Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

0
0
High Cost
i11v icon
Sec8

Provides AI assistants with Model Context Protocol (MCP) access to Fastmail accounts for email management.

Setup Requirements

  • ⚠️Requires a Fastmail API Token with appropriate scopes (Mail read/write) to be generated manually.
  • ⚠️Requires configuring Claude Code's MCP settings with the server URL and API token in `~/.claude/claude_desktop_config.json` or `.mcp.json`.
  • ⚠️Requires `REDIS_URL` environment variable for caching, especially in production deployments like Vercel.
  • ⚠️Uses `pnpm` as the package manager, not `npm` or `yarn`.
Verified SafeView Analysis
The server correctly extracts the Fastmail API token from the Authorization header. It hashes this token before using it as a Redis key, avoiding storage of raw tokens in Redis keys. However, the full session JSON, which can contain sensitive account IDs, is cached in Redis. While given a TTL, a compromise of the Redis instance could expose this data. Input validation for tools is enforced using Zod schemas. The server explicitly warns users to keep their API tokens secure and not commit them to version control. The open CORS configuration (origin: '*') is typical for MCP but means no origin-based protection beyond the bearer token.
Updated: 2026-01-18GitHub
0
0
Low Cost
ashleyappadoo icon

timesfm-mcp

by ashleyappadoo

Sec6

Optimized time series forecasting server for cloud platforms like Railway/Render, offering trend and seasonality analysis via an HTTP API.

Setup Requirements

  • ⚠️The provided `timesfm_server.py` implements a custom 'pure Python' forecasting algorithm (seasonal trend decomposition + linear regression) and does not use Google Research's TimesFM model, despite the repository name and README claiming 'Vrai TimesFM 1.0'. This means the forecasting quality and methodology will differ significantly from actual TimesFM.
  • ⚠️Deployment to Railway/Render, as described in the README, requires manually replacing three specific files (`Dockerfile`, `requirements.txt`, `timesfm_server.py`) in the user's GitHub repository.
  • ⚠️The forecast horizon is capped at a maximum of 32 periods internally by the `timesfm_server.py`.
Verified SafeView Analysis
The server is implemented in pure Python using `http.server`, which is not typically recommended for production environments due to limitations in robustness, performance, and advanced security features (like TLS, advanced input validation, or DDoS protection) compared to WSGI servers. It lacks explicit authentication or authorization, meaning the API is open to anyone with the URL. Request logging from the base HTTP server is suppressed, though application-level logs exist. No malicious patterns, `eval` usage, or hardcoded secrets were identified.
Updated: 2026-01-16GitHub
0
0
Low Cost
spilchen icon
Sec9

An MCP (Model Context Protocol) server that provides AI assistants and other clients read-only access to Yahoo Fantasy Sports data.

Setup Requirements

  • ⚠️Requires valid Yahoo API credentials (either `oauth2.json` file or `YAHOO_CLIENT_ID` and `YAHOO_CLIENT_SECRET` environment variables). Registering an application with Yahoo Developer Network is necessary.
  • ⚠️Requires `YAHOO_LEAGUE_ID` environment variable set to a valid Yahoo Fantasy league ID. The server provides a helper to list available league IDs if not set.
  • ⚠️If using environment variables for credentials, an initial manual OAuth flow via browser is required to obtain tokens.
Verified SafeView Analysis
The server explicitly states it provides read-only access, significantly reducing risk. Authentication details (consumer keys, secrets, tokens) are handled via environment variables or a local `oauth2.json` file, which are standard and secure practices, avoiding hardcoding. The `stdio_transport` uses `pydantic.BaseModel.model_validate_json` for incoming JSON-RPC messages, which is robust against typical JSON parsing vulnerabilities. No `eval` or other highly dangerous functions are directly used for dynamic code execution. The main risks would be in the underlying `yahoo_fantasy_api` library or the Yahoo API itself.
Updated: 2025-11-23GitHub
0
0
Medium Cost
ermermermermidk icon

mcp-ai-memory

by ermermermermidk

Sec9

This server provides a Model Context Protocol (MCP) interface for managing an AI's semantic memory, enabling storage, retrieval, clustering, and consolidation of contextual knowledge.

