Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

0
0
Low Cost
dsblank icon

gramps-ez-mcp

by dsblank

Sec8

Provides an MCP server to enable AI assistants to query and interact with Gramps genealogy family tree data using natural language.

Setup Requirements

  • ⚠️Requires Gramps genealogy software to be installed and an existing Gramps family tree database.
  • ⚠️Requires `pip install gramps` (or Gramps installed system-wide).
  • ⚠️The provided database name must exactly match an existing Gramps database tree (case-sensitive).
Verified SafeView Analysis
The server exposes direct database operations (e.g., `open_database`, `get_raw_person_data`) via external inputs (`dbname`, tool arguments). The `open_database(dbname, force_unlock=True)` call in `session.py` could be a vulnerability if `dbname` is not sufficiently validated by the Gramps library, potentially allowing path traversal or unauthorized database access. The direct mapping of tool names to Python functions and argument passing means the security heavily relies on the robustness of the underlying Gramps functions against potentially malicious inputs from the AI assistant or direct HTTP requests to the SSE endpoint. No obvious hardcoded secrets or direct `eval` calls.
Updated: 2025-12-05GitHub
0
0
Low Cost
Ramakrishna-Gedala icon

mcp_emi_server

by Ramakrishna-Gedala

Sec9

This server exposes loan Equated Monthly Installment (EMI) calculation endpoints to MCP clients, acting as a proxy to a backend REST API.

Setup Requirements

  • ⚠️Requires Python 3.10+ and 'uv' package manager for environment management and execution.
  • ⚠️A separate EMI calculation REST API backend must be running and accessible at the `EMI_API_BASE_URL` (defaults to http://localhost:8000/api) for the server to function.
Verified SafeView Analysis
The server functions as a lightweight proxy and does not appear to contain malicious patterns, 'eval', or hardcoded sensitive secrets. It relies on an external, configurable backend for actual calculations, meaning its overall security is also dependent on the security of the proxied API. Input sanitization is implicitly handled by the backend API it calls.
Updated: 2025-11-27GitHub
0
0
Medium Cost
bunnyf icon

pcb-mcp

by bunnyf

Sec9

Facilitates AI-assisted PCB design workflow by providing an MCP (Model Context Protocol) server for KiCad 9.x.

Setup Requirements

  • ⚠️Requires a Virtual Private Server (VPS) with Ubuntu 22.04+ or Debian 12+.
  • ⚠️Requires KiCad 9.0.6+, Python 3.10+, Java 17+ (for FreeRouting), and xvfb (for headless rendering) installed on the VPS.
  • ⚠️Requires an MCP client (e.g., Claude Code with MCP support) and SSH access configured to the VPS.
Verified SafeView Analysis
The server demonstrates strong security practices for its operations. It explicitly implements path validation (`is_safe_path`, `validate_file_path`) to prevent directory traversal attacks and restricts file reading to designated project and task directories. Shell injection is prevented by using `shlex.quote()` when constructing commands for background tasks (e.g., auto-routing). The server does not use `shell=True` for `subprocess.run` by default and does not contain obvious hardcoded secrets. It relies on SSH for secure communication, as it interacts via stdin/stdout rather than directly opening network ports. The main residual risk would stem from vulnerabilities in the underlying KiCad CLI, pcbnew API, or FreeRouting, but the server itself aims to interface with these tools securely.
Updated: 2026-01-17GitHub
0
0
Medium Cost
Homalos icon

homalos-mcp

by Homalos

Sec8

A complete futures data analysis MCP service providing K-line data, technical indicators (KD, MACD), real-time updates via WebSocket, and historical data persistence in SQLite.

Setup Requirements

  • ⚠️Requires Node.js 20+ runtime environment.
  • ⚠️Relies on an external API (Sina Finance) for real-time data, which may have rate limits or availability issues.
  • ⚠️Requires `npm install` and `npm run build` before `npm start`.
Verified SafeView Analysis
The server fetches data from a third-party JSONP API (Sina Finance) and uses string manipulation followed by JSON.parse, which is safer than direct 'eval'. Futures contract symbols are concatenated into the API URL, which has a limited attack surface given the typical format of such symbols. WebSocket messages are also JSON parsed, and actions are restricted to known types ('subscribe', 'unsubscribe', 'ping'), minimizing arbitrary code execution risks. No apparent hardcoded secrets or malicious patterns.
Updated: 2025-11-27GitHub
0
0
Low Cost
Khushil-21 icon

demo-mcp-server

by Khushil-21

Sec9

A simple Model Context Protocol (MCP) server providing utility tools for dice rolling and number addition for MCP-compatible clients like Claude Desktop.

