Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

Vetted Servers (8554)

Low Cost

terpene-mcp-server

by dmarsters

Sec9

A FastMCP server providing deterministic mapping of terpene compounds to visual parameters for image generation, including temporal stages and master prompts for LLM fusion.

Setup Requirements

  • ⚠️ Requires the 'fastmcp' framework to be installed via pip.
  • ⚠️ Production deployment is specifically designed for 'FastMCP Cloud' platform, which might require specific infrastructure or account setup for broader cloud deployments.

Verified Safe
The server's core logic is based on deterministic dictionary lookups within hardcoded data, with no apparent use of 'eval' or other dynamic code execution from user input. Inputs for terpene names are sanitized by converting to lowercase and stripping whitespace before being used as dictionary keys, minimizing injection risks. No hardcoded secrets or direct external network calls are evident in the provided application logic. The project explicitly states 'zero LLM cost', indicating that the server itself does not invoke LLMs internally, further reducing related security risks. Assumes the 'FastMCP' library itself is secure.
Updated: 2025-11-29

High Cost

mcp_server

by wfnian

Sec9

Provides real-time and historical weather, air quality, and time information via an MCP server, integrating with external APIs.

Setup Requirements

  • ⚠️ Requires Python 3.9+ for 'zoneinfo' module.
  • ⚠️ Relies on external Open-Meteo Weather and Air Quality APIs (free tier available with potential usage limits).
  • ⚠️ City names for weather and air quality lookups must be in English for proper geocoding.

Verified Safe
The server primarily makes HTTP requests to Open-Meteo APIs. Input parameters for city, dates, and timezones are directly inserted into URL query strings. While this approach is standard for GET requests, it relies on the upstream Open-Meteo API to correctly handle these as data rather than executable commands. There are no obvious signs of 'eval', 'exec', or direct OS command injection vulnerabilities within the provided code. Input validation focuses on the presence of required arguments. No hardcoded secrets were found; API keys for Open-Meteo are typically not required for free-tier access. The server supports multiple modes (stdio, SSE, streamable-http) for communication.
Updated: 2026-01-19

Medium Cost

mcp-browse-me

by gmunumel

Sec2

A simple Model Context Protocol (MCP) 'Hello World' application demonstrating basic client-server communication with an AI agent capable of using tools and maintaining state.

Setup Requirements

  • ⚠️ Requires Python 3.10 or higher.
  • ⚠️ Requires Docker and Docker Compose for database (PostgreSQL/SQLite) and optional vector memory (ChromaDB).
  • ⚠️ Requires an OpenAI API Key for AI Agent functionality (paid service).

Review Required
CRITICAL: The `query_database` tool, exposed directly via the `/actions` API endpoint and callable by the agent, executes arbitrary SQL queries directly from user input without sanitization. This leads to severe SQL injection vulnerabilities. Similarly, the `browse_files` tool allows arbitrary path browsing, posing a local file exposure risk. Although `DATABASE_URL` and `OPENAI_API_KEY` are loaded from `.env`, this does not mitigate the critical lack of input validation for tool arguments directly provided by potentially untrusted users or generated by the agent.
Updated: 2025-11-21

Low Cost
Sec9

Facilitates advanced software development workflows by bridging Claude Code's reasoning with Gemini CLI's context compression for codebase analysis, specification, review, and documentation.

Setup Requirements

  • ⚠️ Requires Gemini CLI (installed via npm) and prior authentication.
  • ⚠️ Requires Python 3.11+.

Verified Safe
The server interacts with the local filesystem and executes the `gemini` CLI via subprocess. Input validation for parameters like `output_dir` (using `Path.resolve()`) and enum-type arguments mitigates risks. Prompts to Gemini are passed via stdin, which is safer than command-line arguments. No dangerous patterns like `eval` or hardcoded critical secrets were found. File system operations are within expected boundaries for a developer tool.
Updated: 2025-11-20

Low Cost

my_mcp_employee_server

by sattiPavan1999

Sec9

Provides a micro-tool server for managing employee records (CRUD operations) via an MCP API.

