Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Medium Cost

teradata-mcp-server

by xuhaibintd

Sec8

A Model Context Protocol (MCP) server that provides AI agents with a comprehensive set of tools and prompts to interact with Teradata databases for data querying, analysis, management, and machine learning workflows.

Setup Requirements

  • ⚠️Requires access to a Teradata database with connection credentials specified via DATABASE_URI.
  • ⚠️Requires Python 3.12+.
  • ⚠️Optional modules (Feature Store, Teradata Vector Store, and Teradataml Analytic Functions) require additional Python packages to be installed (e.g., `uv tool install teradata-mcp-server[fs,tdvs]`).
Verified Safe
The server implements robust authentication mechanisms including rate limiting, session caching, and input validation for basic/bearer tokens. It supports proxy users for database access and generates query bands for auditing. Credentials are expected to be managed via environment variables or .env files, reducing hardcoding risks. A minor concern is the use of `eval` in `src/teradata_mcp_server/app.py` for type hint resolution, though it is used in a controlled manner with a limited set of built-in types. Default demo credentials are present in `rest_config.yml` for internal REST API calls, which should be overridden in production.
Updated: 2025-12-03

Medium Cost

stripe-mcp-server

by julian-najas

Sec8

A production-ready Stripe payment server designed for AI agents, providing idempotent payment intent creation, verified webhook handling, and payment status retrieval via a Model Context Protocol (MCP) interface.

Setup Requirements

  • ⚠️Requires Python 3.12+
  • ⚠️Stripe test keys (STRIPE_API_KEY, STRIPE_WEBHOOK_SECRET) must be set in .env for development, or real keys for production.
  • ⚠️PostgreSQL is recommended for production database instead of default SQLite.
Verified Safe
The server demonstrates good security practices including explicit webhook signature verification, persistent idempotency to prevent double charges, and requiring API keys for most operations (configurable for debug). Secrets like Stripe API keys and webhook secrets are correctly loaded from environment variables with safe defaults for development. A dedicated SECURITY.md outlines important production security considerations, such as not committing secrets, key rotation, and database best practices. However, it explicitly notes that rate limiting is not implemented and recommends HTTPS for webhooks; both are commonly addressed in production deployments.
Updated: 2026-01-19

Medium Cost

QUACK-MCP-SERVER

by smhajimirzaei

Sec7

An intelligent continuous integration server providing automated Python code analysis, linting, and static type checking, designed for seamless AI assistant integration via the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️External tools (mypy, pylint) must be installed and accessible in the system's PATH where the server runs.
  • ⚠️The `TestProcessor` (which uses pytest) is present but not enabled by default; enabling it without strict sandboxing would pose a significant security risk as it runs user-provided code.
Verified Safe
The server executes external command-line tools (mypy, pylint) on user-provided code by writing the code to temporary files and passing the file paths as arguments. This mitigates direct shell injection vulnerabilities. However, any intrinsic vulnerability within mypy or pylint that allows arbitrary code execution through crafted input files during static analysis could compromise the server. Additionally, the presence of `TestProcessor` (which runs `pytest` on user code) in the codebase is a critical security concern; while not registered in `quack/server.py` by default in the provided code, enabling it would allow arbitrary code execution, requiring robust sandboxing beyond the current implementation.
Updated: 2025-11-30

Medium Cost
Sec4

A desktop application and Chrome extension for AI-powered summarization, explanation, and translation of text, chat with local LLMs, and browser automation via agent commands and Model Context Protocol (MCP) tool integration.

