Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

Vetted Servers (8554)

Low Cost

mcp_calculator

by Mkhubaiib

Sec9

A beginner-friendly Model Context Protocol (MCP) server exposing a simple calculator tool (add, subtract, multiply, divide) over WebSocket using FastAPI.

Setup Requirements

  • ⚠️Requires Python 3.9 or higher.
  • ⚠️Dependencies must be installed via pip (e.g., 'pip install -e .').
Verified Safe
The server demonstrates strong security practices for its scope: it uses Pydantic for robust inbound message validation, handles errors gracefully by returning structured error messages without exposing internal details, and explicitly catches division-by-zero errors. No 'eval' or similar dangerous functions are used. There are no hardcoded secrets, and dependencies are standard. The server primarily performs arithmetic, limiting the attack surface. A basic HTML demo page is exposed on `/demo`, which might typically be removed in a production environment, but is benign in this context.
Updated: 2025-11-27

Medium Cost

outlook-mcp

by horison-ai

Sec9

Provides Microsoft Outlook/Graph API integration as an MCP server, enabling email management and calendar event scheduling.

Setup Requirements

  • ⚠️Requires a separate 'connectivity service' to be running and accessible, typically at http://localhost:8001, to obtain user credentials.
  • ⚠️Requires Python 3.11 or higher.
  • ⚠️Depends on a 'shared' Python module for `credential_cache`, implying it's part of a larger project structure and not a standalone utility.
Verified Safe
The server securely handles credentials by fetching them from an external 'connectivity service' via environment variables, avoiding hardcoded secrets. It uses `httpx` for API calls and raises exceptions on HTTP errors. No 'eval' or obvious malicious patterns were found.
Updated: 2025-11-22

Medium Cost
Sec9

Provides AI-enhanced code search capabilities by integrating with a Sourcegraph instance via the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires access to a Sourcegraph instance (self-hosted or sourcegraph.com).
  • ⚠️Requires Python 3.10+.
  • ⚠️Requires configuration of `SRC_ENDPOINT` environment variable.
Verified Safe
Uses environment variables for sensitive data like API tokens. Employs `yaml.safe_load` for parsing prompt configurations, mitigating YAML deserialization risks. Performs network requests to user-configured Sourcegraph endpoints. Server binds to `0.0.0.0` (all interfaces) by default, standard for a server application.
Updated: 2026-01-19

Medium Cost
Sec8

Provides an MCP tool for AI agents to search enterprise codebases and documentation for development context.

Setup Requirements

  • ⚠️Requires `WEBHOOK_URL` environment variable for the `search` tool to function.
  • ⚠️Requires an MCP client (e.g., VSCode with Cline extension) and specific client-side JSON configuration to load the server.
Verified Safe
The server makes an HTTP POST request to a configurable `WEBHOOK_URL`. The security and trustworthiness of this external webhook endpoint are critical, as it processes AI agent inputs and returns content. Ensure the `WEBHOOK_URL` points to a trusted and secured service. No 'eval' or obvious hardcoded secrets found.
Updated: 2026-01-16

High Cost

sec-mcp

by openpharma-org

Sec9

Provides comprehensive access to SEC EDGAR for searching, retrieving, and analyzing public company filings, financial statements, and dimensional XBRL data.

Setup Requirements

  • ⚠️Requires Node.js 18.0.0 or higher.
  • ⚠️The default `User-Agent` email address `your-email@domain.com` in `src/edgar-api.js` should be replaced with a valid email for SEC API compliance and best practices.
  • ⚠️SEC EDGAR APIs have rate limits (e.g., 10 requests/second). Frequent or unoptimized calls may result in temporary blocks or errors.
Verified Safe
The server uses official SEC EDGAR API endpoints (data.sec.gov, www.sec.gov) and includes a `User-Agent` header as required by SEC guidelines. It uses `axios` for HTTP requests with timeouts, preventing indefinite hangs. Input validation is present for tool call arguments. No `eval`, dynamic code execution, hardcoded sensitive credentials, or obvious malicious patterns were found. The tool relies on parsing public SEC documents, including iXBRL HTML, which could theoretically contain unexpected structures, but operates within the bounds of publicly available, official data.
Updated: 2025-12-22

