes error messages to prevent leakage of sensitive information. Container image extraction includes path traversal prevention and file size limits. The Kubernetes deployment uses good security practices such as `runAsNonRoot`, `seccompProfile: RuntimeDefault`, `allowPrivilegeEscalation: false`, and `drop: ALL` capabilities. However, the `ClusterRole` grants broad read-only access (`apiGroups: ['*'], resources: ['*'], verbs: ['get', 'list', 'watch']`) to the cluster, which is a functional requirement for a configuration comparison tool but means the server has visibility into all cluster resources. The `readOnlyRootFilesystem: false` is necessary due to temporary file operations and container image extraction.
Updated: 2026-01-19

Low Cost

MCPProbe

by PivotLLM

Sec8

A command-line utility for testing and debugging Model Context Protocol (MCP) servers by enumerating server capabilities and executing MCP tools.

Setup Requirements

  • ⚠️ Requires Go (1.24.3 or higher) to build from source.
  • ⚠️ Requires an existing MCP server (either a remote URL or a local executable for stdio mode) to test against.

Verified Safe
The utility uses `exec.Command` when operating in `stdio` transport mode to spawn a local MCP server executable specified by the user. While this is its intended functionality, it means the tool will execute an arbitrary binary provided by the user via the `-stdio` flag. Users must ensure that the specified executable is trusted. No 'eval' or obvious code obfuscation is present. HTTP headers can be customized, which is expected for an API testing client, but users should be mindful of sensitive data when connecting to untrusted endpoints. Debug output (when enabled) may expose raw MCP messages.
Updated: 2026-01-14

Low Cost

Calculates Islamic inheritance shares for cash and land, generating a PDF report with precise land distribution.

Setup Requirements

  • ⚠️ Requires Python 3.12 or higher
  • ⚠️ Requires specific Python packages: fastmcp, reportlab, uvicorn, httpx
  • ⚠️ Must be run using the 'fastmcp run' command, not directly with python

Verified Safe
The code primarily performs arithmetic calculations and PDF generation. There are no signs of 'eval', obfuscation, hardcoded secrets, or direct malicious patterns. Input validation for non-negative numerical inputs is not explicit in the provided code, though FastMCP handles basic type checks. This is a minor logical concern rather than a critical security flaw. The primary security considerations would relate to the FastMCP framework itself and the environment in which the server is deployed.
Updated: 2025-12-03

Medium Cost
Sec8

Provides a lightweight interface for AI agents to interact with the Bluesky social network, enabling reading, writing, and reactive capabilities.

Setup Requirements

  • ⚠️ Requires `BLUESKY_HANDLE` and `BLUESKY_PASSWORD` environment variables to be set, typically in a `.env` file.
  • ⚠️ Primarily designed and tested for Windows environments and the Antigravity IDE due to explicit Windows-specific I/O handling in the wrapper script.
  • ⚠️ Requires installation of Python dependencies, including `atproto` and `python-dotenv`.

Verified Safe
The server loads sensitive credentials (Bluesky handle and password) from environment variables using `dotenv`, which is a good practice to avoid hardcoding. No `eval` or obvious code injection vulnerabilities were found. Network interactions are confined to the official Bluesky API. The `mcp_wrapper.py` addresses Windows-specific standard I/O issues, which is a functional detail rather than a security concern. The primary security consideration remains the secure management of the `.env` file or environment variables on the host system.
Updated: 2026-01-19

Low Cost

ReGo.MCP

by krzysztofprz

Sec9

An MCP server designed to retrieve business entity details (from the Polish CEIDG and REGON databases) based on NIP, KRS, or REGON numbers using a C# application.

Setup Requirements

  • ⚠️ Requires a `regonApiKey` for the Polish REGON API.
  • ⚠️ The MCP server template is currently in an early preview stage, which might imply potential changes or unpolished aspects.

Verified Safe
The server template uses standard .NET practices, references a legitimate government API (REGON), and indicates that sensitive keys like `regonApiKey` should be provided via environment variables or command-line arguments rather than being hardcoded. No 'eval' or obvious malicious patterns were found in the provided snippets. The `ConnectedService.json` indicates a standard SOAP web service reference. A full security audit would require the complete codebase.
Updated: 2026-01-19