Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Medium Cost

bach-excel-mcp-server

by BACH-AI-Tools

Sec8

An MCP server for AI agents to manipulate Excel files without needing Microsoft Excel installed.

Setup Requirements

  • ⚠️Requires 'uvx' (or 'uv' and Python) for installation and execution.
  • ⚠️The 'EXCEL_FILES_PATH' environment variable is mandatory for SSE and Streamable HTTP transports to define where Excel files are read/written.
  • ⚠️Optional 'FASTMCP_PORT' environment variable to configure the server's listening port.
Verified Safe
The server primarily handles file operations, which inherently carries a risk if file paths (EXCEL_FILES_PATH) are not securely configured or if the server is exposed to untrusted clients. Proper environment variable management for file access is crucial, especially for SSE and Streamable HTTP transports. No obvious 'eval' or malicious obfuscation detected.
Updated: 2025-11-20

Medium Cost

mcp-cro-analyzer

by amuyakkala

Sec8

Asynchronously analyze web pages for Conversion Rate Optimization (CRO) issues using structural metrics and an Ollama-hosted Large Language Model.

Setup Requirements

  • ⚠️Python 3.12+ required
  • ⚠️Ollama server must be running locally or remotely with an accessible model (defaults to llama3)
  • ⚠️Requires an MCP client (e.g., Cursor, ChatGPT Desktop) to invoke tools
Verified Safe
The server uses `httpx` for fetching URLs, `BeautifulSoup` for parsing, and `ollama` client for LLM interaction. It handles configuration via environment variables, avoiding hardcoded secrets. `safe_json_parse` attempts to defensively parse LLM output. The primary risk is resource exhaustion from fetching very large or complex web pages, or potential hallucinated malicious recommendations from the LLM, though the code does not execute these recommendations directly. No 'eval' or direct arbitrary code execution from user input or LLM output is apparent.
Updated: 2025-11-25

Medium Cost

GIS-MCP-Server

by matbel91765

Sec6

A Model Context Protocol (MCP) server providing geospatial tools for AI agents, enabling geocoding, routing, spatial analysis, and file operations.

Setup Requirements

  • ⚠️Relies on external APIs (Nominatim, OSRM, Open-Elevation) which have their own rate limits and uptime. For production, self-hosting some services (e.g., OSRM, Pelias, Valhalla) is recommended.
  • ⚠️Optional dependencies (`matplotlib`, `folium`, `libpysal`, `esda`) are required for visualization and spatial statistics tools, needing installation via `pip install locusync-server[all]` or specific extras.
  • ⚠️File I/O and raster operations directly interact with the local file system, requiring appropriate read/write permissions to configured directories (e.g., `GIS_TEMP_DIR`).
Review Required
The `raster_calculator` tool uses `eval()` to process mathematical expressions on raster data. While it restricts `__builtins__` and whitelists characters, sophisticated injection attacks or resource exhaustion attacks could still be possible if user-provided input for 'expression' is not fully trusted. External API keys (Pelias, Valhalla) are correctly loaded from environment variables. Network requests to external services are implemented with timeouts and rate limiting, enhancing robustness.
Updated: 2025-12-05

Medium Cost

gmail-mcp-server

by iamjoewills

Sec8

Manages Gmail operations including sending, reading, searching, modifying, deleting emails, and managing labels and filters through an AI assistant with auto-authentication.

