Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

0
0
Medium Cost
cbxss icon

findmy-mcp

by cbxss

Sec9

Fast, concurrent Model Context Protocol (MCP) server discovery and analysis tool for security research.

Setup Requirements

  • ⚠️Requires Python 3.12+.
  • ⚠️uv is recommended for dependency management.
  • ⚠️Requires a Shodan API Key (can incur costs depending on usage and subscription).
Verified SafeView Analysis
The project is explicitly designed for security research, involving network scanning and interaction with external services (Shodan API, discovered MCP servers). It uses Pydantic for robust data validation, `httpx` for secure HTTP requests with configurable SSL verification, and `asyncio` with semaphores for controlled concurrency. Shodan API keys are properly managed via environment variables or `.env` files, preventing hardcoding. File operations for saving results use `pathlib.Path` which helps mitigate simple path traversal. No `eval` or similar dangerous patterns were found. The project clearly states ethical usage guidelines. The main 'risk' is inherent to its function as a scanning tool, which is properly mitigated by design choices and ethical disclaimers.
Updated: 2025-12-01GitHub
0
0
Low Cost
chrisjeane icon

Log4MCP

by chrisjeane

Sec4

A high-performance, thread-safe logging server for distributed, multi-tenant applications, and integrating logging capabilities into AI contexts using MCP over JSON-RPC 2.0.

Setup Requirements

  • ⚠️Requires Swift 6.2+
  • ⚠️Requires local clone of MCPServer repository due to local package dependency path.
  • ⚠️Full Xcode installation required for running tests on macOS, Command Line Tools are insufficient.
Verified SafeView Analysis
The server explicitly states it has no built-in authentication or authorization, binding by default to '0.0.0.0' (external-facing). It's suitable for trusted environments only. Production use requires external authentication (OAuth2, mTLS), rate limiting, input validation, and log sanitization/redaction as recommended by the developers. No 'eval' or obvious malicious patterns found, but the lack of fundamental security features makes it unsafe for untrusted networks.
Updated: 2025-11-27GitHub
0
0
Low Cost
toomy1992 icon

wealthfolio-mcp

by toomy1992

Sec8

An MCP server that integrates with Wealthfolio to provide portfolio data, valuations, and analytics to OpenWebUI and other MCP-compatible applications.

Setup Requirements

  • ⚠️Requires a Wealthfolio API Key
  • ⚠️Requires Python 3.10+
Verified SafeView Analysis
The server uses `pydantic_settings` to load API keys and base URLs from environment variables or a `.env` file, which is a good practice for secret management. No `eval` or `exec` functions were found. The `httpx` client handles HTTP errors appropriately with `raise_for_status`. FastAPI provides a robust framework with input validation (explicitly enhanced in custom OpenAPI schema for UUID formats). Error handling uses `HTTPException` for server-side issues. The `Dockerfile` uses a minimal Python base image. The project actively documents security best practices in `AGENTS.md`. Potential improvements could include explicit server-side UUID validation beyond OpenAPI hints, and implementing authentication/rate limiting as mentioned for future enhancements, but for its current scope, it is well-secured.
Updated: 2026-01-13GitHub
0
0
Medium Cost
PasanIS icon

mcp-server

by PasanIS

Sec8

This server acts as a Model Context Protocol (MCP) intermediary, enabling a chatbot (e.g., Claude) to interact with a Restaurant FastAPI backend for menu, order, customer, and analytics management.

Setup Requirements

  • ⚠️Requires a separate FastAPI backend server to be running and accessible.
  • ⚠️Requires Python 3.12 or newer.
  • ⚠️The BASE_URL for the FastAPI backend must be configured via a BASE_URL environment variable or by editing 'src/backend_mcp/server.py'.
Verified SafeView Analysis
The server uses httpx for making requests and pydantic-settings for configuration, allowing sensitive data like API keys to be loaded from environment variables or .env files, avoiding hardcoding. It acts as a proxy, so the ultimate security depends on the FastAPI backend it connects to. No 'eval' or other direct code execution vulnerabilities were found. Basic error handling is present for HTTP requests. Authentication details for customer/staff login are forwarded to the backend API.
Updated: 2026-01-19GitHub
0
0
Low Cost
Ethan-sonic icon

Data-store-engine

by Ethan-sonic

Sec8

A local, embedded key-value storage solution providing efficient data storage and retrieval with features like caching, data compaction, and probabilistic data structures.