Setup Requirements

  • ⚠️Requires PostgreSQL with the `pgvector` extension enabled.
  • ⚠️Requires Node.js 20+ or Bun runtime environment.
  • ⚠️Optional: Redis is highly recommended for caching and asynchronous job queuing (e.g., embedding generation, batch processing, clustering).
Verified SafeView Analysis
The server demonstrates strong security practices, including comprehensive input validation and sanitization using Zod schemas for all API inputs, which helps prevent common vulnerabilities like injection attacks. It uses Kysely ORM for database interactions, providing built-in protection against SQL injection. Sensitive configurations like database and Redis URLs are loaded from environment variables (dotenv), avoiding hardcoded secrets. There's no observable direct use of `eval` or unsafe `child_process` calls. The `SECURITY.md` outlines best practices for deployment (e.g., strong credentials, SSL/TLS for DB/Redis), acknowledging that external infrastructure security is critical.
Updated: 2026-01-19GitHub
0
0
Medium Cost
Gooseus icon

mcp-nats

by Gooseus

Sec9

Exposes NATS messaging capabilities (publish, subscribe, JetStream, KV, Object Store) to LLMs, enabling AI assistants to interact with real-time and persistent data infrastructure.

Setup Requirements

  • ⚠️Requires a NATS server with JetStream enabled.
  • ⚠️Requires Node.js 20+ (or Bun for development).
Verified SafeView Analysis
The server uses Zod for input validation on all tool parameters, which significantly reduces the risk of injection attacks or unexpected input. NATS authentication details are handled via environment variables or a credentials file, avoiding hardcoded secrets. File system access for embedded documentation is restricted to a specific `docs/nats` directory, preventing arbitrary file reads. The SSE transport sets permissive CORS headers (`Access-Control-Allow-Origin: *`), which is common for tools intended for LLM integration but should be considered in a broader network deployment context.
Updated: 2025-12-16GitHub
0
0
Low Cost
mbocsi icon

gohab

by mbocsi

Sec3

A home automation server for managing IoT devices and sensors using a message-based architecture.

Setup Requirements

  • ⚠️Requires Go toolchain for building from source (uses `make` commands).
  • ⚠️LoRa transport (if enabled) requires a concrete `server.HardwareInterface` implementation for physical radio communication, as the provided `SX1276Radio` uses a mock interface.
  • ⚠️Default WebSocket transport allows all origins (`CheckOrigin: true`) which is a security risk in production environments.
Review RequiredView Analysis
Critical security vulnerabilities exist. The server lacks explicit authentication and authorization mechanisms for client (device) connections, allowing any client to connect and declare capabilities. The WebSocket transport `websocket.Upgrader` explicitly sets `CheckOrigin: true`, which disables same-origin policy enforcement and makes it vulnerable to Cross-Site WebSocket Hijacking (CSWH) if not mitigated by external security. This combination makes the system highly insecure for deployment in any exposed or production environment without significant security enhancements.
Updated: 2025-12-27GitHub
0
0
Medium Cost
Nard1975 icon
Sec9

Manages ActiveCampaign email campaigns by providing tools to create, retrieve, and list campaigns.

Setup Requirements

  • ⚠️Requires ACTIVECAMPAIGN_URL environment variable to be set.
  • ⚠️Requires ACTIVECAMPAIGN_API_KEY environment variable to be set.
  • ⚠️Requires 'fastmcp' and 'requests' Python packages to be installed.
Verified SafeView Analysis
The server correctly uses environment variables for API keys and URLs, preventing hardcoded secrets. It performs standard HTTP requests to a configured ActiveCampaign API endpoint. There is no usage of 'eval' or other highly dangerous functions. The primary security consideration would be ensuring the ACTIVECAMPAIGN_URL is configured to a trusted endpoint to prevent potential SSRF, though this is typically a static setup.
Updated: 2025-11-20GitHub
0
0
High Cost
j0hanz icon
Sec9

The server fetches web pages, extracts readable content using Mozilla Readability, and returns AI-friendly Markdown for LLM summarization, context retrieval, knowledge base ingestion, and AI agents.

Setup Requirements

  • ⚠️Requires Node.js version 20.18.1 or higher.
  • ⚠️HTTP mode requires authentication via an API key (`API_KEY` or `ACCESS_TOKENS`) or a full OAuth 2.0 configuration.
  • ⚠️Remote access in HTTP mode (setting `ALLOW_REMOTE=true`) is only supported when OAuth 2.0 is fully configured.
Verified SafeView Analysis
The server demonstrates strong security practices, including extensive URL validation, SSRF protection with comprehensive IP and hostname blocklists (private IP ranges, cloud metadata endpoints, internal domain suffixes), and robust HTTP host/origin validation. It implements rate limiting and requires authentication (API key or OAuth) for HTTP mode, using timing-safe comparisons for static tokens. Content transformation is handled in worker threads, mitigating some types of exploitation. No 'eval' or obvious malicious patterns were found in the provided code. However, as noted in the README, caution is advised when deploying in sensitive environments, as it can access external URLs on behalf of AI assistants.
Updated: 2026-01-18GitHub
0
0
Medium Cost
democratize-technology icon

fuzzing-mcp-server

by democratize-technology

Sec9

Provides property-based testing and fuzzing capabilities to AI assistants for automated discovery of edge cases and bugs in Python functions.