Setup Requirements

  • ⚠️ The 'mcp' CLI tool must be installed globally or available in the PATH to use 'mcp install' and 'mcp dev'.
  • ⚠️ The 'init_db.py' script must be run manually once to create the 'employees.db' file and its schema before the server can operate correctly, which is not explicitly mentioned in the README's server run instructions.

Verified Safe
The server uses parameterized queries for all database operations, effectively preventing SQL injection vulnerabilities. No 'eval' or similar dangerous functions are present. Database connection management includes proper closing for production but keeps connections open for in-memory testing, which is acceptable. The system operates with a local SQLite database, minimizing network-based attack vectors beyond the MCP server itself. There are no apparent hardcoded secrets.
Updated: 2025-11-25

Medium Cost

intervals-icu-mcp

by dballinger

Sec9

Integrates with the intervals.icu API to access and manage athlete training data through a Model Context Protocol (MCP) server.

Setup Requirements

  • ⚠️ Requires an Intervals.icu API Key (obtained from intervals.icu settings)
  • ⚠️ Requires an Intervals.icu Athlete ID (found in intervals.icu URL)
  • ⚠️ Requires Node.js and a build step (`npm run build`) before execution
  • ⚠️ Requires manual configuration in Claude Desktop's `claude_desktop_config.json`

Verified Safe
The server correctly loads API credentials from environment variables and logs sanitized versions. Input validation for tool arguments is performed using Zod schemas. All external API communication is via HTTPS. The `update_workout` tool performs a delete followed by a create, with a critical error path if the creation fails after deletion. Extensive logging to a debug file is implemented, which includes a preview of API responses. While credentials are sanitized, small full API response bodies might be logged for debugging, potentially exposing user data if the log file is not properly secured, although this is a common debug practice and not a direct vulnerability in data handling or authentication.
Updated: 2025-12-10

Medium Cost

simple-ai-chat-mcp-connection

by dumitrubogdanmihai

Sec8

A simple AI chat interface connected to an MCP server for inspecting and troubleshooting AI API requests and tool usage.

Setup Requirements

  • ⚠️ Requires an OpenAI API Key (which is a paid service).
  • ⚠️ Requires the local MCP server to be running in conjunction with the frontend application for full functionality (managed by `npm run dev:all`).
  • ⚠️ Manual entry of MCP connection configuration in the UI requires valid JSON input for server details.

Verified Safe
The application handles the OpenAI API key client-side, sending it directly to OpenAI and not storing it, which is a good practice. The MCP server configuration and tool arguments are parsed from JSON inputs (from UI or LLM responses); while a malformed input could cause runtime errors, there are no obvious direct code injection vulnerabilities due to this parsing in the current browser-based context. The local MCP server implements basic tools with input validation using Zod.
Updated: 2026-01-18

Medium Cost

baremcp

by barecommerce-core

Sec10

Manage BareCommerceCore e-commerce stores using AI assistants via the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️ Requires Bun runtime (v1.x+) for optimal performance, though Node.js is a fallback.
  • ⚠️ Manual configuration of the MCP client (e.g., editing `claude_desktop_config.json`) is necessary for client discovery.
  • ⚠️ Authentication uses an interactive browser-based OAuth Device Flow, requiring user interaction if `BARECOMMERCE_API_KEY` is not pre-configured.

Verified Safe

The server demonstrates strong security practices:
  • OAuth Device Flow prevents API keys from being exposed in chat.
  • Credentials are encrypted at rest with AES-256-GCM using a machine-specific key, ensuring confidentiality and integrity.
  • Webhook URLs are rigorously validated to prevent Server-Side Request Forgery (SSRF) by blocking private IPs and non-HTTPS schemes.
  • Command injection is prevented by using 'child_process.spawn' with array arguments for browser opening.
  • Sensitive information is sanitized from error messages to prevent disclosure in client responses.
  • Extensive Zod schemas are used for input validation across all tools.
  • Explicit privacy policy states no telemetry or analytics collection.
Updated: 2025-12-16

Medium Cost

starling-bank-mcp

by domdomegg

Sec8

Integrate AI systems with Starling Bank API to manage accounts, view transactions, and initiate payments.