Setup Requirements

  • ⚠️Requires a local LLM server (Ollama or LM Studio) to be running and a compatible model loaded.
  • ⚠️Requires Node.js to run the MCP filesystem server (via npx).
  • ⚠️The desktop application is designed for Windows 10/11.
Review Required
CRITICAL: The Chrome extension component (`extension/src/sidepanel.js`) directly parses JSON-like strings from the LLM's streaming output and executes them as browser automation commands via `chrome.tabs.sendMessage` to `content_script.js` when `automation_enabled` is true. This creates a direct pipeline for LLM-generated commands to control the browser, allowing arbitrary actions (e.g., clicking links, typing, reading page content). This is a significant security risk, as a compromised or 'misaligned' local LLM could lead to data exfiltration, phishing, or other malicious activities without explicit user confirmation for each command. While the desktop app's MCP tool calls appear to be user-initiated via a UI panel, the browser extension's automation is direct.
Updated: 2025-12-08

Low Cost

timew-mcp

by nkxxll

Sec6

Develops a Model Context Protocol (MCP) server to integrate Claude Desktop with the Timewarrior time tracking application on macOS.

Setup Requirements

  • ⚠️Requires macOS due to dependency on Claude Code Desktop and specific log paths.
  • ⚠️Requires the Timewarrior application to be installed and available on the system.
  • ⚠️The server likely needs to be built from source (presumably OCaml/Dune based on the `_build` path) before execution.
Verified Safe
The project is in an early development stage, with the README explicitly noting 'error handling is a mess (is better now)' and other TODOs related to robustness. The integration with 'timew' implies external command execution, which, without access to the actual source code, poses a potential command injection risk if user inputs are not rigorously sanitized before being passed to `timew` commands. Without a full source code review, a definitive security assessment is not possible beyond the self-identified issues.
Updated: 2025-11-19

Low Cost

osc-mcp-server

by anteriovieira

Sec4

Enables AI (specifically Claude Desktop) to control digital audio mixers (Behringer X32/Midas M32) via OSC using natural language commands.

Setup Requirements

  • ⚠️Requires Node.js 18 or higher.
  • ⚠️Requires an absolute path to the `dist/index.js` file in the Claude Desktop configuration (`claude_desktop_config.json`).
  • ⚠️Requires the IP address (`OSC_HOST`) and port (`OSC_PORT`) of a Behringer X32/Midas M32 mixer on the same network, and correct firewall configuration (UDP port 10023).
Review Required
The server uses `child_process.exec` and `child_process.spawn` to execute external programs (e.g., opening X32-Edit, starting the X32 emulator binary). This capability allows the AI to trigger system-level commands, posing a significant risk if the AI's behavior is unconstrained or if the commands/paths could be manipulated. Additionally, the `osc_custom_command` tool exposes raw OSC command sending, granting the AI full, unvalidated control over the mixer's API, which could lead to disruptive or potentially damaging actions if misused. While these are features, they grant a high level of control that requires careful sandboxing and trust in the AI.
Updated: 2025-12-02

Medium Cost

mcp-weather

by ranggarifqi

Sec7

Hosts a Model Context Protocol (MCP) server to provide weather information.

Setup Requirements

  • ⚠️Requires .NET 8.0 SDK or later.
  • ⚠️Requires configuration for external weather APIs (e.g., API keys), which are essential for functionality but not detailed in the README's setup.
Verified Safe
The provided content is a README and project structure overview; no executable source code was provided for a comprehensive security audit. A full analysis for vulnerabilities like input validation, proper handling of external API keys, or absence of dangerous functions (e.g., 'eval') cannot be performed. The assessment assumes standard .NET secure coding practices, based on the Domain-Driven Design (DDD) architecture. Network exposure is inherent for a server application.
Updated: 2025-11-30

Low Cost

notification-agent-server

by kapilthakare-cyberpunk

Sec8

A 24/7 server to receive and store notifications from an Android work phone, offering statistics and management features.

Setup Requirements

  • ⚠️The provided installation script is tailored for Debian/Ubuntu-based Linux systems (e.g., Linux Mint Cinnamon), specifically using `apt-get` and `ufw` commands.
  • ⚠️Requires manual configuration of the Android client with the server's URL and the securely generated API key.
  • ⚠️Node.js version 16.0.0 or higher and npm version 8.0.0 or higher are prerequisites.
Verified Safe
The server uses an API key for authentication, which is generated securely by the installation script and sourced from environment variables. CORS is set to `*`, which is overly permissive if a web dashboard is intended to be public, but acceptable for a private API interacting with a mobile client. No `eval` or other obvious code injection patterns are present. Data is stored in a local JSON file, mitigating typical database injection risks.
Updated: 2025-12-01

Low Cost
Sec9

Provides an API for tracking and summarizing personal expenses.