High Cost

Trading-MCP

by Bwizrd

Sec2

This MCP server provides a comprehensive platform for backtesting trading strategies, visualizing results with interactive charts, managing technical indicators, and integrating with external systems like Notion and SSH for reporting and diagnostics. It supports both code-based and JSON-configured DSL strategies, such as the Stochastic Quad Rotation.

Setup Requirements

  • ⚠️Requires external API servers running on `localhost:8000` (cTrader/InfluxDB) and `localhost:8020` (VPS Tick Data). An additional API server is started on `localhost:8001` for Notion/SSH integrations.
  • ⚠️Requires numerous environment variables to be configured (e.g., `CTRADER_API_URL`, `VPS_API_URL`, `INFLUXDB_URL`, `VPS_API_KEY`).
  • ⚠️Requires Python 3.10+ and a comprehensive list of dependencies from `requirements.txt` (including `pandas`, `httpx`, `plotly`, `pydantic`, `mcp`, `ta`, `pytz`, `uvicorn`, `fastapi`, `pexpect`, `dotenv`, `influxdb_client`).
Review Required
CRITICAL: The `eval()` function is used in `shared/strategies/dsl_interpreter/dsl_strategy.py` to dynamically evaluate comparison expressions from JSON configurations. This allows for arbitrary code execution if a malicious DSL configuration is introduced, making the server highly vulnerable to injection attacks. Additionally, the use of `pexpect` for SSH uploads in `api_server.py` (which itself runs on localhost:8001) could pose risks if not handled with extreme care regarding credential management and command sanitization. Diagnostic logs written to `/tmp/` could potentially expose sensitive data if file permissions are not strictly controlled. Extensive use of `httpx` for external API calls (`VPS_TICK_URL`, `CTRADER_API_URL`, InfluxDB) could lead to SSRF or data leakage if URLs or parameters are not properly validated.
Updated: 2026-01-16

Low Cost

MCP_SERVER

by arnaucast

Sec9

Defines tools for an AI agent to query an SQLite database, specifically for human resources data and database schema exploration.

Setup Requirements

  • ⚠️Requires an agent framework to interpret and execute the defined tools.
  • ⚠️A local SQLite database file named 'dummy_db.sqlite' must exist.
  • ⚠️The 'dummy_db.sqlite' database must contain a 'users' table with 'name', 'salary', and 'department' columns for tools to function effectively.
Verified Safe
The SQL statements utilize parameterized queries for user input ('?'), which effectively mitigates common SQL injection vulnerabilities. The 'get_db_catalog' tool exposes the database schema, which is a standard feature but should be noted for access control considerations if used in a sensitive context. No 'eval', obfuscation, hardcoded secrets, or direct network risks (beyond the local database) are present in the provided configuration.
Updated: 2025-12-06

High Cost

vault-weaver

by consigcody94

Sec9

Vault Weaver enables AI-powered knowledge management for Obsidian vaults, allowing users to create, search, link, and visualize notes through natural language.

Setup Requirements

  • ⚠️Requires Node.js 18+ to be installed.
  • ⚠️Requires an existing Obsidian vault (local folder) with read/write permissions.
  • ⚠️The `OBSIDIAN_VAULT_PATH` environment variable must be set to an absolute path of your Obsidian vault for the server to function.
Verified Safe
The server primarily interacts with the local file system within the `OBSIDIAN_VAULT_PATH` specified by the user. Filenames are sanitized, and content is written as markdown. There are no direct `eval` calls, arbitrary command execution from user input, or external network calls beyond the standard MCP transport. The main security consideration is the `OBSIDIAN_VAULT_PATH` environment variable; users must configure this to a trusted and isolated Obsidian vault to prevent unintended file system access.
Updated: 2025-11-25

Low Cost

common-mcp-server

by Originate-Group

Sec9

Provides a reusable framework for building HTTP Model Context Protocol (MCP) servers with FastAPI, supporting OAuth 2.1 and Personal Access Token (PAT) authentication.