Setup Requirements

  • ⚠️Requires manual Google Cloud Project setup to enable Gmail API and obtain OAuth 2.0 credentials (`gcp-oauth.keys.json`).
  • ⚠️Requires Node.js and npm to be installed on the host system.
  • ⚠️Port 3000 must be available for the local OAuth authentication callback process.
Verified Safe
The server uses standard OAuth2 for Gmail authentication and stores credentials securely in the user's home directory. File system operations for attachments (reading files for sending, writing files for downloading) are performed locally. While the server itself does not contain obvious 'eval' or malicious code patterns, a potential risk exists with the attachment feature if a malicious AI prompt were to instruct the server to access or exfiltrate arbitrary files from the local filesystem. This risk is inherent to tools that provide file system access to an AI; the server's implementation handles paths and file existence checks, but robust sandboxing or strict AI prompt filtering would be necessary in a high-security deployment.
Updated: 2025-12-11

Medium Cost
Sec8

This MCP server provides a tool for generating images from text prompts using the FLUX 2 Pro model via the KIE.AI API.

Setup Requirements

  • ⚠️Requires KIEAI_API_KEY environment variable for authentication with the KIE.AI service.
  • ⚠️Relies on the external KIE.AI API (which is a paid service).
  • ⚠️Requires Node.js version ^20.19.0 or >=22.12.0.
Verified Safe
The server uses 'process.env.KIEAI_API_KEY' for authentication with an external AI service, preventing hardcoded secrets. Input to the 'text_to_image_flux_2_pro' tool is rigorously validated using Zod schemas, mitigating input-based vulnerabilities. The server acts as a proxy to an external AI API ('https://api.kie.ai'), thus inheriting any security considerations or data handling practices of that third-party service. 'p-retry' is used for robust API calls. No 'eval' or obvious code obfuscation is present.
Updated: 2025-12-05

Low Cost

MCP_tutorial_series

by vincentporte

Sec9

This project provides a tutorial series demonstrating how to build a Microservice Communication Protocol (MCP) server and clients using the fastmcp framework, showcasing tool, resource, and prompt exposure, and integrating with local LLMs.

Setup Requirements

  • ⚠️Requires 'uv' for dependency management and virtual environment setup.
  • ⚠️Requires Python 3.12 or newer.
  • ⚠️Running the LangChain example client (`mcp_clients/langchain.py`) requires a local Ollama server running on `http://localhost:11434` with the specified 'qwen3:8b' model.
Verified Safe
The server uses hardcoded sample data for users, pickups, and shipments in `mcp_server/datas.py`. While this is acceptable for a tutorial, it would be a critical vulnerability in a production environment requiring dynamic data sources and proper authentication. All network communication is configured for `localhost`, mitigating external attack surface for local execution. No 'eval' or malicious patterns were identified. The LLM client uses a local Ollama instance, avoiding external API key exposure.
Updated: 2025-12-12

Low Cost

ine-universal-mcp

by agmalaga2020

Sec9

Provides an MCP server to access Spanish INE (Instituto Nacional de Estadística) data with semantic search and intelligent aggregation for LLMs.

Setup Requirements

  • ⚠️Requires Python 3.11+.
  • ⚠️Requires a one-time semantic search index build (`uv run python scripts/build_index.py`) which takes 10-20 minutes and creates ~500MB of data. Without it, semantic search falls back to keyword search.
  • ⚠️For cloud deployment (e.g., Render, Hugging Face Spaces), the FAISS index (~500MB) needs to be persisted using Git LFS, cloud storage (S3), or a persistent disk (paid tiers) due to non-persistent ephemeral storage on free tiers.
Verified Safe
The project uses httpx for external API calls with robust error handling, timeouts, and retries. Environment variables are used for sensitive configurations (e.g., REDIS_URL), and no hardcoded secrets or malicious patterns were found. FastEmbed (ONNX) is used for embeddings, avoiding potential issues with less secure machine learning frameworks.
Updated: 2025-11-26

Medium Cost

wp-blocks-mcp

by Akungapaul

Sec7

This server provides a set of tools to interact with WordPress block patterns and reusable blocks via the Model Context Protocol.