Setup Requirements

  • ⚠️Requires Python 3.12 or newer, as specified in `pyproject.toml`.
  • ⚠️The SQLite database is stored in a temporary directory, meaning data is ephemeral and will not persist across restarts or system cleanups, which is not suitable for production expense tracking without modification.
Verified Safe
The server primarily uses parameterized SQL queries to prevent SQL injection vulnerabilities. No 'eval', 'os.system', or hardcoded secrets were identified. The server binds to '0.0.0.0', making it network accessible, which requires proper firewalling and access control if deployed in a public-facing environment.
Updated: 2025-12-18

High Cost

Finance_MCP_Server

by AritriPodde2210

Sec9

An AI-powered finance dashboard to fetch financial news, stock prices, and company information for any company or topic.

Setup Requirements

  • ⚠️Requires Groq API Key (Paid Service)
  • ⚠️Reliance on external financial data sources (yfinance) and LLM APIs (Groq)
Verified Safe
The application uses environment variables for API keys (GROQ_API_KEY), which is good practice. It interacts with external APIs (Groq, yfinance) over HTTPS. No direct 'eval' or other highly dangerous patterns are observed. Inter-process communication via FastMCP's PythonStdioTransport is handled internally by the application, minimizing external exposure. Input sanitization for LLM prompts is implicitly handled by the LLM itself to some extent, but direct injection vulnerabilities are unlikely due to the nature of the tool calls.
Updated: 2025-11-19

High Cost
Sec6

The server converts raw text into TSV tables by extracting entities with GLiNER and leveraging an OpenAI-compatible vLLM endpoint, facilitating structured data extraction for research and analysis.

Setup Requirements

  • ⚠️Requires a running vLLM OpenAI-compatible endpoint, demanding significant GPU resources (e.g., 48GB VRAM for 30B models).
  • ⚠️Requires a GLiNER entity extraction service (local with GPU/CPU or remote HTTP service).
  • ⚠️Python 3.10+ is mandatory for the embedded Python tooling and plugins.
  • ⚠️API keys for services like Hugging Face (for model authentication), Google Scholar (SerpAPI), and optionally others (PubMed, Semantic Scholar, CORE) must be provided via environment variables.
Review Required
The server's Rust core integrates Python plugins for PDF downloading, which utilize `playwright` for headless browser automation. Running a full browser introduces a significant attack surface, potentially vulnerable to browser-based exploits if interacting with malicious or compromised web content during PDF retrieval. While the Rust code implements robust security practices for network requests (HTTPS-only, TLS validation, user-agent rotation) and file handling (path sanitization, integrity verification, size limits), the dynamic nature of web interaction through `playwright` inherently elevates risk. Reliance on external Python environments and services like GROBID (potentially containerized) also adds to the complexity and potential attack vectors if not meticulously secured. API keys for services like Google Scholar, PubMed, Semantic Scholar, CORE, and arXiv are expected via environment variables, not hardcoded. The project also incorporates circuit breakers and rate limiting for external services, enhancing stability but not directly mitigating the browser-based risks.
Updated: 2025-12-23

Low Cost
Sec9

Manages n8n workflows and Docker environment directly from the terminal, avoiding the web interface.

Setup Requirements

  • ⚠️Requires Docker to be installed and running.
  • ⚠️Requires Node.js and npm for n8n-cli installation.
  • ⚠️Requires manual generation of an n8n API key via the web interface during first-time setup.
  • ⚠️Modifies the user's shell configuration (.bashrc or .zshrc) to add aliases and functions.
Verified Safe
The server setup utilizes official n8n Docker images and CLI tools. It prompts the user for a manually generated API key, avoiding hardcoded secrets. Shell configuration modifies the user's .bashrc to source a local script, which is common practice but implies trust in the provided shell-config.sh. No 'eval' or malicious obfuscation patterns were found in the provided source code.
Updated: 2026-01-19