Setup Requirements

  • ⚠️ Requires a Starling Bank personal access token with appropriate scopes.
  • ⚠️ Requires Node.js installed to run via npx or directly.
  • ⚠️ Advanced setup for payment functionality requires generating ECDSA keys, uploading public keys to Starling Developer Portal, and providing the private key to the server.
  • ⚠️ If using HTTP transport, external authentication/security (e.g., a reverse proxy) is critical as the server itself lacks built-in authentication for this mode.

Verified Safe
The server handles sensitive financial data and API access tokens. Access tokens and private keys for payment signing are loaded from environment variables, which is a good practice to avoid hardcoding. Input schemas are validated using Zod, reducing risks from malformed inputs. However, the configurable `STARLING_BANK_BASE_URL` environment variable could allow redirection to a malicious API if the environment is compromised. The HTTP transport option explicitly warns that it lacks authentication and should only be used behind a reverse proxy or in a secured setup, indicating a potential network risk if this warning is ignored.
Updated: 2026-01-07

Medium Cost

flight_agent

by fw2274

Sec8

A multi-agent system enabling voice or text-activated flight searches using LLMs, real-time APIs, and local speech recognition.

Setup Requirements

  • ⚠️ Requires Rust to build the local voice-to-text MCP server.
  • ⚠️ Requires a functional microphone for voice input.
  • ⚠️ Requires Amadeus API credentials (free tier available, but registration needed).
  • ⚠️ Requires a Google API key for Gemini LLM calls (free tier available, but registration needed).
  • ⚠️ Requires downloading a Whisper AI model (~75MB-466MB disk space).

Verified Safe
The project uses environment variables for API keys (GOOGLE_API_KEY, AMADEUS_API_KEY, AMADEUS_API_SECRET), which is a good practice. Communication with the local Rust-based voice-to-text MCP server happens over stdin/stdout via JSON-RPC, which is relatively secure for local inter-process communication. External API calls (Amadeus, Google Gemini) inherently introduce third-party risks, but are standard practice. No obvious 'eval' or malicious patterns found in the provided Python code.
Updated: 2025-12-05

Medium Cost

mcp-dst

by Darkstar326

Sec9

An MCP server that exposes Danmarks Statistik's API as programmable resources for integration with Large Language Models and AI applications, enabling natural language data analysis.

Setup Requirements

  • ⚠️ Requires Python 3.9+
  • ⚠️ Requires `mcp`, `requests`, `pydantic`, `httpx` Python packages

Verified Safe
The server attempts to programmatically install the `requests` library if missing using `pip.main()`. While functional, relying on `pip.main()` is not recommended for robust dependency management in deployed applications; dependencies should be managed and installed beforehand. No other significant security risks were identified.
Updated: 2025-11-28

Medium Cost

hoopie-infra

by ruibrasfernandes

Sec8

Provides a backend infrastructure for a service, likely integrating with AI models for server management or related tasks.

Setup Requirements

  • ⚠️ Requires Python (version likely specified in .python-version file)
  • ⚠️ Requires 'uv' for dependency management (uv sync or uv install)
  • ⚠️ Requires Anthropic Claude API Key (Paid service)

Verified Safe
No obvious 'eval' or obfuscation from file names. Multiple .env files (.env, .env.dev, .env.prod, .env.stag) indicate good practice for managing environment-specific configurations. 'deploy.sh' suggests automated deployment, which can be secure if implemented correctly. Actual code review would be necessary for a full security assessment.
Updated: 2025-11-19