Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost
Sec9

Provides real-time weather information for specified cities via an MCP server, integrating with LLM agents.

Setup Requirements

  • ⚠️ Requires Python 3.10 or higher.
  • ⚠️ Dependencies `requests`, `fastmcp`, and `smithery` must be installed (e.g., via `pip install requests fastmcp smithery`).
Verified Safe
The server makes external HTTP requests to `wttr.in`, a known public weather API, with a 10-second timeout. No `eval` or similar dangerous patterns were found. There are no hardcoded secrets or sensitive information.
Updated: 2025-11-21 · GitHub
Medium Cost

benefisio-docs-mcp

by ismaeldosil

Sec9

Provides programmatic access to FinaShopping documentation for AI agents, enabling search, document retrieval, agent discovery, and template-based prompt generation for tasks like finding agents or creating tickets.

Setup Requirements

  • ⚠️ Requires the `DOCS_PATH` environment variable to be set and point to an existing 'finashopping-docs' repository, which must follow a specific internal structure (e.g., '.claude/agents', 'finashopping', '_universal' directories, and a 'README.md').
  • ⚠️ Requires Node.js version 20.0.0 or higher.
Verified Safe
The server explicitly implements path traversal prevention in the `getDoc` tool by normalizing paths and ensuring they remain within the configured `DOCS_PATH`. File system operations using `glob` are restricted to the `docsPath` or its subdirectories. Markdown parsing is used, not direct execution of user-provided content. No `eval` or direct command execution of user input was found. The use of environment variables for `DOCS_PATH` is standard and secure.
Updated: 2026-01-19 · GitHub
Medium Cost

zotmcp

by nicsuzor

Sec8

MCP server for semantic search, literature review, and citation retrieval from a ChromaDB-indexed Zotero academic library.

Setup Requirements

  • ⚠️ Requires GCP access (contact the maintainer and run `gcloud auth application-default login`).
  • ⚠️ Requires `uv` (uvx) or a `docker` container runtime installed locally.
  • ⚠️ First-time setup involves downloading ~8GB of ChromaDB vectors.
  • ⚠️ Local development of the vectorization pipeline requires `poppler-utils` (e.g., `apt install poppler-utils`).
Verified Safe
The OAuth client ID and secret for installed apps are hardcoded in `src/zotmcp/download.py`. While typical for public clients, this means they are not truly secret. The Zotero API key is expected from environment variables and managed by Buttermilk's credential system (likely GCP Secret Manager), which is good practice. The HTTP server binds to `0.0.0.0` by default, which is standard for containerized applications but requires proper firewalling in production environments. No `eval` or obvious obfuscation was found.
Updated: 2026-01-07 · GitHub
Medium Cost

MCP-Server

by archis17

Sec8

Provides Git and GitHub workflow tools via an HTTP API for AI assistants to interact with local repositories and GitHub.

Setup Requirements

  • ⚠️ Requires a valid Git repository path to be set via the `GIT_MCP_REPO` environment variable, otherwise Git operations will fail.
  • ⚠️ GitHub API tools require a `GITHUB_TOKEN` with `repo` scope to be set, otherwise GitHub operations are disabled.
  • ⚠️ Requires Python dependencies installed via `pip install -r requirements.txt`.
Verified Safe
The server uses `subprocess.run` with lists of arguments, which generally prevents shell injection. File paths for Git operations are validated to prevent path traversal outside the repository root. GitHub API interactions require an explicit `GITHUB_TOKEN` from environment variables, avoiding hardcoded secrets. The server itself does not implement authentication, relying on the security of the host environment and the AI assistant's configuration. Binding to `0.0.0.0` (if configured) allows network access, requiring external firewalling for production.
Updated: 2025-11-26 · GitHub
Low Cost

hackermanishackerman.github.io

by hackermanishackerman

Sec10

Automate and streamline development tasks such as architectural reviews and Test-Driven Development (TDD) for improved coding workflows.

Setup Requirements

  • ⚠️ The provided content is documentation for a client-side desktop application, not an MCP server. The actual application needs to be downloaded and installed separately.
  • ⚠️ The described application requires a supported operating system (Windows 10+, macOS 10.15+, or a recent Linux distribution), at least 4 GB RAM, 200 MB of free disk space, and an internet connection for initial download and updates.
Verified Safe
The provided 'SOURCE CODE' is an `index.md` (Markdown) file, which serves as documentation for a client-side application called 'claude-skills-vault'. It contains no executable code, server-side logic, `eval` calls, obfuscation, network risks, or hardcoded secrets. Therefore, based solely on this documentation file, there are no inherent security risks. A security audit of the described 'claude-skills-vault' application would require its actual source code.
Updated: 2026-01-19 · GitHub
Low Cost

AI-Vibe-Check

by abhxhekrathore5

Sec9

Provides daily developer mood and anxiety scores by analyzing trending tech news from Hacker News, Reddit, and Dev.to using an AI.

Setup Requirements

  • ⚠️ Requires the `GROQ_API_KEY` environment variable to be set (Groq API usage, which is a paid service).
  • ⚠️ Requires installation of the Python packages `requests`, `feedparser`, and `groq` (e.g., via `pip install requests feedparser groq`).
  • ⚠️ A `template.svg` file must exist in the same directory for the SVG output generation to work, but it is not provided in the source.
Verified Safe
The Python source code properly loads `GROQ_API_KEY` from environment variables. It makes standard HTTP requests to public APIs (Hacker News, Reddit, Dev.to) and the Groq AI service. There are no uses of `eval`, no obfuscation, and no hardcoded secrets within the provided Python code. The data processed is text for AI analysis, not for execution. The code writes `history.json` and `vibe.svg` locally. The README's mention of downloading and running `.exe`/`.dmg` files is external to this source code analysis, but the Python script itself appears safe.
Updated: 2026-01-19 · GitHub
Low Cost

weather-mcp-server

by marekdano

Sec8

Provide current weather information for cities via an MCP server.

