Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

0
0
Low Cost
Zehra-code743 icon

TASK-6

by Zehra-code743

Sec10

Connects GitHub to Google Gemini CLI for AI-powered automation and interaction with GitHub repositories.

Setup Requirements

  • ⚠️Requires a GitHub Personal Access Token (PAT) with `repo` (Read & Write) permissions.
  • ⚠️Requires Google Gemini CLI to be installed and configured locally.
  • ⚠️Requires manual configuration of `~/.config/gemini/settings.json`.
Verified SafeView Analysis
The provided source code (`main.py`) is a simple 'hello world' script and contains no inherent security vulnerabilities. The README describes a configuration process for Google Gemini CLI to interact with a hosted GitHub MCP server, which requires the user to securely manage a GitHub Personal Access Token (PAT). The instructions for PAT creation and storage in `.env` are standard security practices.
Updated: 2025-11-26GitHub
0
0
Low Cost
biral icon
Sec3

This repository serves as a testbed for setting up a Minecraft Protocol (MCP) server within a CI/CD pipeline using Azure DevOps.

Setup Requirements

  • ⚠️Requires VS Code environment for development/plugin interaction
  • ⚠️Assumes familiarity with GitHub for server builds
  • ⚠️Requires an Azure DevOps setup for CI/CD pipeline integration
Review RequiredView Analysis
Security analysis is incomplete. Only the README.md file was provided. No actual source code was available to check for 'eval', obfuscation, network risks, hardcoded secrets, or malicious patterns. A full security audit requires access to the server's implementation code.
Updated: 2025-11-28GitHub
0
0
Low Cost
Harsh21-design icon

Dairy_Management_System

by Harsh21-design

Sec5

A full-stack dairy management system for collecting milk entries, managing customers, and generating bills using FastMCP, SQLite, and Streamlit.

Setup Requirements

  • ⚠️Requires Python 3.11+ as per pyproject.toml.
  • ⚠️The 'streamlit_client.py' is configured by default to connect to a remote FastMCP server URL; to run locally, the client configuration needs to be changed to 'client = Client(transport="http://localhost:8000/mcp")'.
Verified SafeView Analysis
The system prevents SQL injection by using parameterized queries and does not contain hardcoded secrets or dangerous functions like 'eval'. However, a significant security risk is the complete lack of authentication and authorization. Any client capable of connecting to the FastMCP server, whether locally or remotely, can execute all defined tools (e.g., add_customer, add_milk_entry, get_monthly_bill) without any credentials. This is a critical vulnerability if the server is exposed beyond a trusted local environment, especially since the README implies remote deployment and AI client integration.
Updated: 2025-11-25GitHub
0
0
Low Cost
vjkumran icon
Sec9

This project serves as a demonstration and example for automation related to MCP servers.

Verified SafeView Analysis
The provided 'SOURCE CODE' only contained the README.md file. No executable code was available for analysis regarding 'eval', obfuscation, network risks, hardcoded secrets, or malicious patterns. The high score reflects the absence of identified issues *in the provided content*, but a comprehensive security audit is impossible without the actual server code.
Updated: 2025-12-03GitHub
0
0
Medium Cost
mwilber icon

rtm-mcp

by mwilber

Sec9

Manages Remember The Milk tasks by exposing them as tools through a Model Context Protocol (MCP) server, accessible via HTTP or stdio transports.

