Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost

mcp_server

by vuphandungha

Sec5

A general-purpose server component; its specific functionality is unknown due to missing source code for analysis.

Review Required
A thorough security audit could not be performed as the source code was not provided for analysis. The score is a neutral placeholder. Common risks such as hardcoded secrets, injection vulnerabilities, 'eval' usage, or network-related security flaws cannot be assessed without access to the code.
Updated: 2025-11-29

Low Cost
Sec4

Provides customer support and helpdesk capabilities with Basic Authentication and role-based access control.

Verified Safe
CRITICAL: Hardcoded plaintext user credentials (passwords) are present in `src/auth.ts`, which is a severe security vulnerability for a production system. Default HTTP transport (port 5001) means Basic Auth credentials are sent unencrypted over the network, making them vulnerable to eavesdropping. The code explicitly notes that in production, passwords should be hashed and HTTPS must be used. For a local demo, this is acceptable, but not for any public-facing or production deployment.
Updated: 2026-01-13

High Cost

aistudio-gemini-mcp

by xumingjun5208

Sec7

Acts as a bridge for MCP clients to interact with Google Gemini models, enabling multi-turn conversations, file/image analysis, and web search capabilities.

Setup Requirements

  • ⚠️ Requires AIStudioProxyAPI backend running on `http://127.0.0.1:2048` or a configured URL.
  • ⚠️ Requires `uv` package manager for dependency installation (recommended).
  • ⚠️ Requires Google Gemini API access (mediated via AIStudioProxyAPI).

Verified Safe
Relies on the external AIStudioProxyAPI for all AI interactions, requiring trust in that backend service. File access for prompts is limited to the server's current working directory and the configurable `GEMINI_PROJECT_ROOT`; malicious clients could potentially attempt to read local files within this scope if not carefully configured. No 'eval' or hardcoded secrets found.
Updated: 2025-12-03

Medium Cost

ckan-mcp

by openascot

Sec8

Exposes CKAN open-data portals to AI assistants and other MCP-aware clients for data discovery, analysis, retrieval, and local downloads.

Setup Requirements

  • ⚠️ Requires Python 3.11+.
  • ⚠️ Requires `curl` and the POSIX `file` command to be available on the system's PATH for dataset downloading.
  • ⚠️ Uses `uv` or `pip` for Python dependency management. `uv` is recommended in the contributing guide.

Verified Safe
The server uses `curl` and the `file` command via subprocesses for downloading and MIME type detection, which introduces a dependency on external binaries. While arguments are explicitly passed to mitigate command injection risks, it's a known vector. Archive extraction includes directory traversal protection (`_ensure_within_directory`). API keys are handled via environment variables or explicit tool arguments, not hardcoded. Overall, reasonable security practices are in place for the current scope.
Updated: 2025-11-30

Medium Cost

bedrock-kb-mcp

by mikelovesrobots

Sec8

This server is designed to provide an API endpoint for a knowledge base, likely interacting with the Model Context Protocol.

Setup Requirements

  • ⚠️ TypeScript Execution: The `start` script `node src/index.ts` will likely fail as Node.js cannot directly execute `.ts` files. It requires `ts-node` (not listed as a dependency) or a prior TypeScript compilation step (no explicit `build` script or `prestart` hook).
  • ⚠️ Model Context Protocol Configuration: Interaction with `@modelcontextprotocol/sdk` will require specific configuration (e.g., API keys, endpoint URLs) for the Model Context Protocol, which are not defined in the provided code.

Verified Safe
No explicit security risks like 'eval', code obfuscation, or hardcoded secrets were found in the provided truncated source code. It utilizes standard and common libraries like Express and Zod. The `@modelcontextprotocol/sdk` dependency includes `express-rate-limit`, which is a positive security practice for API servers. A full security audit would require access to the complete application logic.
Updated: 2025-11-23

Low Cost

MCP_Server

by datacool

Sec9

An MCP server designed to fetch real-time weather information based on the user's IP address by integrating with ipinfo.io and Open-Meteo APIs.

Setup Requirements

  • ⚠️ Requires Python 3.x environment
  • ⚠️ Requires `fastmcp` Python package
  • ⚠️ Requires `requests` Python package

Verified Safe
The server makes HTTP GET requests to external, well-known APIs (ipinfo.io and open-meteo.com). There are no 'eval' calls, obfuscated code, or hardcoded secrets. URLs are constructed with latitude and longitude derived from a trusted IP geo-location service, minimizing injection risks. Error handling is present for network requests.
Updated: 2025-12-13

Low Cost

mcp-server-test

by MosJefOrg

Sec10

To define and list available MCP (Multiplayer Compatibility Protocol) servers, serving as a configuration or discovery file for client applications.

Verified Safe
The provided source code is a static JSON configuration file. It contains no executable code, 'eval' statements, obfuscation, or hardcoded secrets. Its inherent security risk is minimal. Any potential security risks would stem from how a client application consumes and utilizes the 'url' fields, not from the file itself.
Updated: 2025-11-19

Low Cost

mcp_unhcr

by rvibek

Sec9

Provides AI agents with access to UNHCR data on forcibly displaced persons for population statistics, asylum applications, and decisions.