Setup Requirements

  • ⚠️Requires Python 3.9+ to run locally from source.
  • ⚠️Requires specific configuration for MCP clients (e.g., Claude Desktop) or environment variables for HTTP transport, as it is not a simple plug-and-play server.
  • ⚠️Docker or Kubernetes environment setup is required for robust production deployments, managing security and resource isolation.
Verified SafeView Analysis
The server intentionally uses `exec()` for dynamic code execution, which is generally a high-risk operation. However, this is heavily mitigated by a robust, multi-layered sandbox built upon the professionally audited `asteval.Interpreter` library. Key security measures include AST validation, strict whitelisting of allowed modules, comprehensive blocking of dangerous built-in functions, frame access blocking, and enforced resource limits (memory, time, recursion). The Docker and Kubernetes configurations also demonstrate strong hardening with non-root users, read-only filesystems, dropped capabilities, and strict resource controls. A comprehensive security audit is claimed to be completed and approved for production, significantly reducing the inherent risks of dynamic code execution.
Updated: 2025-12-14GitHub
0
0
High Cost
developerlabsai icon

mcp-cloudformation-builder

by developerlabsai

Sec9

An AI-native CloudFormation/Terraform generator that creates and self-heals infrastructure templates from GitHub repositories, designed for DeveloperLabs AI internal products.

Setup Requirements

  • ⚠️Requires Anthropic, OpenAI, and Pinecone API keys (Paid APIs).
  • ⚠️Requires an AWS account with specific permissions for CloudFormation, IAM, Service Quotas, STS, and Pricing API.
  • ⚠️Requires manual Supabase database setup and migration application.
Verified SafeView Analysis
The server correctly uses environment variables for all sensitive API keys and secrets. It interacts with various external APIs (GitHub, AWS, Supabase, Anthropic, OpenAI, Pinecone, internal Scaffold API) as expected for its functionality. The `generateSandboxCredentials` function handles temporary AWS credentials and console sign-in URLs, which is a sensitive operation but appears to be intended for internal, authorized use within the application's scope. There are no obvious signs of eval, obfuscation, or malicious patterns.
Updated: 2025-11-26GitHub
0
0
Medium Cost
SUMAIRA-SHAIKH icon
Sec6

Implements or proxies the Minecraft Client Protocol (MCP), likely for custom game logic, data interception, or alternative server implementations.

Setup Requirements

  • ⚠️Requires Node.js installed
  • ⚠️Requires `npm install` to set up dependencies.
  • ⚠️Compatibility might be tied to specific Minecraft client and/or server versions.
Verified SafeView Analysis
As a custom network server handling a complex and often low-level protocol like Minecraft's, there are inherent risks related to input validation, buffer handling, and protocol compliance. Without access to the full source code, a comprehensive audit for 'eval', obfuscation, hardcoded secrets, or specific vulnerabilities is impossible. The score assumes a typical implementation without explicit malicious patterns but acknowledges the complexity and potential for common server-side vulnerabilities.
Updated: 2025-11-26GitHub
0
0
Medium Cost
jelmersnoeck icon

mcp-fitness-coach

by jelmersnoeck

Sec9

Integrates intervals.icu with AI assistants for workout analysis, planning, and calendar management.

Setup Requirements

  • ⚠️Requires Node.js 18+ runtime.
  • ⚠️OAuth authentication for multi-user applications requires prior registration with intervals.icu (email 'david@intervals.icu').
  • ⚠️Requires manual generation and configuration of an intervals.icu API key and athlete ID for personal use (or OAuth credentials).
Verified SafeView Analysis
The server uses environment variables for sensitive API keys and OAuth credentials, preventing hardcoding. The OAuth authentication flow correctly implements CSRF protection using a 'state' parameter. File-based token storage is secured with appropriate file permissions (0600). Input validation for tool arguments is performed using Zod. No direct 'eval' or obvious code injection vulnerabilities were found. Standard network request practices are followed.
Updated: 2026-01-18GitHub
PreviousPage 364 of 713Next