Setup Requirements

  • ⚠️Requires Docker for the recommended 'container-first' development and production pattern.
  • ⚠️Full OAuth 2.1 functionality requires an external Keycloak or OIDC-compatible identity provider with specific client configurations (e.g., public client, PKCE, specific redirect URIs).
  • ⚠️Personal Access Token (PAT) authentication requires the developer to implement a custom asynchronous `verify_function` (e.g., querying a database) to validate tokens.
  • ⚠️The server is a framework; developers must implement tool definitions and handlers specific to their application logic.
Verified Safe
The server design generally follows good security practices for OAuth 2.1 and PAT handling. OAuth token validation uses `python-jose` and fetches JWKS for signature verification, including checks for expiration and claims. PAT authentication relies on a user-provided asynchronous `verify_function` to integrate with a database or external service, which is crucial for secure PAT management. OAuth proxy endpoints are clearly defined and adhere to RFCs for discovery and client registration (returning a pre-configured public client ID with no secret). There are no obvious signs of `eval`, code obfuscation, or hardcoded secrets beyond what's expected in an example's `verify_pat` function, which explicitly notes to use a database in production.
Updated: 2025-12-12

Medium Cost
Sec9

This server provides tools for managing and accessing financial portfolio data from Famvest.

Setup Requirements

  • ⚠️Requires Python 3.14 or newer (as specified in pyproject.toml; note that Python 3.14 is not yet released and this may be a typo for an earlier version).
  • ⚠️Requires manual login to famvest.online to obtain a JWT token, which must then be manually added to the Authorization header for subsequent tool calls.
  • ⚠️Relies on the external 'famvest.online' API for all financial data retrieval.
Verified Safe
The server includes a BearerAuthMiddleware that enforces authentication for most tools, requiring a JWT token in the Authorization header. No hardcoded secrets, 'eval', or obfuscation are present in the provided code. All external API calls use HTTPS to `famvest.online` and include a 10-second timeout. The overall security is also dependent on the security of the external Famvest API.
Updated: 2026-01-17

Medium Cost

bokicast-mcp-server

by lambda-tuber

Sec9

This MCP server assists bookkeeping study sessions by AITubers, visualizing journal entries, T-accounts, and balance sheets/income statements.

Setup Requirements

  • ⚠️Requires Windows OS.
  • ⚠️Requires Claude (an MCP client) to be running.
  • ⚠️Requires VOICEVOX for speech synthesis functionality.
  • ⚠️Requires a YAML configuration file to be provided at startup.
Verified Safe
The server primarily handles UI visualization and data processing from a well-defined JSON schema provided by the MCP client. It uses `yaml.safe_load` for configuration, mitigating YAML injection risks. Communication is via standard I/O (stdio), reducing network attack surfaces. No direct `eval` or `exec` on untrusted input was found. The use of `json.loads` on tool arguments is standard for MCP, and the defined data structure limits potential abuse to data content rather than code execution.
Updated: 2025-12-27

Medium Cost

OpenLV

by hafshari

Sec5

Facilitates analysis, transpilation, and AI/LLM insights for LabVIEW VIs by converting them into textual models and ASTs.

Setup Requirements

  • ⚠️Requires LabVIEW environment or SDK for VI Scripting.
  • ⚠️May require an API key for a commercial LLM provider (e.g., OpenAI).
Review Required
The provided source code is limited to the README, making a comprehensive security audit impossible. No malicious patterns, 'eval', hardcoded secrets, or network risks could be identified or ruled out from the available information. A 'built-in MCP server' implies network exposure, but specific implementation details are unknown.
Updated: 2025-12-04