Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost

expensive-tracker-mcp

by HiteshKumarMeghwar

Sec9

Provides a local Model Context Protocol (MCP) server for tracking and managing personal or business expenses with a SQLite database.

Setup Requirements

  • ⚠️Requires `uv` package manager for setup and execution.
  • ⚠️Requires Python 3.11 or higher.
  • ⚠️The `fastmcp` library is a core dependency.
  • ⚠️Integration with `claude-desktop` is mentioned in the setup for streamlined usage.
Verified SafeView Analysis
The server uses parameterized SQLite queries, mitigating SQL injection risks. File paths for the database and categories are local and relative to the script. No hardcoded secrets or dangerous functions like `eval` or `os.system` are present. Dynamic SQL for `edit_expense` is safely constructed, ensuring only specified fields are updated with parameterized values.
Updated: 2025-11-27 | GitHub
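The parameterised dynamic UPDATE that the analysis above credits is worth seeing side by side with the pattern it avoids. The following is an added example, not code from expensive-tracker-mcp: it uses a constructed in-memory SQLite schema (`expenses` with an `owner` column that the tool is not supposed to touch) and an assumed allow-list of editable columns. The unsafe variant interpolates both column names and values into the SQL text; the safe variant validates column names against the allow-list and binds values and the row id as `?` parameters.

```python
import sqlite3

# Constructed schema and allow-list for this example; expensive-tracker-mcp's
# real column names are not known here.
EDITABLE_COLUMNS = {"amount", "category", "note", "spent_on"}


def setup_db() -> sqlite3.Connection:
    """In-memory SQLite with one constructed sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE expenses (id INTEGER PRIMARY KEY, amount REAL, "
        "category TEXT, note TEXT, spent_on TEXT, owner TEXT)"
    )
    conn.execute(
        "INSERT INTO expenses VALUES (1, 12.5, 'food', 'lunch', '2025-11-01', 'alice')"
    )
    conn.commit()
    return conn


def edit_expense_unsafe(conn, expense_id, fields):
    """Vulnerable pattern: column names and values pasted into the SQL text.
    Anything that fits inside a single UPDATE goes straight through
    (sqlite3.execute refuses stacked ';DROP TABLE' statements, but one UPDATE
    can still rewrite columns the caller was never meant to touch)."""
    assignments = ", ".join(f"{col} = '{val}'" for col, val in fields.items())
    conn.execute(f"UPDATE expenses SET {assignments} WHERE id = {expense_id}")
    conn.commit()


def edit_expense_safe(conn, expense_id, fields):
    """Hardened pattern: column names checked against an allow-list, values and
    the row id bound as parameters. Only the named fields change."""
    if not fields:
        raise ValueError("nothing to update")
    unknown = set(fields) - EDITABLE_COLUMNS
    if unknown:
        raise ValueError(f"not editable: {sorted(unknown)}")
    # Column names come only from the allow-list, so interpolating them is safe.
    assignments = ", ".join(f"{col} = ?" for col in fields)
    params = list(fields.values()) + [expense_id]
    cur = conn.execute(f"UPDATE expenses SET {assignments} WHERE id = ?", params)
    conn.commit()
    return cur.rowcount


def read_row(conn, expense_id):
    return conn.execute(
        "SELECT amount, category, note, owner FROM expenses WHERE id = ?",
        (expense_id,),
    ).fetchone()


def demo():
    """Same attacker-controlled 'note' value through both paths."""
    payload = "x', owner = 'mallory"  # closes the literal, appends an assignment

    conn = setup_db()
    edit_expense_unsafe(conn, 1, {"note": payload})
    unsafe_row = read_row(conn, 1)  # owner silently changed to 'mallory'

    conn = setup_db()
    edit_expense_safe(conn, 1, {"note": payload})
    safe_row = read_row(conn, 1)  # payload stored verbatim, owner untouched

    # A tool argument naming a column outside the allow-list is refused outright.
    try:
        edit_expense_safe(conn, 1, {"owner": "mallory"})
        rejected = False
    except ValueError:
        rejected = True
    return unsafe_row, safe_row, rejected
```

The allow-list is the part that is easy to forget: parameter binding protects values, but column names cannot be bound, so the only safe source for them is a fixed set the code controls rather than the tool's arguments.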
Low Cost

testdata-mcp-server

by christiesj11-ui

Sec2

A basic TCP server demonstrating client-server communication with a rudimentary authentication mechanism.

Setup Requirements

  • ⚠️Requires Java 17+ SDK
  • ⚠️Maven required for building
  • ⚠️Hardcoded 'testuser' and 'testpassword' for authentication
Verified SafeView Analysis
The server has critical security flaws: the credentials ('testuser', 'testpassword') are hardcoded, and the 'authentication' merely Base64-encodes them. Base64 is a reversible encoding, not encryption, so credentials sent over plain TCP can be read by anyone observing the connection. There is no rate limiting on login attempts and no encryption of the communication channel. This makes the server unsuitable for any real-world use.
Updated: 2025-11-30 | GitHub
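The three flaws listed above (reversible "encryption", plaintext credentials, no attempt limiting) map onto a small amount of code. The following is an added example in Python, not the Java code of testdata-mcp-server: the first two functions show what a Base64 login puts on the wire and how trivially an observer recovers it; the `PasswordStore` class shows the storage, comparison and rate-limiting side of a fix. The user names, the PBKDF2 parameters and the lockout policy are assumptions for the example, and transport protection (TLS around the socket) still has to be added separately.

```python
import base64
import hashlib
import hmac
import os
import time


# --- What the weak protocol puts on the wire -------------------------------
def weak_login_message(user: str, password: str) -> bytes:
    """Base64 of 'user:password', the way a Base64-'protected' login sends it."""
    return base64.b64encode(f"{user}:{password}".encode())


def sniff_credentials(wire_bytes: bytes):
    """What a passive observer of the plain TCP stream recovers: Base64 is
    reversible, so this is a decode, not a break."""
    user, password = base64.b64decode(wire_bytes).decode().split(":", 1)
    return user, password


# --- Hardened verification --------------------------------------------------
class PasswordStore:
    """Salted PBKDF2 hashes, constant-time comparison and a per-user attempt
    limit. This fixes storage, comparison and brute-force resistance only;
    the channel itself still needs TLS."""

    def __init__(self, max_attempts=5, lockout_seconds=60, clock=time.monotonic):
        self._users = {}      # user -> (salt, pbkdf2 hash)
        self._failures = {}   # user -> (failed attempts, window start)
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._clock = clock   # injectable so the lockout can be exercised offline

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt))

    def verify(self, user: str, password: str) -> bool:
        now = self._clock()
        count, window_start = self._failures.get(user, (0, now))
        if now - window_start >= self.lockout_seconds:
            count, window_start = 0, now          # window expired, start over
        if count >= self.max_attempts:
            return False                          # locked out: no hash work at all
        record = self._users.get(user)
        # Unknown user: hash against a dummy so timing does not reveal which
        # user names exist.
        salt, expected = record if record else (b"\0" * 16, b"\0" * 32)
        ok = hmac.compare_digest(self._hash(password, salt), expected) and record is not None
        if ok:
            self._failures.pop(user, None)
        else:
            self._failures[user] = (count + 1, window_start)
        return ok
```

`sniff_credentials(weak_login_message("testuser", "testpassword"))` returns the pair unchanged, which is the whole point: an encoding offers zero confidentiality.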
Medium Cost

mcp-holded

by iamsamuelfraga

Sec9

This MCP server enables AI assistants to interact with the Holded Invoice API for managing invoicing, contacts, products, treasuries, and other business operations.

Setup Requirements

  • ⚠️Requires a Holded API Key, which is sensitive and must be obtained from Holded settings.
  • ⚠️Requires Node.js 22.14 or higher to run.
Verified SafeView Analysis
The server correctly requires the HOLDED_API_KEY as an environment variable, preventing hardcoding and promoting secure configuration. There are no apparent uses of `eval` or similar dangerous dynamic code execution patterns. File uploads are forwarded to the external Holded API without local processing of file content, mitigating risks from malicious file payloads on the server itself. Overall security depends heavily on the user's secure handling of the API key and the inherent security of the upstream Holded API.
Updated: 2025-12-31 | GitHub
Medium Cost

ClaudeMCP

by HectorHernandez1

Sec9

This collection of Model Context Protocol (MCP) servers empowers Claude AI with real-time access to stock market data, weather information, news articles, personal financial data from a PostgreSQL database, and Gmail management capabilities.

Setup Requirements

  • ⚠️Requires registration for multiple external API keys (Alpha Vantage, OpenWeatherMap, NewsAPI, Google Cloud/Gmail API) which may have free-tier limitations.
  • ⚠️The Database server specifically requires a local PostgreSQL instance with a pre-configured 'budget_app' schema (e.g., from PersonalFinanceHub).
  • ⚠️The Gmail server setup involves a multi-step Google OAuth configuration as a 'Desktop app' and an interactive browser-based authentication on the first run, which can be a point of friction.
Verified SafeView Analysis
The project demonstrates a strong focus on security, especially in the database and Gmail servers. The database server hardcodes 'localhost' for database connections, prevents SQL injection through parameterized queries, and blocks dangerous SQL keywords (INSERT, UPDATE, DELETE, etc.); a keyword blocklist is defence in depth only, and a read-only database role remains the stronger control. The Gmail server uses Google OAuth 2.0, handles credentials and tokens securely with explicit warnings not to commit them, and includes a safety limit for email deletion. All API keys are loaded from environment variables, preventing hardcoded secrets. Error handling for API rate limits and invalid keys is robust across all servers.
Updated: 2026-01-19 | GitHub
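Keyword blocking of the kind credited above is cheap but brittle, and the contrast with engine-level enforcement is easiest to see with a runnable toy. The following is an added example, not ClaudeMCP's code: it runs a naive blocklist and an SQLite authorizer over the same two statements. SQLite stands in for PostgreSQL here only because it runs offline; the PostgreSQL equivalent of the authorizer is a read-only role or `default_transaction_read_only`. The table, the blocklist contents and the `REPLACE INTO` bypass (an SQLite alias for `INSERT OR REPLACE`) are constructed for the example.

```python
import re
import sqlite3

# Keyword blocklist of the kind a "read-only" database tool often ships with.
BLOCKED_KEYWORDS = {"INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "CREATE", "TRUNCATE"}


def blocklist_allows(sql: str) -> bool:
    """Reject any statement containing a blocked word anywhere in its text."""
    words = set(re.findall(r"[A-Za-z_]+", sql.upper()))
    return not (words & BLOCKED_KEYWORDS)


def read_only_connection() -> sqlite3.Connection:
    """Constructed sample table, then an authorizer that makes the engine
    itself refuse every action except reading."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE budget (id INTEGER PRIMARY KEY, item TEXT, amount REAL)")
    conn.execute("INSERT INTO budget VALUES (1, 'rent', 1200.0)")
    conn.commit()

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY   # inserts, updates, deletes, DDL, pragmas, attach...

    conn.set_authorizer(authorizer)
    return conn


def run_query(conn: sqlite3.Connection, sql: str):
    """Returns (rows, None) on success or (None, error message) when refused."""
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return None, str(exc)


def demo():
    conn = read_only_connection()
    harmless = "SELECT item FROM budget WHERE item != 'delete me'"
    sneaky = "REPLACE INTO budget VALUES (1, 'rent', 0.0)"  # writes without any blocked word
    _, harmless_err = run_query(conn, harmless)
    _, sneaky_err = run_query(conn, sneaky)
    amount_after = conn.execute("SELECT amount FROM budget WHERE id = 1").fetchone()[0]
    return {
        "blocklist_harmless": blocklist_allows(harmless),  # False: a string literal trips it
        "blocklist_sneaky": blocklist_allows(sneaky),      # True: the write slips past
        "engine_harmless": harmless_err is None,           # True: reads are fine
        "engine_sneaky": sneaky_err is not None,           # True: refused at prepare time
        "amount_after": amount_after,                      # 1200.0, unchanged
    }
```

The blocklist gets both statements wrong in opposite directions, while the authorizer decides on what the statement does rather than on which words it contains. Keeping the blocklist as a second layer is fine; relying on it alone is not.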
High Cost

Athena-MCP-RAG-server

by HarshRohilla04

Sec9

A Pinecone-based RAG server for Claude Desktop, designed for large-scale PDF ingestion, AI teaching tools, and RAG evaluation.

Setup Requirements

  • ⚠️Requires Pinecone API Key and index setup (paid service after free tier).
  • ⚠️Requires OpenAI API Key for LLM usage (gpt-4o-mini is used, which is a paid service).
  • ⚠️Large PDFs are recommended for offline ingestion using `pinecone_ingestion.py`.
Verified SafeView Analysis
API keys are loaded from environment variables (`os.getenv`), preventing hardcoding. PDF processing utilizes `pdfplumber` and `base64` decoding for file uploads, which is standard but should be monitored for extremely large or malformed inputs to prevent resource exhaustion. No `eval` or direct command injection vulnerabilities were found.
Updated: 2025-12-21 | GitHub
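The resource-exhaustion caveat above is the kind of thing best handled before the bytes ever reach `pdfplumber`. The following is an added example, not Athena-MCP-RAG-server's code: it decodes a Base64 upload with the size bounded on the encoded text first (so a multi-gigabyte string is refused before any decoding), uses strict decoding, and applies cheap structural checks and a page-count heuristic before a real parser is invoked. The limits, the sample PDF and the helper names are constructed for the example.

```python
import base64
import binascii
import re

MAX_UPLOAD_BYTES = 20 * 1024 * 1024   # constructed limit; size it for your deployment
MAX_PAGES_HINT = 500                   # constructed limit

# Minimal constructed PDF (no xref table; enough for the structural checks below).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n"
    b"%%EOF\n"
)


class UploadRejected(ValueError):
    pass


def page_count_hint(data: bytes) -> int:
    """Cheap upper-bound estimate of page objects; a heuristic, not a parse."""
    return len(re.findall(rb"/Type\s*/Page\b", data))


def decode_pdf_upload(b64_payload: str, max_bytes: int = MAX_UPLOAD_BYTES,
                      max_pages: int = MAX_PAGES_HINT) -> bytes:
    """Decode a Base64 upload with every bound checked before expensive work."""
    text = "".join(b64_payload.split())            # tolerate line-wrapped Base64
    # Base64 inflates by 4/3, so bound the encoded length before decoding at all.
    encoded_limit = (max_bytes * 4 + 2) // 3 + 4
    if len(text) > encoded_limit:
        raise UploadRejected("encoded payload exceeds size limit")
    try:
        data = base64.b64decode(text, validate=True)   # reject junk, do not skip it
    except (binascii.Error, ValueError) as exc:
        raise UploadRejected(f"invalid base64: {exc}") from exc
    if len(data) > max_bytes:
        raise UploadRejected("decoded payload exceeds size limit")
    if not data.startswith(b"%PDF-"):
        raise UploadRejected("not a PDF (missing %PDF- header)")
    if b"%%EOF" not in data[-1024:]:
        raise UploadRejected("truncated PDF (no %%EOF trailer)")
    if page_count_hint(data) > max_pages:
        raise UploadRejected("too many pages")
    return data


def classify(payload: str, **limits) -> str:
    """'ok' or the rejection reason, for the demo below."""
    try:
        decode_pdf_upload(payload, **limits)
        return "ok"
    except UploadRejected as exc:
        return f"rejected: {exc}"


def demo():
    good = base64.b64encode(SAMPLE_PDF).decode()
    return {
        "good": classify(good),
        "oversized": classify("A" * 4000, max_bytes=100),
        "not_base64": classify("%%%not base64%%%"),
        "not_pdf": classify(base64.b64encode(b"hello world").decode()),
        "truncated": classify(base64.b64encode(SAMPLE_PDF[:-10]).decode()),
        "pages": page_count_hint(SAMPLE_PDF),
    }
```

The bytes that pass these checks still deserve a bounded parse: open them with `pdfplumber` in a worker with a wall-clock limit and iterate pages one at a time, since a well-formed PDF can still be pathologically slow to render.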
Medium Cost

mcp-github

by hithereiamaliff

Sec8

This server allows AI models to interact with the GitHub API through the Model Context Protocol (MCP), providing tools for repository management, code search, issue tracking, and pull request workflows.

Setup Requirements

  • ⚠️Requires a GitHub Personal Access Token (PAT) for authentication.
  • ⚠️Self-hosting primarily uses Docker and Docker Compose for deployment.
  • ⚠️For public-facing deployment, Nginx (or similar reverse proxy) is required for SSL termination and path routing.
Verified SafeView Analysis
Authentication relies on a GitHub Personal Access Token (PAT), which can be provided via query parameter, header, or environment variable. Passing the token in the query string is the weakest of the three, since query strings routinely end up in access logs, proxy logs and browser history, but the project recommends it explicitly for compatibility with certain MCP clients; prefer the header or environment variable wherever the client allows it. The server uses Octokit for GitHub API interactions, reducing direct command execution risks. CORS is configured to allow all origins, typical for a public API gateway. No 'eval' or obvious code obfuscation found. Analytics dashboard HTML is generated directly by the server, not from user input, mitigating XSS risks there.
Updated: 2025-12-25 | GitHub
Medium Cost

image_gen_mcp

by pietrozullo

Sec9

Generate and transform images using Google's Gemini AI model through the MCP protocol.

Setup Requirements

  • ⚠️Requires a Google AI API Key (Gemini) which is a paid service.
  • ⚠️Requires Python 3.11+
Verified SafeView Analysis
The server implements good security practices including loading API keys from environment variables, robust validation for uploaded and remote images (size, format, type), and protection against directory traversal for served images. It also converts uploaded images to PNG which can strip potentially malicious metadata. The `0.0.0.0` host binding is standard for cloud deployments but requires external network configuration (firewall/proxy) in production.
Updated: 2026-01-18 | GitHub
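"Protection against directory traversal for served images" is a short phrase covering several distinct cases, and a check that handles only `..` misses the others. The following is an added example, not image_gen_mcp's code: a resolver that maps a client-supplied name to a file under an image root and refuses absolute paths, URL-encoded traversal, symlinks pointing outside the root, and files of the wrong type. The directory layout it builds under a temporary directory, and the PNG-only rule, are assumptions for the example.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

ALLOWED_SUFFIXES = {".png"}   # assumed: the server re-encodes to PNG, so serve only that


class PathRejected(ValueError):
    pass


def resolve_served_image(root: Path, requested: str) -> Path:
    """Map a client-supplied name to a file inside `root`, or refuse."""
    root = root.resolve()
    name = unquote(requested)             # routers may or may not have decoded %2F already
    if not name or "\x00" in name:
        raise PathRejected("empty name or NUL byte")
    # Joining an absolute path replaces root entirely, and resolve() collapses
    # '..' and follows symlinks, so the relative_to check sees the real target.
    candidate = (root / name).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathRejected(f"escapes image root: {requested}") from None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise PathRejected(f"unexpected extension: {candidate.suffix}")
    if not candidate.is_file():
        raise PathRejected("no such image")
    return candidate


def classify(root: Path, requested: str) -> str:
    try:
        return "ok:" + resolve_served_image(root, requested).name
    except PathRejected as exc:
        return "rejected: " + str(exc)


def demo():
    """Constructed layout: images/cat.png, images/notes.txt, and outside.png one
    level up (plus a symlink into it where the OS allows symlinks)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        root = tmp / "images"
        root.mkdir()
        (root / "cat.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        (root / "notes.txt").write_text("secret")
        (tmp / "outside.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        try:
            os.symlink(tmp / "outside.png", root / "link.png")
            have_symlink = True
        except OSError:
            have_symlink = False

        for req in ("cat.png", "../outside.png", "..%2F..%2Fetc%2Fpasswd",
                    "/etc/passwd", "notes.txt", "missing.png"):
            results[req] = classify(root, req)
        if have_symlink:
            results["link.png"] = classify(root, "link.png")
    return results
```

The order of the checks matters: resolving first and comparing against the resolved root is what catches the symlink case, which a string-based `..` filter never sees.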
Low Cost
Sec9

Provides a template for deploying a Model Context Protocol (MCP) Server using FastAPI on Google Cloud Run, demonstrating server deployment, client interaction, and GCS FUSE integration.

Setup Requirements

  • ⚠️Requires Python, Google CLI & SDK, and Docker to be installed.
  • ⚠️Requires a Google Cloud Platform account with billing configured.
  • ⚠️The `gcp_constants.bat` file must be updated with your Google account email (`GCP_USER`) and Google Cloud Billing Account Number (`GCP_BILLING_ACCOUNT`).
  • ⚠️An `OPENAI_API_KEY` environment variable (or in a `.env` file) is required for full functionality, though not directly used in the provided simple `/api/calculator` endpoint.
Verified SafeView Analysis
Secrets (like `OPENAI_API_KEY`) are correctly handled via environment variables, loaded from a `.env` file or Cloud Run environment. The code explicitly avoids logging full API keys. It demonstrates good practice by separating database storage (ephemeral `/tmp` directory) from GCS FUSE mounts due to the latter's characteristics. No `eval` or obvious malicious patterns were found in the provided source code.
Updated: 2025-12-11 | GitHub
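Two entries above touch the same control from different sides: mcp-github accepts its PAT in a query string, where it is prone to being logged, and the Cloud Run template is credited for not logging full API keys. A logging filter that redacts secrets before any handler writes them covers both, so this single added example (not the code of either project) serves both entries. The sensitive parameter and header names, the token prefixes it recognises (`ghp_` and `github_pat_` for GitHub PATs, `sk-` for OpenAI keys) and the hostnames are assumptions for the example.

```python
import io
import logging
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed lists; extend them for the parameters and headers your deployment uses.
SENSITIVE_PARAMS = {"token", "access_token", "api_key", "apikey", "key"}
SENSITIVE_HEADERS = {"authorization", "x-api-key", "x-goog-api-key"}

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
BEARER_RE = re.compile(r"(?i)\b(bearer\s+)([A-Za-z0-9._~+/=-]+)")
# Token prefixes that may appear in free-form log text (assumed formats).
TOKEN_RE = re.compile(r"\b(?:ghp_|github_pat_|sk-)[A-Za-z0-9_-]{16,}")


def mask_secret(value: str, keep: int = 4) -> str:
    """Keep the last few characters so operators can still correlate, drop the rest."""
    if len(value) <= 2 * keep:
        return "****"
    return "****" + value[-keep:]


def redact_url(url: str) -> str:
    """Mask sensitive query parameters, leaving the rest of the URL intact."""
    parts = urlsplit(url)
    pairs = [(k, mask_secret(v) if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="*")))


def redact_headers(headers: dict) -> dict:
    return {k: (mask_secret(v) if k.lower() in SENSITIVE_HEADERS else v)
            for k, v in headers.items()}


def redact_text(text: str) -> str:
    """URLs first (so their query strings are handled structurally), then bearer
    tokens, then bare tokens recognised by prefix."""
    text = URL_RE.sub(lambda m: redact_url(m.group(0)), text)
    text = BEARER_RE.sub(lambda m: m.group(1) + mask_secret(m.group(2)), text)
    return TOKEN_RE.sub(lambda m: mask_secret(m.group(0)), text)


class RedactingFilter(logging.Filter):
    """Attach to every handler so secrets never reach a sink, whatever the caller logs."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(redact_text(a) if isinstance(a, str) else a
                                for a in record.args)
        return True


def demo() -> str:
    """Wire the filter into a logger writing to a buffer; return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactingFilter())
    handler.setFormatter(logging.Formatter("%(message)s"))
    log = logging.getLogger("mcp.redaction.demo")
    log.handlers[:] = [handler]
    log.propagate = False
    log.setLevel(logging.INFO)
    # Constructed token; the format is the one a GitHub classic PAT uses.
    log.info("client connected via %s",
             "https://mcp.example.invalid/sse?token=ghp_abcdefghijklmnopqrstuvwxyz123456")
    return buf.getvalue().strip()
```

Redaction at the logging layer is a backstop, not a reason to keep accepting tokens in query strings: reverse proxies and load balancers in front of the server log the request line long before this filter runs.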
Medium Cost

sciagent

by princeomar9009

Sec7

SciAgent is a CLI tool designed to help users record, analyze, and report on machine learning experiment training data without requiring technical skills.

Setup Requirements

  • ⚠️Requires Python 3.9 or later.
  • ⚠️AI analysis features require an LLM API Key (e.g., OpenAI, DeepSeek, etc.) which is typically a paid service.
  • ⚠️Git must be installed for comprehensive code change tracking and fingerprinting features.
Verified SafeView Analysis
The tool's core functionality involves executing user-provided commands via subprocess (`subprocess.Popen` in `sciagent/guardian.py`), which poses a risk if untrusted commands are executed. AI analysis features send experiment data (prompts) to third-party LLM providers, which could be a data privacy concern for sensitive information. However, no explicit 'eval' usage or hardcoded secrets were detected, and API keys are managed through environment variables, which is good practice.
Updated: 2026-01-19 | GitHub
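Whether executing a user-provided training command is a risk depends mostly on whether a shell gets to interpret it. The following is an added example, not sciagent's `guardian.py`: it tokenises the command without a shell, pins the program to a resolved-path allow-list, and runs it with `shell=False`, so shell metacharacters in the string become ordinary argument text. The `shell=True` variant is included only to show the difference on the same input; the allow-list (just the running interpreter) and the commands are constructed for the example.

```python
import os
import shlex
import shutil
import subprocess
import sys

# Programs a training run may launch, as resolved absolute paths. Constructed
# allow-list: here only the interpreter running this example.
ALLOWED_PROGRAMS = {os.path.realpath(sys.executable)}


class CommandRejected(ValueError):
    pass


def parse_training_command(command: str, allowed=ALLOWED_PROGRAMS) -> list:
    """Tokenise without a shell and pin the program to the allow-list."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:                      # unbalanced quotes etc.
        raise CommandRejected(f"cannot parse: {exc}") from exc
    if not argv:
        raise CommandRejected("empty command")
    program = shutil.which(argv[0])
    if program is None or os.path.realpath(program) not in allowed:
        raise CommandRejected(f"program not allowed: {argv[0]}")
    return [program] + argv[1:]


def run_training_command(command: str, timeout: float = 60, allowed=ALLOWED_PROGRAMS):
    """shell=False: ';', '&&', '|' and '$(...)' are plain argument text here."""
    argv = parse_training_command(command, allowed)
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout


def run_training_command_unsafe(command: str, timeout: float = 60):
    """The risky pattern: the whole string is handed to /bin/sh."""
    proc = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout


def demo():
    py = shlex.quote(sys.executable)
    benign = f"{py} -c 'print(40 + 2)'"
    injected = f"{py} -c 'print(1)'; echo pwned"   # second command smuggled in
    _, safe_out = run_training_command(benign)
    _, injected_out = run_training_command(injected)   # 'echo pwned' becomes argv, never runs
    try:
        run_training_command("rm -rf /tmp/experiments")
        rejected = False
    except CommandRejected:
        rejected = True
    result = {"safe_stdout": safe_out, "injected_stdout": injected_out, "rejected": rejected}
    if os.name == "posix":
        result["shell_true_stdout"] = run_training_command_unsafe(injected)[1]
    return result
```

With `shell=False` the injected text ends up as `sys.argv` of the training script (`print(1);`, `echo`, `pwned`), which is harmless; with `shell=True` the same string runs `echo pwned` as a second command. The allow-list is what stops the user from simply naming a different program.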
Low Cost

notes

by krisrowe

Sec9

Manages notes across multiple backends using a CLI and an MCP server for integration with LLM clients like Claude Code and Gemini CLI.

Setup Requirements

  • ⚠️Requires AppSheet App ID and API Key (AppSheet API access may incur costs or require specific AppSheet plans).
  • ⚠️Requires an existing AppSheet application with a 'Note' table (and optionally 'Attachment' table) conforming to specific column names and types.
  • ⚠️Python 3.10+ and pipx are prerequisites for installation.
Verified SafeView Analysis
API keys and application IDs are loaded from `~/.config/notes/config.json` or environment variables, not hardcoded. The `show_config` MCP tool intentionally redacts API keys. User query parsing builds an Abstract Syntax Tree (AST) which is then transformed into AppSheet API selectors, avoiding direct code execution from user input. Relies on the security of the AppSheet API for data handling and injection prevention. Configuration file permissions (chmod 600) are recommended in documentation but not enforced by the application itself.
Updated: 2025-12-15 | GitHub
Medium Cost
Sec8

An AI voice synthesis operator system integrating with COEIROINK, designed to assign specific voice characters to terminal sessions for long-text audio output, available via both CLI and MCP server interfaces, with optional terminal background images.

Setup Requirements

  • ⚠️Requires Node.js 18+.
  • ⚠️Requires COEIROINK application to be installed and running on `http://localhost:50032`.
  • ⚠️The native `speaker` module requires a manual build approval during `pnpm install` if not globally installed, which can be a point of friction.
  • ⚠️Critical memory leak detected in continuous synthesis tests (AssertionError: expected 16074112 to be less than 1048576), indicating potential instability or high resource usage under sustained load.
  • ⚠️Performance issues detected in handling large numbers of audio chunks (AssertionError: expected 1 to be greater than 10), which could impact long text processing.
Verified SafeView Analysis
The project uses `child_process.execSync` for specific terminal information retrieval (e.g., `itmux current`, `tmux display-message`). While `execSync` carries inherent risks, the usage appears to be controlled with input sanitization. Network requests are made to the local COEIROINK server (localhost:50032) and potentially AWS services for voice synthesis/recognition. The `ConfigManager.deepMerge` function includes explicit checks to prevent prototype pollution attacks. An optional terminal background feature relies on spawning Python scripts, adding another layer of dependencies.
Updated: 2026-01-14 | GitHub
Medium Cost

avalogica-x-mcp

by mdwillman

Sec9

The Avalogica X MCP server provides integration with X (Twitter) for clients to link accounts, post updates, fetch recent posts, and summarize posting history, following the Model Context Protocol (MCP) specification.

Setup Requirements

  • ⚠️Requires an OpenAI API Key for summarization (Paid Service).
  • ⚠️Requires X (Twitter) OAuth client credentials (X_CLIENT_ID, X_CLIENT_SECRET) from a developer account.
  • ⚠️Requires Firebase project setup and appropriate Google Application Credentials for persisting X account credentials (e.g., via Cloud Run's default service account or GOOGLE_APPLICATION_CREDENTIALS locally).
Verified SafeView Analysis
The server uses the OAuth2 PKCE flow for X authentication. Credentials for X (access and refresh tokens) are securely stored and refreshed using the Firebase Admin SDK, implying a managed backend such as Firebase Firestore for persistence. Environment variables are used for API keys and client secrets, which is good practice. The server always uses its configured redirect URI for the OAuth callback and ignores client-provided ones, which enhances security. Logging of the OAuth authorization code and codeVerifier is a minor concern: both are short-lived and not persisted, but anyone with access to the logs during that window holds the two per-transaction values the token exchange is meant to bind together.
Updated: 2025-11-22 | GitHub
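The two points the analysis above makes about this server, a pinned redirect URI and the sensitivity of the code verifier, both fall out of how PKCE works. The following is an added example, not avalogica-x-mcp's code: it implements the S256 verifier/challenge pair from RFC 7636, builds an authorization URL that ignores any client-supplied redirect, and shows the authorization server's check at the token endpoint. The endpoint URLs, client id and scopes are placeholders, and the authorization-server side is included only to make the binding visible; it is not something the MCP server itself implements.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed placeholders; the real X endpoints and Avalogica's callback are not reproduced.
AUTHORIZE_ENDPOINT = "https://authz.example.invalid/oauth2/authorize"
CONFIGURED_REDIRECT_URI = "https://mcp.example.invalid/oauth/callback"
VERIFIER_RE = re.compile(r"^[A-Za-z0-9._~-]{43,128}$")   # RFC 7636 section 4.1


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters, the RFC 7636 minimum."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(verifier))) without padding."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, verifier: str, state: str, scopes,
                        client_supplied_redirect: str = None) -> str:
    """Client side. The redirect_uri is always the configured one; a value the
    MCP client passes in (client_supplied_redirect) is deliberately unused."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": CONFIGURED_REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def verify_pkce(stored_challenge: str, presented_verifier: str, method: str = "S256") -> bool:
    """Authorization-server side check at the token endpoint: the verifier that
    arrives with the code must hash to the challenge sent with the request."""
    if method != "S256" or not VERIFIER_RE.match(presented_verifier or ""):
        return False
    return hmac.compare_digest(code_challenge(presented_verifier), stored_challenge)


def demo():
    verifier = new_code_verifier()
    state = secrets.token_urlsafe(16)
    url = build_authorize_url("client-123", verifier, state, ["tweet.read", "users.read"],
                              client_supplied_redirect="https://attacker.invalid/steal")
    query = parse_qs(urlsplit(url).query)
    challenge = query["code_challenge"][0]
    return {
        "redirect_pinned": query["redirect_uri"][0] == CONFIGURED_REDIRECT_URI,
        "correct_verifier": verify_pkce(challenge, verifier),
        "other_verifier": verify_pkce(challenge, new_code_verifier()),
        "plain_refused": verify_pkce(verifier, verifier, method="plain"),
    }
```

The last two lines of `demo` are the logging caveat in miniature: only the verifier that generated the challenge passes, so a verifier copied out of a log file is as good as the original to whoever reads it before the code expires.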
Page 413 of 713