Setup Requirements

  • ⚠️Requires manual, multi-step authentication with Remember The Milk to obtain RTM_API_KEY, RTM_SHARED_SECRET, and RTM_AUTH_TOKEN.
  • ⚠️The USER_TOKEN environment variable must be set for HTTP request authentication, otherwise the server will not start.
  • ⚠️Requires Node.js version 18 or higher.
Verified SafeView Analysis
The server correctly handles sensitive RTM API credentials (API Key, Shared Secret, Auth Token) and a user token for HTTP authentication by requiring them as environment variables, preventing hardcoding. It uses `crypto.createHash('md5')` for API signing, which is dictated by the Remember The Milk API's design rather than a server-specific vulnerability, but MD5 is generally considered cryptographically weak. Session management for HTTP transport uses `randomUUID()` for session IDs and properly cleans up sessions on close. Error handling is present, preventing internal details from being exposed in public error messages.
Updated: 2026-01-17GitHub
0
0
Medium Cost
tushargandhi77 icon

Model-Contex-Protocol

by tushargandhi77

Sec10

A lightweight, modular Model Context Protocol (MCP) setup designed for building AI-powered tools and extensions, providing a framework for creating, testing, and deploying AI capabilities.

Verified SafeView Analysis
Only the `README.md` file was provided for analysis. No executable source code was found to audit for potential security risks such as 'eval' usage, obfuscation, network vulnerabilities, hardcoded secrets, or malicious patterns. The provided README file itself contains no inherent security vulnerabilities.
Updated: 2025-12-02GitHub
0
0
High Cost
seeeeeeong icon

swagger-mcp-server

by seeeeeeong

Sec7

An MCP (Model Context Protocol) server that enables Large Language Models (LLMs) to understand and interact with external APIs by providing structured access to Swagger/OpenAPI documentation.

Setup Requirements

  • ⚠️Requires an upstream API server exposing its Swagger/OpenAPI documentation (e.g., at http://localhost:8080/v3/api-docs).
  • ⚠️Requires Java Development Kit (JDK) 17+ (typical for Spring Boot 3.x applications).
  • ⚠️OPENAI_API_KEY environment variable is needed if Spring-AI features for LLM interaction are fully utilized, as specified in `application.yml` and the technology stack.
Verified SafeView Analysis
The server fetches Swagger JSON from a configurable URL (`blog.api.url`) using RestTemplate. If this URL can be controlled by an attacker or points to an untrusted external source, it could lead to Server-Side Request Forgery (SSRF). The `getFullSwaggerJson` tool exposes the entire Swagger document, which might contain sensitive internal details if the server is exposed publicly and the Swagger specification is not filtered. Input validation is present for tool parameters, and there are no signs of 'eval', obfuscation, or hardcoded secrets (API keys are read from environment variables).
Updated: 2025-12-10GitHub
0
0
Medium Cost
javiersanchezmza icon

aws-security-mcp-server

by javiersanchezmza

Sec5

This server likely functions as a security management and control plane for Amazon Web Services (AWS) environments, enabling centralized oversight and enforcement of security policies and configurations.

Setup Requirements

  • ⚠️Requires AWS credentials with appropriate IAM permissions (e.g., for EC2, S3, IAM, etc. depending on security scope).
  • ⚠️Requires a suitable server environment for deployment (e.g., a Linux-based VM, Docker container, or Kubernetes cluster).
  • ⚠️Potentially requires specific runtime (e.g., Node.js, Python, Java) depending on implementation language.
Review RequiredView Analysis
A comprehensive security audit is impossible as the source code was not provided for analysis. Without access to the code, specific risks like 'eval' usage, hardcoded secrets, potential network vulnerabilities, or malicious patterns cannot be identified or assessed. The score is neutral due to lack of information.
Updated: 2025-12-15GitHub
0
0
Medium Cost
15496-debug icon

vs-code-agents

by 15496-debug

Sec7

A collection of AI agents designed to enhance the coding experience and streamline workflows within Visual Studio Code, covering planning, implementation, QA, UAT, DevOps, security, and process improvement.

