Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

Vetted Servers (8554)

0
0
Low Cost
Sec9

This template facilitates the quick setup of a Modular Control Protocol (MCP) server using the Yokai Go framework, enabling easy customization and integration of server components.

Setup Requirements

  • ⚠️ Docker is required to run the application using the provided `docker-compose.yaml`.
  • ⚠️ Developers looking to extend or modify the server will need a Go development environment.
  • ⚠️ Familiarity with the `ankorstore/yokai` framework is beneficial for advanced customization and understanding of the server's architecture.

Verified Safe
The provided Go source code appears clean, utilizing the Yokai framework without explicit dangerous functions ('eval' or similar) or hardcoded secrets. The `docker-compose.yaml` mounts the entire project directory into the container (`.:/app`), which is standard for development environments but should be carefully reviewed for production deployments to mitigate potential host system exposure. All external links in the README (Download, Documentation, Issues, Contributing) uniformly point to the same `.zip` file. While this does not directly indicate a security flaw within the server's provided source code, it represents an unusual and potentially suspicious practice regarding repository hygiene and distribution methods.
Updated: 2026-01-19 (GitHub)
0
0
Low Cost

mcp-server-sample

by hitosh308

Sec9

A simple HTTP server demonstrating basic API endpoints for health checks, resource listing, and an echo tool, typical for MCP-style interactions.

Setup Requirements

  • ⚠️ Requires Java Development Kit (JDK) to build and run.
  • ⚠️ Requires Apache Maven to build the project.

Verified Safe
The server uses `com.sun.net.httpserver.HttpServer` and `Google Gson` for JSON parsing. No 'eval' or similar dangerous dynamic code execution patterns are observed. Input from the echo endpoint is parsed as JSON and the 'message' field is extracted as a string, then simply concatenated into the response, preventing obvious injection vectors. There are no hardcoded secrets or direct file system interactions beyond standard HTTP I/O. The `readBody` method reads all request body bytes, which could theoretically be resource-intensive for extremely large malicious inputs, but is acceptable for a sample server.
Updated: 2025-12-14 (GitHub)
0
0
High Cost

cc-plan-review

by zhcsyncer

Sec8

Provides a human review workflow for Claude Code's Plan Mode, allowing users to annotate and provide feedback on AI-generated plans via a web interface.

Setup Requirements

  • ⚠️ Requires pnpm for dependency management and scripts.
  • ⚠️ Requires Node.js v18+ (preferably v20+ as indicated by some dependencies).
  • ⚠️ Operates by opening a web browser for the review UI, which implies a graphical environment.

Verified Safe
The server runs locally (localhost:3030/3031) and opens a browser UI, which significantly limits external attack surface. File paths for review data are constructed using `path.join` and `encodeProjectPath` to mitigate path traversal risks. No `eval` or obvious obfuscation detected. While explicit web security headers or CSRF tokens are not present, this is less critical for a local-only developer tool not intended for public internet exposure.
Updated: 2025-12-24 (GitHub)
0
0
Medium Cost

omni-parser-mcp-server

by goyaladitya05

Sec8

Automates GUI interactions on any software by 'seeing' the screen with computer vision and executing actions based on LLM reasoning.

Setup Requirements

  • ⚠️ Requires Google API Key (Paid) for Gemini LLM calls.
  • ⚠️ Requires downloading large YOLO model weights (approx. 50MB) during setup via `python setup.py`.
  • ⚠️ PyAutoGUI, used for screen interaction, may require specific OS dependencies (e.g., screencapture tools, X11 utilities on Linux) not explicitly listed in `requirements.txt`.

Verified Safe
The system processes and executes actions based on LLM output, including mouse clicks and keyboard typing. While the JSON parsing helps mitigate direct code injection, a compromised or poorly prompted LLM could instruct the agent to perform malicious actions on the host machine. No direct 'eval' or hardcoded secrets were found. Temporary screenshot files are used and overwritten.
Updated: 2025-11-25 (GitHub)
0
0
Medium Cost
Sec8

This server provides a comprehensive set of automated EVM blockchain interaction tools for development, testing, and analytics across multiple chains, focusing on wallets, DeFi, NFTs, and MEV.