Setup Requirements

  • ⚠️Requires a Go development environment (SDK) to build and run from source.
  • ⚠️The `main.go` imports `NASP_projekat/Engine`, implying a specific Go module path or directory structure must be set up correctly (e.g., in GOPATH or using `go.mod`).
Verified SafeView Analysis
The file permissions (0777) used for creating data files (`os.OpenFile`) are very permissive. While common for local data files, it might be a concern in multi-user environments. No other obvious critical security risks like network exposure, 'eval' usage, or hardcoded credentials were found in the provided source code.
Updated: 2026-01-19GitHub
0
0
Low Cost
mohanchandrass icon

QA-MCP-Server

by mohanchandrass

Sec9

A knowledge-powered Q&A and action bot that uses the Model Context Protocol (MCP) to provide configurable responses, deterministic intent resolution, and controlled action triggering, suitable for enterprise support.

Setup Requirements

  • ⚠️Requires Python 3.11+
  • ⚠️Requires Docker (for the recommended server deployment method)
  • ⚠️Requires a Gemini API Key (must be set as GEMINI_API_KEY environment variable)
Verified SafeView Analysis
The system employs a strong security posture by strictly limiting the LLM's role to language generation and decoupling it from critical decision-making (intent resolution, action triggering, escalation). All core logic is deterministic and configuration-driven. Configuration files are loaded using `yaml.safe_load`, and API keys are retrieved from environment variables. No 'eval' or direct code injection vulnerabilities were found. The server binds to `0.0.0.0:8000`, a standard practice for Dockerized services, but requires proper network segmentation/firewalling in production.
Updated: 2026-01-17GitHub
0
0
High Cost
developer-zht icon

mcp-servers

by developer-zht

Sec9

Provides AI assistants with the ability to summarize video and audio content, specifically Bilibili videos.

Setup Requirements

  • ⚠️Requires Node.js >= 18.0.0 and pnpm >= 8.0.0.
  • ⚠️Requires API keys for chosen LLM provider (e.g., OpenAI or Gemini), which are typically paid services.
  • ⚠️May require a Bilibili session token (AUTHORIZATION_BILIBILI_SESSION_KEY) for accessing certain video subtitles, potentially involving manual cookie extraction.
  • ⚠️Configuration relies on a `.env` file, which must be created and populated manually from `.env.example`.
Verified SafeView Analysis
Sensitive API keys (for LLMs and Bilibili sessions) are correctly managed via environment variables, reducing the risk of hardcoded secrets. External API calls are directed to trusted services (Bilibili, OpenAI, Gemini). The use of `JSON.parse` in a script is for processing trusted API stream data, not arbitrary user input. The project adheres to a monorepo structure with good practices for dependency management and TypeScript, which helps maintain code quality and prevent common vulnerabilities.
Updated: 2025-12-31GitHub
0
0
Medium Cost
a-fleury icon

journal-me

by a-fleury

Sec3

An AI-powered conversational journaling application that helps users track life events, summarize activities, and get reminders by interacting with an LLM.

Setup Requirements

  • ⚠️Requires Java SDK 21 and sbt
  • ⚠️Requires Docker and Docker Compose for database setup
  • ⚠️Requires Cursor IDE for full MCP integration
Verified SafeView Analysis
CRITICAL: The application is explicitly designed to receive user credentials (email, password) and session tokens directly within LLM prompts (Model Context Protocol). This method is noted as a 'playful twist' for a 'school project' and 'Not recommended for production use'. However, this design fundamentally leaks sensitive information to the LLM and its provider, making it highly insecure for any real-world use case. Session tokens are also passed in the prompt, further increasing the risk of exposure.
Updated: 2025-12-15GitHub
0
0
Low Cost
chatkausik icon

mcpserverexample

by chatkausik

Sec9

Provides a Model Context Protocol (MCP) server that exposes a simple 'add' tool for numerical operations.