Setup Requirements

  • ⚠️ Requires an OpenWeatherMap API key.
  • ⚠️ Requires Node.js 18+.
Verified Safe
The server uses dotenv for environment variable loading and Zod for API response validation, which are good security practices. External API calls are made to OpenWeatherMap. The 'greeting' resource directly embeds user input into a text field, which could pose a minor XSS risk if the output is rendered unsafely in a web UI, but this is less of a concern within the Model Context Protocol, where consumption is typically by an AI model. No `eval` or malicious patterns were found.
Updated: 2025-12-01 · GitHub
Low Cost
Sec10

Provides an API for performing basic arithmetic operations such as addition, subtraction, multiplication, division, modulus, and power.

Setup Requirements

  • ⚠️ Requires Python 3.12 or newer.
  • ⚠️ Requires the `fastmcp` library to be installed.
Verified Safe
The server performs basic arithmetic operations. It explicitly handles type conversion to numbers and includes checks for division by zero. No `eval`, shell commands, or other dangerous functions are used. There are no hardcoded secrets or evident network-specific vulnerabilities beyond standard API exposure. Input handling is robust for its intended numeric purpose.
Updated: 2025-11-23 · GitHub
Medium Cost
Sec7

This server provides AI agents with accurate, version-aware documentation, code scaffolding, and migration guidance for React Native, Expo, and related libraries.

Setup Requirements

  • ⚠️ Requires `git` to be installed and accessible in the system PATH for documentation fetching.
  • ⚠️ Requires internet access to `git clone` documentation repositories on demand and to download the ML embedding model from Hugging Face.
  • ⚠️ Can consume significant disk space for cached documentation (in `docs/`) and the vector index (`./docs/.vector-index`), especially for multiple libraries and versions.
Verified Safe
The server executes `git clone` commands based on URLs configured in `docs-sources.json` to fetch documentation. A malicious modification to this configuration file or an upstream compromise of a configured repository could lead to downloading and processing untrusted code. It also dynamically imports and downloads an ML embedding model from Hugging Face, which introduces a supply chain dependency. No `eval` or direct arbitrary command execution from user input was identified.
Updated: 2025-12-02 · GitHub
Medium Cost

McpServerRestAPI

by venkatmadala9

Sec2

A Spring Boot REST API server that integrates with external logistics/shipment APIs, secures communication via OAuth2, and provides natural language processing capabilities using Spring AI with tool calling.

Setup Requirements

  • ⚠️ Requires a local Ollama server or compatible LLM configured for Spring AI to use the PromptTools functionality.
  • ⚠️ Requires comprehensive configuration of OAuth2 properties (e.g., `security.oauth2.token-uri`, `client-id`, `client-secret`, `grant-type`).
  • ⚠️ Requires `api.base.url` to be configured for the external logistics API.
Review Required
The application explicitly disables SSL certificate validation and hostname verification (`TrustAllStrategy.INSTANCE`, `NoopHostnameVerifier.INSTANCE`) for all `RestClient` instances configured via `RestClientConfig`. This is a critical security vulnerability, making the application highly susceptible to Man-in-the-Middle attacks against both the OAuth2 token endpoint and the external API. It should not be used in production or with sensitive data. Additionally, the `APIService` contains a hardcoded internal IP address (`http://dbslsp-stg01-fr4:8083`) and a `getShipment` method with a literal `Bearer ${token}` authorization header, which would prevent successful authentication if that particular tool were enabled and called.
Updated: 2025-12-11 · GitHub
High Cost

A server application intended for tracking and managing football-related data or events.

Review Required
Source code was not provided for analysis. Therefore, a comprehensive security audit cannot be performed. Running any software without access to its source code carries significant inherent risks, and it should be considered unsafe.
Updated: 2025-11-25 · GitHub
Medium Cost

gmail-reply-tracker-mcp

by jonathangetonapod

Sec9

Manages and automates personal productivity across Gmail, Google Calendar, and Fathom AI using natural language via Claude Desktop.

Setup Requirements

  • ⚠️ Requires manual setup of a Google Cloud Project, enabling the Gmail and Calendar APIs, and configuring an OAuth Consent Screen.
  • ⚠️ Requires downloading `credentials.json` from Google Cloud and placing it in a specific local directory.
  • ⚠️ Requires modifying Claude Desktop's `claude_desktop_config.json` with absolute file paths, which can be a common source of error for new users.
  • ⚠️ A Fathom AI API key is required for Fathom-related tools.
Verified Safe
The server demonstrates good security practices by loading sensitive API keys and paths from environment variables (`.env` file), which are gitignored. OAuth tokens (`token.json`) are saved locally with restricted file permissions (0o600). Email sending and replying tools require explicit `confirm=True` to prevent accidental actions. There is no use of `eval` or code obfuscation. Network risks are limited to legitimate API calls to Google and Fathom. A minor friction point arises from Claude Desktop's client-side configuration requiring hardcoded absolute paths and `FATHOM_API_KEY` directly in its JSON config, which is outside the server's control but noted for user awareness.
Updated: 2025-12-14 · GitHub
Page 342 of 713