Setup Requirements

  • ⚠️ RPC/WebSocket RPC Configuration: Requires setting RPC URLs for all desired EVM chains (e.g., ETHEREUM_RPC_URL, POLYGON_RPC_URL) and optional WebSocket RPCs for mempool monitoring (e.g., MEMPOOL_WS_ETHEREUM_URL) as environment variables.
  • ⚠️ API Keys for External Services: Full functionality for features like NFT image generation (AI services), IPFS uploads (Pinata/Web3.Storage), and Flashbots (MEV_TOOLS on Ethereum) depends on setting corresponding API keys as environment variables (e.g., PINATA_API_KEY, FLUX_API_KEY). These often involve paid services or API access.
  • ⚠️ Testnet Limitations: Many advanced DeFi, Staking, and Lending tools are intentionally disabled on the default testnet server, returning messages indicating mainnet-only support for those protocols unless ENABLE_TESTNET_LENDING=true is explicitly set (and even then, testnet deployments for such complex protocols may not fully exist or be stable).
  • ⚠️ Node.js Environment: Requires a Node.js runtime environment.

Verified Safe
The server clearly distinguishes between testnet and mainnet functionalities, explicitly disabling certain DeFi/staking tools on testnets by default to prevent misuse. It uses environment variables for API keys (e.g., PINATA_API_KEY, AI service keys) and strongly warns against exposing or hardcoding private keys, which are passed as parameters but not persistently stored. The code explicitly uses `ethers.js`, a well-audited library, for most blockchain interactions. Potential risks include reliance on external RPC providers (rate limits, reliability) and third-party IPFS/AI services, which are external dependencies rather than inherent code vulnerabilities.
Updated: 2026-01-19 (GitHub)
0
0
Low Cost

snapshot-mcp-server

by WhenMoon-afk

Sec9

A Model Context Protocol (MCP) server for saving and resuming AI conversations with token-efficient context preservation, working standalone or integrated with larger memory systems.

Setup Requirements

  • ⚠️ Requires Node.js 18+ to be installed.
  • ⚠️ Requires restarting Claude Desktop completely after installation or configuration changes.
  • ⚠️ For manual Windows setup, requires `cmd /c` wrapper for npx in Claude config (though installer uses `node` directly).

Verified Safe
The server uses `better-sqlite3` with prepared statements, mitigating SQL injection risks. Communication with the MCP client (e.g., Claude Desktop) is primarily via standard I/O (`StdioServerTransport`), which limits network exposure. The `install.js` script handles file system operations for setup, including creating directories and modifying the Claude Desktop configuration file. The server itself does not appear to execute arbitrary commands based on user input, nor does it contain obvious hardcoded secrets. The primary risk would be in the MCP SDK dependencies, but the server's implementation is robust for its scope.
Updated: 2025-12-02 (GitHub)
0
0
Low Cost

basic-mcp-agent

by paylinkmcp

Sec8

Provides monetized arithmetic tools (add, subtract) via an MCP (Model Context Protocol) HTTP server, integrating with PayLink for automatic payment processing.

Setup Requirements

  • ⚠️ Requires Python 3.13+
  • ⚠️ Requires `uv` package manager
  • ⚠️ Requires `MCP_WALLET_CONNECTION_STRING` for the server (from PayLink platform) in a `.env` file

Verified Safe
The server exposes endpoints on `0.0.0.0:5003`, which makes it accessible from any network interface. While acceptable for development and examples, this requires careful consideration and potentially firewall restrictions in a production environment. Payment processing relies on the `PayLink` SDK and external PayLink infrastructure, assuming its security mechanisms are robust. No obvious malicious patterns or unsafe code execution (`eval`, `exec`) are found in the tool logic itself. Wallet connection string is expected via environment variables.
Updated: 2025-11-30 (GitHub)
0
0
Low Cost

A Model Context Protocol (MCP) server for controlling Spotify playback, searching, queue management, and library access.

Setup Requirements

  • ⚠️ Requires a Spotify Developer account and creation of a Spotify App to obtain Client ID and Client Secret.
  • ⚠️ A one-time local OAuth flow must be completed using `scripts/get_spotify_token.py` to acquire a Spotify Refresh Token.
  • ⚠️ For Cloud Run deployment, specific Google Cloud APIs (Cloud Run, Secret Manager, Cloud Build) must be enabled, and IAM permissions granted for the Cloud Run service account to access secrets.

