Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Medium Cost

subsets-mcp-server

by subsetsio

Sec7

Provides a Model Context Protocol server for AI assistants to query and manage statistical datasets, either remotely from Subsets.io or locally via DuckDB.

Setup Requirements

  • ⚠️ Requires a Subsets.io API Key (potentially paid) for remote mode functionality.
  • ⚠️ Requires 'uv' (Python package installer) to be installed on the system.
  • ⚠️ Requires Python 3.11 or higher.
  • ⚠️ Initial setup involves downloading a 100MB+ semantic search embedding model and a keyword search index, requiring disk space and internet access.

Verified Safe
The server's `execute_sql_query` tool directly executes arbitrary SQL queries provided as a string. While designed for AI-generated queries, this pattern can be a SQL injection vulnerability if the query parameter is not sanitized and comes from an untrusted source, potentially exposing or manipulating loaded datasets. The server relies on fetching and running code directly from a GitHub repository via `uvx`, introducing a supply chain risk if the repository were to be compromised. API keys and R2 credentials are read from files or environment variables, which is good practice.
Updated: 2026-01-07

Medium Cost

The Azure Pricing MCP server provides AI agents with real-time Azure retail pricing information for cost estimation, comparison, and SKU discovery in infrastructure planning workflows.

Setup Requirements

  • ⚠️ Requires Python 3.10+ (if not using Docker)
  • ⚠️ Requires internet access to the Azure Retail Prices API (prices.azure.com)
  • ⚠️ Requires installation of Python dependencies (`pip install -e .[dev]` or `pip install -r requirements.txt`)

Verified Safe
The MCP server interacts with a public Azure pricing API. While no direct 'eval' or obfuscation is found, parameters passed to the Azure Retail Prices API's '$filter' are directly inserted into the OData query string. This assumes the Azure API sanitizes inputs robustly. However, as it's a read-only public API, the impact of a theoretical injection would be minimal (e.g., fetching incorrect data, not arbitrary code execution). No hardcoded credentials for external services are found.
Updated: 2026-01-19

Low Cost

mcp-server-uyuni-docs

by jordimassaguerpla

Sec10

This project provides documentation for an MCP Server integrated with the Uyuni system.

Verified Safe
The provided 'SOURCE CODE' consists solely of a README.md file containing only the project title. There is no executable code to audit for security risks like eval, obfuscation, network issues, or hardcoded secrets. The README.md itself presents no security vulnerabilities.
Updated: 2025-12-05

Low Cost

MCP_Server_Project

by ofrausto3

Sec8

A foundational FastAPI server for integrating and managing Spark and PostgreSQL data operations and ETL pipelines.

Setup Requirements

  • ⚠️ Requires a Python environment with dependencies installed from `requirements.txt` (e.g., FastAPI, uvicorn, pydantic-settings, asyncpg, pyspark).
  • ⚠️ For actual database interaction, a running PostgreSQL server accessible at the configured host/port is needed.
  • ⚠️ For actual Spark operations, a Spark environment is required (defaults to `local[*]`, which needs Spark binaries/dependencies).
  • ⚠️ Expects a `.env` file for configuration, though default values are provided in `config.py`.

Verified Safe
No 'eval' or obfuscation found. Environment variables are used for sensitive configurations (e.g., Postgres credentials, Spark settings) via `.env` file, which is good practice. The current 'tools' implementations are stubs and do not yet interact with real external systems, minimizing immediate data exposure risk. The `uvicorn` server is configured with `reload=True`, which is suitable for development but should be disabled in a production environment.
Updated: 2025-11-21

High Cost

mcp-supabase-server

by acessosshmika

Sec7

Provides a Model Context Protocol (MCP) server for a sales agent, integrating with Supabase for data storage, Vertex AI for embeddings, and Cohere for re-ranking sales arsenal information. It aims to enhance N8N integrations with advanced AI capabilities.

Setup Requirements

  • ⚠️ Requires a Google Cloud Platform project with Vertex AI enabled and a service account key (GCLOUD_SERVICE_KEY) configured for authentication and access.
  • ⚠️ Requires a Supabase project with specific tables (`arsenal_vendas`, `leads`) and a custom PostgreSQL RPC function (`buscar_arsenal_vetorial`) for vector search, implying a pgvector setup.
  • ⚠️ Requires a Cohere API key for the re-ranking functionality, which is a paid service and will incur usage costs.

Verified Safe
Sensitive credentials (Supabase service key, Google Cloud service account key, Cohere API key) are correctly loaded from environment variables, preventing hardcoding. The `GCLOUD_SERVICE_KEY` is JSON parsed directly from an environment variable, which is a common pattern for Google Cloud credentials but requires that the environment variable's content is securely managed and not exposed or tampered with. The server utilizes default `cors()` (allowing all origins) and binds to `0.0.0.0`, which means it is publicly accessible by default unless deployed within a restricted network or behind a firewall. The use of a Supabase `SERVICE_KEY` grants elevated privileges and necessitates strict access control in production environments.
Updated: 2025-12-12

Low Cost

mcp_test_repo

by timsto-cas

Sec1

A custom client-server application for network communication and remote execution of Python code.

Setup Requirements

  • ⚠️ Requires Python installed.
  • ⚠️ Secure key management for the `auth_key` is critical but not provided in the source code.
  • ⚠️ Network port must be open and accessible for client-server communication.