Setup Requirements

  • ⚠️Requires Python >= 3.11
  • ⚠️Requires UV package manager for installation and running
  • ⚠️Manual path configuration for UV may be needed for Claude Desktop integration if UV is not in system PATH.
Verified SafeView Analysis
The server exposes two simple, non-destructive tools: 'roll_dice' and 'add_numbers'. There are no indications of 'eval' usage, hardcoded secrets, or complex logic that could be exploited. The `mcp.run` binds to `0.0.0.0` for remote accessibility, which is standard for a server but requires a secure deployment environment.
Updated: 2026-01-17GitHub
0
0
Medium Cost
jrainbolt icon

McpServer

by jrainbolt

Sec9

Provides a REST API endpoint to proxy requests to OpenAI's chat models, serving as a backend for AI-powered chat functionalities.

Setup Requirements

  • ⚠️Requires an OpenAI API Key (Paid usage may apply).
  • ⚠️Requires Java Development Kit (JDK 17+) to build and run.
  • ⚠️Requires Maven or Gradle to build the Spring Boot application.
Verified SafeView Analysis
The application securely loads the OpenAI API key from environment variables or application properties, avoiding hardcoding. It uses WebClient with configured timeouts, retries for rate limits (429) and server errors (5xx), and comprehensive error logging, enhancing resilience and preventing unhandled API failures. No 'eval' or malicious patterns were found. The primary security risk involves proper management of the OpenAI API key outside the application.
Updated: 2025-11-24GitHub
0
0
Medium Cost
BACH-AI-Tools icon

tavily-mcp

by BACH-AI-Tools

Sec9

Provides an MCP server to enable AI models with real-time web search, data extraction, website mapping, and crawling capabilities via the Tavily API.

Setup Requirements

  • ⚠️Requires a Tavily API key (can be obtained from tavily.com).
  • ⚠️Node.js v20 or higher is required.
  • ⚠️Potential for high token cost if `include_raw_content` is enabled or extensive crawl/extraction results are returned.
Verified SafeView Analysis
The server uses `process.env.TAVILY_API_KEY` for API key management, preventing hardcoded secrets. It relies on `@modelcontextprotocol/sdk` for schema validation of tool inputs, which helps mitigate injection risks. Network requests are handled by `axios`, a standard and secure HTTP client. No direct `eval` or shell command execution from user input was identified. Error handling for API calls is present. The server's primary function is to proxy requests to a third-party API (Tavily), limiting direct processing of arbitrary user input beyond defined tool schemas.
Updated: 2025-12-04GitHub
0
0
Medium Cost
Meshyarn icon

kairo

by Meshyarn

Sec7

A codebase intelligence and automation tool, providing functionalities for semantic search, code analysis, architectural understanding, and automated code modifications across multi-repository and multi-language environments.

Setup Requirements

  • ⚠️Requires downloading or pre-positioning large embedding models (e.g., 'multilingual-e5-small') from Hugging Face for local execution, which can consume significant disk space and bandwidth during initial setup.
  • ⚠️Relies on Tree-sitter WASM grammar files for AST parsing and a native Rust core module (`core_rs.node`) for performance-critical tasks. This may require specific build environments or pre-built binaries to be available for the target platform.
  • ⚠️Builds and maintains several persistent indexes (symbols, documents, embeddings, trigrams) on disk within a `.kairo` directory. For large codebases, this can consume substantial disk space and incur I/O overhead.
Verified SafeView Analysis
The server uses `child_process` for system-level commands (e.g., `prettier`, `grep`, custom alert commands in `AlertDispatcher`), which introduces a potential vector for command injection if inputs are not properly sanitized. Network activity is present for metrics/alerts but is not central to data processing. No direct use of `eval` or obvious hardcoded secrets. The architecture emphasizes offline-first operation, reducing external network attack surfaces for core logic.
Updated: 2026-01-19GitHub
0
0
Low Cost
fairyto2 icon
Sec4

Provides a Model Context Protocol (MCP) service for AI assistants to securely manage SSH connections, execute commands, perform file operations, and maintain multi-turn interactive sessions on remote servers.