Verified Safe
The `scripts/get_spotify_token.py` utility contains hardcoded `CLIENT_ID` and `CLIENT_SECRET` values. While the primary server implementation correctly uses environment variables and Google Secret Manager for credentials, this script's hardcoded values could be a source of confusion or a potential security oversight if not replaced with user-specific credentials during the OAuth flow. The server itself manages refresh tokens and retrieves client credentials from secure environment variables. A `TODO` exists to persist new refresh tokens to a database/Secret Manager, which is a future enhancement but not a current security vulnerability.
Updated: 2025-11-27 (GitHub)
0
0
Low Cost

mai-ml-5-sem

by oryce

Sec9

Building and training a decision tree model for binary classification tasks, handling both real and categorical features.

Setup Requirements

  • ⚠️ Requires Python 3.x environment
  • ⚠️ Requires `numpy` library (`pip install numpy`)

Verified Safe
The code primarily implements a decision tree algorithm using standard Python libraries (numpy, collections). There are no indicators of network operations, file system access beyond typical module loading, use of `eval` or `exec`, hardcoded credentials, or other patterns commonly associated with severe security vulnerabilities. The `feature_types` input is validated. The risk is primarily related to the input data provided to the model, which is outside the scope of this code's direct control.
Updated: 2025-12-14 (GitHub)
0
0
High Cost

athena-mcp-servers

by mkmlab-hq

Sec7

A collection of essential AI microservices designed to power intelligent agents and automate development tasks through a multi-agent control protocol.

Setup Requirements

  • ⚠️ Requires Python 3.11+.
  • ⚠️ Requires `pip install -r requirements.txt` which includes many AI/DB dependencies (e.g., mcp SDK, psycopg2, qdrant-client, sentence-transformers, google-generativeai).
  • ⚠️ Requires API keys for Google Gemini (GEMINI_API_KEY or GOOGLE_API_KEY) and potentially other third-party services.
  • ⚠️ Requires active PostgreSQL and Qdrant vector databases (local or remote/VPS).
  • ⚠️ Relies on external 'SPICE Hybrid Brain' infrastructure hosted by MKM Lab, accessed via a hardcoded IP address.

Verified Safe
The project generally follows good security practices by using environment variables for API keys and sensitive configurations (e.g., POSTGRES_URL, GEMINI_API_KEY, QDRANT_URLs). However, some external service endpoints (e.g., GEMMA_VPS_URL, VPS_QDRANT_URL) are hardcoded with IP addresses, which introduces a reliance on specific external infrastructure and requires trusting the operators of those IPs. The default 'postgres:password' for POSTGRES_URL in example code is a common weak credential, which users must be careful to override in their .env for production environments. No 'eval' or obvious malicious patterns were found.
Updated: 2025-11-29 (GitHub)
0
0
Low Cost

mcp-cf7b72a7-10c103b7-todo-list-mcp

by aiscibe-mcp-deployment

Sec8

Acts as a Model Context Protocol (MCP) server to provide a Todo List functionality by integrating with an external API.

Setup Requirements

  • ⚠️ Requires the `mcp` Python library (e.g., `pip install -r requirements.txt`).
  • ⚠️ No functional tools are implemented in the provided source code, requiring manual implementation for actual use by an MCP client.
  • ⚠️ The `call_api` helper contains a bug where `conn_name='default'` is used, but 'default' is not defined in `API_CONNECTIONS`, making API calls non-functional as-is.

Verified Safe
No hardcoded secrets or obvious malicious patterns found. The `call_api` function, while not directly exposed to user input in the provided code, could enable SSRF if tools are later implemented without proper input validation, allowing arbitrary API calls to `jsonplaceholder.typicode.com`. The `conn_name='default'` bug in `call_api` (which is not in `API_CONNECTIONS`) prevents it from being functional as-is, inadvertently reducing its attack surface. Error logging includes stack traces, which could reveal internal paths in production.
Updated: 2025-11-29 (GitHub)
0
0
High Cost

Develop a Python-based server that integrates Wazuh SIEM alerts with an LLM (preferably OpenAI) for enhanced security analysis and response.

Setup Requirements

  • ⚠️ Requires OpenAI API Key (Paid)
  • ⚠️ Requires a running Wazuh SIEM instance for integration
  • ⚠️ Requires Python environment setup

Review Required
A comprehensive security audit cannot be performed as only the `README.md` file was provided. The project involves integration with an LLM and a SIEM, which typically entails network communication and API key handling. Without source code, it's impossible to check for 'eval', obfuscation, hardcoded secrets, or malicious patterns. Score is neutral due to lack of information.
Updated: 2025-11-24 (GitHub)

Page 340 of 713