Setup Requirements

  • ⚠️Requires GitHub Copilot in VS Code (paid subscription for Copilot).
  • ⚠️Requires the Flowbaby VS Code extension for persistent memory (free to install, but Flowbaby requires an OpenAI/Anthropic API key for local summarization).
  • ⚠️Relies on various pre-installed developer tools for different languages and ecosystems (e.g., npm, pytest, go test, linters, static analysis tools like Semgrep/Gitleaks).
Verified SafeView Analysis
The agents are designed to execute powerful actions within a developer's environment, including running terminal commands, modifying files, and publishing releases. While the scripts for security checks, testing, and linting are benign, the `devops.agent.md` directly executes `git tag`, `git push`, and package publication commands. This grants significant control, carrying inherent risks if an agent misinterprets a prompt or if the system is maliciously prompted. However, the system includes explicit internal safeguards, such as mandatory user confirmation for releases (`devops.agent.md`) and an emphasis on manual approval for sensitive commands (as noted in the orchestration playbook). The design prioritizes auditability and traceable workflows, with no apparent intentional malicious patterns within the provided source code. The primary risk lies in the execution context and the potential for misuse or misconfiguration.
Updated: 2026-01-19GitHub
0
0
Medium Cost
aiscibe-mcp-deployment icon
Sec7

This server acts as a Model Context Protocol (MCP) gateway, exposing configured APIs as tools for AI models like Claude.

Setup Requirements

  • ⚠️Requires an OpenAI API Key (Paid service) for associated AI model usage, configured as an environment variable.
  • ⚠️Requires Python 3.9 for deployment on Vercel.
  • ⚠️Requires installing Python dependencies from requirements.txt.
Verified SafeView Analysis
The server constructs API calls using a hardcoded base URL and an 'endpoint' path, which could potentially allow for path traversal or unintended URL manipulation if the 'endpoint' is derived from untrusted AI model output without strict validation. Authentication details for connected APIs are configured within the application, and while currently set to 'none' or empty, these could become a hardcoded secret risk if populated directly in the code rather than through environment variables. No 'eval' or obvious malicious patterns were found.
Updated: 2025-12-02GitHub
0
0
Low Cost
Somnath1998-hub icon

expense_manager_mcp_server

by Somnath1998-hub

Sec9

Manages personal or business expenses via an MCP server, allowing LLM clients and applications to add, update, delete, list, filter, and summarize financial transactions.

Setup Requirements

  • ⚠️Requires Python 3.12 or newer.
  • ⚠️The `fastmcp` library must be installed (e.g., `pip install fastmcp`).
  • ⚠️The `expense_categories.json` file must be present in the directory where the script is executed.
Verified SafeView Analysis
The server correctly utilizes parameterized queries for all database operations, effectively preventing SQL injection vulnerabilities. No 'eval', 'exec', or similar dangerous functions are used. File paths for the database and categories are derived from the current working directory, limiting potential file system access risks. The server binds to 0.0.0.0, making it accessible from any network interface; while standard for servers, local deployment should consider firewall rules if exposed beyond a trusted network.
Updated: 2025-12-02GitHub
0
0
Low Cost
code4mk icon
Sec8

Provides AI-powered travel planning tools and real-time weather information for Cox's Bazar, Bangladesh.

Setup Requirements

  • ⚠️Requires Python 3.13+
  • ⚠️Requires uv package manager for installation and running
  • ⚠️Requires Redis server if GitHub OAuth is enabled
  • ⚠️Requires Node.js > 20.x.x for running the inspector tool
Verified SafeView Analysis
The server correctly uses environment variables (`os.getenv`) for sensitive configurations like GitHub OAuth credentials and Redis connection details. It relies on `FastMCP` for its core server logic and interacts with a legitimate external weather API (Open-Meteo). Input parsing for dates uses `python-dateutil`, and structured elicitation uses Pydantic models for validation, which are generally safe practices. No `eval` or obvious obfuscation detected. Potential risks would primarily stem from misconfiguration of OAuth providers or vulnerabilities within the `FastMCP` framework itself, which are external to this specific codebase's immediate scrutiny.
Updated: 2025-11-19GitHub
PreviousPage 373 of 713Next