Setup Requirements

  • ⚠️Requires Python 3.13+
  • ⚠️Requires 'uv' package manager for installation and running commands.
  • ⚠️Default remote server config (config/remote_config.json) has authentication disabled; MUST be configured for secure use.
Review RequiredView Analysis
The default remote server configuration (`config/remote_config.json`) sets `enable_auth: false`, which is a critical security vulnerability for any network-exposed service. It also uses a placeholder `jwt_secret`. In `SSHConnectionManager`, `paramiko.AutoAddPolicy()` is used, automatically adding new host keys without verification, which is susceptible to Man-in-the-Middle attacks. Command execution directly uses input arguments from MCP requests, making robust authentication to the MCP server itself paramount. It's not safe for production use without configuring authentication and strong secrets.
Updated: 2026-01-19GitHub
0
0
Medium Cost
mbrown007 icon

sm3_agent

by mbrown007

Sec6

An intelligent AI chat agent for multi-customer monitoring infrastructure, supporting natural language queries and proactive anomaly detection across Grafana, AlertManager, and Genesys Cloud.

Setup Requirements

  • ⚠️Requires OpenAI API Key (Paid)
  • ⚠️Docker & Docker Compose are essential for quick start and development setups
  • ⚠️Frontend requires backend server running on `http://localhost:8000`
Verified SafeView Analysis
The development Docker Compose configuration mounts `/var/run/docker.sock` into the agent container. This is a significant security risk as a compromise of the agent container could lead to host compromise. The agent also uses an LLM to interpret commands and interact with the monitoring infrastructure, which presents a general risk of prompt injection or unintended actions if the LLM generates malicious tool inputs. However, command execution is restricted by a configurable allowlist (`MCP_COMMAND_ALLOWLIST`) and defaults to a 'suggest' mode (`MCP_EXECUTION_MODE=suggest`), mitigating arbitrary command execution. Environment variables are validated using Pydantic, which is a good practice.
Updated: 2026-01-19GitHub
0
0
High Cost
williamayal icon

wetrack-mcp-server

by williamayal

Sec2

Provides an MCP (Model Context Protocol) server for AI models to generate and execute MongoDB aggregation pipelines on financial event data.

Setup Requirements

  • ⚠️Requires an OpenAI API Key (paid service) for pipeline generation.
  • ⚠️Requires a running MongoDB instance and database URI.
  • ⚠️For remote access, requires Ngrok or similar tunnelling solution.
Review RequiredView Analysis
Critical vulnerability: The main '/mcp' endpoint, which handles AI tool calls, has its authentication mechanism explicitly commented out (disabled) in `src/server_http.py`, making it publicly accessible regardless of `.env` settings. OAuth2 and Bearer tokens are stored in a local JSON file (`oauth_tokens.json`) for persistence, which is insecure for production. CORS is set to allow all origins ('*'). The server executes LLM-generated MongoDB pipelines directly, posing a risk if the LLM is compromised or misaligned, as it could generate destructive operations (though aggregation views typically mitigate some direct write risks).
Updated: 2025-12-01GitHub
0
0
Low Cost
Khushi-c-sharma icon
Sec9

Provides AI-powered budgeting, smart expense tracking, and affordability insights via the Model Context Protocol (MCP) for financial management.

Setup Requirements

  • ⚠️Requires Python 3.10 or higher.
  • ⚠️Requires specific configuration in Claude Desktop for integration, including an absolute path to the 'server.py' file.
Verified SafeView Analysis
The server uses parameterized queries for SQLite database interactions, effectively preventing SQL injection vulnerabilities. Input validation is present for categories, dates, and amounts across various tools. Sensitive data (budgets, expenses) is stored locally in SQLite and JSON files, which is secure for a single-user local application but requires secure system management. No hardcoded API keys or external network risks were identified as it runs via stdio transport (FastMCP). The flexible date/category parsing handles invalid inputs gracefully without crashing or exposing errors.
Updated: 2025-12-05GitHub
PreviousPage 315 of 713Next