Setup Requirements

  • ⚠️ Requires Python 3.10 or higher.
  • ⚠️ Requires installation of Python packages 'mcp', 'fastmcp', 'requests', and 'smithery'.

Verified Safe
The server code does not use 'eval' or 'exec'. It makes HTTP requests to a known external API (api.unhcr.org) without requiring an explicit API key in the provided code. No obvious hardcoded credentials are present. The 'os.environ["ALLOWED_HOSTS"] = "*"' setting, while broad for a traditional web application, is common for MCP servers or local development and does not inherently introduce code injection vulnerabilities. Input parameters are used in API requests but not directly in command execution or file paths.
Updated: 2025-12-13

Low Cost

mcp_todo

by thijs-hakkenberg

Sec8

A Git-based Model Context Protocol (MCP) server for collaborative todo management, accessible via Claude Desktop/Code, a web-based Kanban board, and an upcoming Telegram bot.

Setup Requirements

  • ⚠️ Requires manual initialization of a local Git repository for todo storage (git init, initial commit).
  • ⚠️ The Telegram bot component, when fully implemented, will require a local Ollama instance (gemma2:2b model) for natural language processing.
  • ⚠️ The Telegram bot component requires a Telegram Bot Token and an Authorized User ID for access control.

Verified Safe
The server executes local 'node' and 'git' commands based on user-configured environment variables (e.g., TODO_REPO_PATH). This is fundamental to its functionality, and good practices such as non-root container execution, input validation (UUIDs), and XSS prevention for the web UI are in place; even so, a compromised environment or malicious configuration of these variables could pose a risk. No direct 'eval' or obvious malicious patterns were found in the source code.
Updated: 2026-01-19

Low Cost

mm2024-mcp

by frcooper

Sec4

Provides a Model Context Protocol server to automate MediaMonkey 5/2024 on Windows via its COM interface, enabling control and plugin development.

Setup Requirements

  • ⚠️ Requires Windows host with MediaMonkey 5+/2024 installed.
  • ⚠️ Requires Python 3.11+.
  • ⚠️ Relies on `pywin32` for COM automation, which is Windows-specific.
  • ⚠️ Requires an MCP host (e.g., VS Code with Copilot) to interact with the server.

Verified Safe
The `run_javascript` tool executes arbitrary JavaScript code within the MediaMonkey application's context. While designed for advanced automation and plugin development by trusted MCP hosts, this capability poses a significant security risk if untrusted inputs are passed or the hosting environment is compromised. A malicious script could potentially access local files, network resources, or interact with other applications through MediaMonkey's JS bridge. Other COM interactions are limited to documented MediaMonkey APIs.
Updated: 2025-12-21

Medium Cost

greenroom

by chrisbrickey

Sec9

Provides entertainment recommendations and analysis utilities to agents via a Model Context Protocol (MCP) server, integrating with TMDB and leveraging LLMs.

Setup Requirements

  • ⚠️ Python 3.10+ required (README suggests 3.12)
  • ⚠️ TMDB API Key required (free registration at themoviedb.org)
  • ⚠️ Ollama local server required for multi-agent LLM comparisons (e.g., 'llama3.2:latest' model)

Verified Safe
The server correctly uses os.getenv for API keys and httpx for external API calls, including setting timeouts to prevent hanging connections. Pydantic models are used for data validation from TMDB API responses, which helps prevent malformed data processing. No direct 'eval' or 'os.system' calls are present. The LLM interaction (ctx.sample and Ollama calls) involves sending user-provided prompts to external/local LLMs, which carries inherent risks like prompt injection and potential for generating harmful or biased content, though this is a general risk of LLM applications rather than a specific code vulnerability within the server's implementation. The ctx.sample feature allows the client's LLM to process data, which is noted as 'security-sensitive' by the project itself, requiring client support.
Updated: 2025-12-21

Low Cost

my_mcp

by jaideepsai-narayan

Sec4

Provides DuckDuckGo search and Open-Meteo weather information as MCP tools for agent integration.

Setup Requirements

  • ⚠️ Requires `mcp` library (FastMCP) for `weather.py` and `duckduckgo_mcp_server.py`
  • ⚠️ Requires `fastapi` and `uvicorn` for `duckduckgo_mcp_http.py`
  • ⚠️ All network requests use `verify=False`, disabling SSL certificate verification.

Review Required
Multiple `requests.get` calls across different files (`duckduckgo_mcp_http.py`, `weather.py`, `duckduckgo_mcp_server.py`) explicitly disable SSL certificate verification (`verify=False`). This makes the application vulnerable to Man-in-the-Middle attacks, allowing an attacker to intercept and potentially modify communications with external APIs (DuckDuckGo, Open-Meteo). Additionally, `urllib3` warnings are disabled in `duckduckgo_mcp_http.py`, suppressing a critical security alert.
Updated: 2025-12-04