Review Required
CRITICAL: The server and client both use `eval()` on network-received data (`message['data']` and `response['data']`) without any apparent sanitization. This allows arbitrary remote code execution by a connected party, posing an extremely severe security vulnerability.
Updated: 2025-11-24

High Cost

mcp-server

by Ryttis

Sec3

A minimalist, stable kernel server providing a bounded execution environment for various tools via JSON-RPC over WebSocket, strictly separating business logic from side effects, primarily intended for AI agent integration.

Setup Requirements

  • ⚠️ Requires OpenAI API Key (Paid Service)
  • ⚠️ Requires a running MySQL database with connection details via environment variables
  • ⚠️ Requires ETNOLENTOS_PATH and FACTURACORE_PATH environment variables to enable project-specific tools

Review Required
Critical vulnerabilities for Command Injection (`core.runCommand`), Arbitrary File Read/Write (`core.readFile`, `core.writeFile`), and potential SQL Injection (`core.dbQuery`). The `core.runCommand` tool passes user-controlled input directly to `child_process.exec` without sanitization. The `core.readFile` and `core.writeFile` tools allow reading/writing to arbitrary paths on the file system without proper root confinement. The `core.dbQuery` passes unsanitized SQL queries to the database. These tools lack necessary input validation and path confinement, making the server highly exploitable if exposed.
Updated: 2026-01-13

Low Cost
Sec10

This project contains a minimal Rust 'Hello World' program, serving as a basic boilerplate or placeholder.

Verified Safe
The provided source code consists solely of a 'Hello, world!' program. It performs no network operations, file I/O, external dependency calls, uses no 'eval' or similar functions, and contains no hardcoded secrets or malicious patterns. It is extremely safe.
Updated: 2025-12-06

Low Cost
Sec9

Provides a remote API for tracking and summarizing personal or business expenses.

Setup Requirements

  • ⚠️ Requires Python 3.11 or higher.
  • ⚠️ The 'categories.json' file must be present in the same directory as 'main.py' for the server to function correctly.

Verified Safe
Uses parameterized queries throughout the database operations, effectively preventing SQL injection vulnerabilities. No 'eval' or similar dangerous functions, and no hardcoded secrets were found. The server binds to '0.0.0.0', making it accessible from all network interfaces; users should ensure proper firewalling if exposing it to untrusted networks.
Updated: 2025-12-02

Medium Cost
Sec8

An AI-powered development assistant that integrates GitHub, Jira, Slack, and Documentation tools through the Model Context Protocol (MCP) for intelligent orchestration and manual tool execution.

Setup Requirements

  • ⚠️ Requires an LLM API Key (Anthropic, Gemini, or OpenAI), which may incur costs depending on usage.
  • ⚠️ Requires a GitHub Personal Access Token with `repo` and `read:user` scopes.
  • ⚠️ Requires Node.js 18+ and must be run as two separate processes (backend and frontend).

Verified Safe
The project correctly uses environment variables for sensitive API keys (e.g., GITHUB_TOKEN, LLM_API_KEY), preventing hardcoded secrets. Inter-process communication via JSON-RPC is handled by parsing standard JSON, which avoids `eval` risks. The `cors()` middleware in the backend is broadly applied (`app.use(cors())`), which is common for development but would require stricter configuration (e.g., specific origins) in a production deployment to mitigate potential cross-origin attacks.
Updated: 2026-01-16

Low Cost

my-mcp-server

by hoyeoy

Sec7

A backend API server providing 'tools' for key-value storage, email sending via multiple providers, and Google Sheets data retrieval, likely for integration with AI agents or other applications.

Setup Requirements

  • ⚠️ Requires RESEND_API_KEY environment variable for Resend email functionality.
  • ⚠️ Requires GMAIL_USER and GMAIL_PASS environment variables (Gmail app password) for Nodemailer/Gmail functionality.
  • ⚠️ Requires GOOGLE_SERVICE_ACCOUNT_JSON environment variable (a JSON string for a Google Cloud service account key) for Google Sheets access.
  • ⚠️ Relies on Vercel KV for key-value storage, suggesting a Vercel deployment environment.
  • ⚠️ Project includes both Node.js and Python API functions, necessitating a polyglot serverless deployment environment (e.g., Vercel).

Verified Safe
Broad CORS ('Access-Control-Allow-Origin: *') is enabled on all Node.js API endpoints, which allows requests from any origin. While common for public APIs or development, it generally reduces security if not specifically needed. The 'tool_calls' mechanism in 'api/mcp.js' is implemented safely by checking specific tool names, but dynamic function dispatch patterns should always be carefully reviewed. All secrets are correctly handled via environment variables.
Updated: 2025-11-25

Low Cost

pokemon-tcg-pocket-mcp

by ricardofauch

Sec9

Provides access to Pokemon TCG Pocket data through the TCGdex API for Model Context Protocol (MCP) clients.

Setup Requirements

  • ⚠️ Requires Node.js 18 or higher
  • ⚠️ Requires an MCP-compatible client (e.g., Claude Desktop)
  • ⚠️ Manual absolute path configuration for client integration is needed (e.g., in claude_desktop_config.json)

Verified Safe
The server primarily acts as a proxy for the TCGdex API. It uses standard Node.js/TypeScript practices and the Model Context Protocol SDK. There are no indications of 'eval' usage, obfuscation, or hardcoded sensitive credentials. The main security consideration is the reliance on an external API (TCGdex), which is a common and generally trustworthy data source for Pokémon TCG data.
Updated: 2026-01-19