Setup Requirements

  • ⚠️Requires WORDPRESS_URL environment variable.
  • ⚠️Requires WORDPRESS_USERNAME environment variable.
  • ⚠️Requires WORDPRESS_APP_PASSWORD (WordPress Application Password) environment variable.
Verified Safe
The server uses environment variables (WORDPRESS_URL, WORDPRESS_USERNAME, WORDPRESS_APP_PASSWORD) for authentication, which is good practice. However, it requires write access to the WordPress instance (e.g., to create/delete posts for rendering, create reusable blocks). A compromise of this server or its environment variables could lead to manipulation of the connected WordPress site. Input validation for tool arguments is performed using Zod, which helps mitigate direct injection risks for these specific inputs. The `JSON.parse` operation in `parse_blocks` relies on content from the WordPress API; while standard for block attributes, it could be a vector if the WordPress content itself is maliciously crafted by an attacker.
Updated: 2025-11-28

Medium Cost

moneywiz-mcp

by aplaceforallmystuff

Sec5

A server component likely designed for managing or integrating financial data, possibly serving an API for a larger application.

Review Required
Source code not provided for analysis. Unable to perform a comprehensive security audit, check for 'eval', obfuscation, hardcoded secrets, or other malicious patterns. Therefore, a neutral score is assigned, and safety cannot be guaranteed.
Updated: 2025-11-30

Low Cost

MCP_CLI

by romeoscript

Sec9

Scaffolds Model Context Protocol (MCP) servers quickly with TypeScript or JavaScript, including example tools and resources.

Setup Requirements

  • ⚠️Requires Node.js >= 18.0.0
  • ⚠️Requires npm >= 9.0.0
Verified Safe
The CLI itself does not expose network services or handle sensitive data beyond project creation metadata. It uses standard file system operations (fs-extra) and input sanitization for project names. The generated server code (from templates) does initialize an HTTP server on port 6000, which is standard for an MCP server, but the CLI toolkit itself is not responsible for securing the generated server's deployment. No 'eval' or obvious malicious patterns found in the CLI's source.
Updated: 2025-11-20

Medium Cost

arena-mcp-server

by jonathansalzer

Sec9

Enables Claude to interact with Arena PLM for searching and retrieving product lifecycle management data via a natural language interface.

Setup Requirements

  • ⚠️Docker required
  • ⚠️Arena PLM account and API access required
  • ⚠️Requires Python 3.10+
Verified Safe
The server uses environment variables for sensitive Arena PLM credentials (email, password), which is a good security practice. API calls are made to a specific, hardcoded base URL. Input to tools is defined with `inputSchema`, providing some level of validation. No 'eval' or other dynamic code execution patterns were found. The `_wrap_wildcard` function is for search query formatting, not an injection vector. Operational limitations like lack of session expiration handling or retry logic are noted but not direct security vulnerabilities.
Updated: 2026-01-19

Medium Cost

MCP-AI-swarm

by bigmonmulgrew

Sec7

An AI orchestration and microservices framework designed to route, manage, and distribute LLM requests to various AI backends for tasks like data extraction from unstructured text and generating visual output.

Setup Requirements

  • ⚠️Requires Docker and Docker Compose for full system deployment.
  • ⚠️Requires a local Ollama server (provided by `docker-compose.yml`) for LLM functionality.
  • ⚠️Highly benefits from, and is configured for, an NVIDIA GPU with appropriate drivers for Ollama performance.
  • ⚠️Multiple Python virtual environments are managed by the `setup_envs.py` script for individual service dependencies.
Verified Safe
The `setup_envs.py` script uses `subprocess.run(..., shell=True)` which can be a security risk if the `cmd` or `cwd` arguments are derived from untrusted input. However, in this specific context, the commands are hardcoded or constructed from internal paths, mitigating immediate exploitability for the setup script itself. The main server components (FastAPI) use Pydantic for request body validation, which helps prevent injection attacks. No direct 'eval' or obvious hardcoded secrets are present in the core application logic. Inter-service communication is via HTTP, suggesting a need for proper network isolation and authentication mechanisms in a production environment.
Updated: 2026-01-14