Setup Requirements

  • ⚠️Requires Python 3.13 or higher (pyproject.toml specifies >=3.13, while README states 3.8+).
  • ⚠️Requires the 'uv' package manager for installation and local development.
  • ⚠️Installation and running directly from a Git URL using uvx requires an active internet connection.
Verified SafeView Analysis
The provided source code is minimal and implements a basic 'add' function. No 'eval', 'exec', shell command injection, hardcoded secrets, or obfuscation were found. The security score reflects the simplicity of the logic and the absence of obvious vulnerabilities in the presented code. The underlying 'FastMCP' framework's security is assumed but not audited here.
Updated: 2025-12-02GitHub
0
0
Low Cost
chrisllontop icon

mcp-toolkit

by chrisllontop

Sec7

A desktop application for organizing and securely managing Model Context Protocol (MCP) servers and their configurations for various AI tools across different projects.

Setup Requirements

  • ⚠️Requires OS-native keychain access (macOS Keychain, Windows Credential Manager, Linux Secret Service).
  • ⚠️For development, requires a Rust toolchain, Node.js (v20+), and pnpm.
  • ⚠️When running tests, the development server (`pnpm dev`) must be running separately.
Verified SafeView Analysis
Uses OS-native keychain for storing the master encryption key, which is a strong security practice (AES-256-GCM encryption). A `MCP_TEST_MODE` environment variable can bypass keychain interaction and use a deterministic test key, explicitly marked for non-production use. The application's core functionality involves executing user-defined `command` and `args` for `Binary` and `Docker` MCP types, relying on user trust in configured MCPs. The frontend `tauri.conf.json` sets `csp: null`, which removes Content Security Policy, potentially increasing risk if an XSS vulnerability were to exist in the UI.
Updated: 2025-12-11GitHub
0
0
Medium Cost
czabriskie icon

mcp-server

by czabriskie

Sec7

A generic, extensible Model Context Protocol (MCP) server providing weather and time tools, with an optional web interface for interactive testing with AWS Bedrock Claude models.

Setup Requirements

  • ⚠️Requires an AWS Account and configured AWS Bedrock access (paid services).
  • ⚠️Anthropic Claude models, necessary for MCP tool support, require filling out a 'Use Case form' in the AWS Bedrock console and typically have a ~15 minute approval time.
  • ⚠️Requires Python 3.10 or newer.
Verified SafeView Analysis
The `web_app` component is explicitly marked as 'not production-ready' in its README and source code, featuring broad CORS (`allow_origins='*'`), binding to all interfaces (`0.0.0.0`), and lacking authentication/authorization. This poses significant security risks if deployed in a production environment. The `TimeTools` module uses `http://ip-api.com/json` for geolocation, which is unencrypted HTTP, although the data transferred is not highly sensitive. The server is designed to run locally via stdio, limiting direct network exposure for the core components. AWS credentials must be configured securely via environment variables or AWS CLI, not hardcoded. Client IP injection into tools is handled with some sanitization (skipping private IPs) but does not prevent arbitrary public IP queries.
Updated: 2025-11-22GitHub
0
0
High Cost
mrvivekkr icon
Sec6

Generates AI-powered Markdown and HTML documentation for GitHub repositories by analyzing their structure, open issues, pull requests, and branches.

Setup Requirements

  • ⚠️Requires OpenAI API Key (Paid)
  • ⚠️Requires GitHub Personal Access Token (with 'repo' and 'user' scopes)
  • ⚠️Requires manual building and copying of custom Go binaries (`github-mcp-server` and `mcpcurl`)
Verified SafeView Analysis
The system executes external Go binaries (`mcpcurl` and `github-mcp-server`) using `subprocess.Popen` with arguments constructed from user input (GitHub owner, repo, path). While `subprocess` is used with a list of arguments (mitigating shell injection), the security relies heavily on the robustness of these external binaries against argument injection or malicious input parsing. Additionally, a hardcoded Django `SECRET_KEY` and `DEBUG = True` are present, which are unsuitable for production environments.
Updated: 2025-11-24GitHub
PreviousPage 317 of 713Next