Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

0
0
Low Cost

Integrate Google Contacts with AI agents (e.g., Claude) using the Model Context Protocol (MCP) as a serverless connector.

Setup Requirements

  • ⚠️Requires an AWS account with AWS CLI configured and CDK installed.
  • ⚠️Requires a Google Cloud project with the People API enabled and OAuth 2.0 Web Application credentials configured (client ID and secret).
  • ⚠️Google OAuth credentials (client_id, client_secret) must be manually stored in AWS SSM Parameter Store after initial CDK deployment, ensuring the `GoogleCallbackUrl` from CDK outputs is added to Google Cloud Console's Authorized redirect URIs.
Verified Safe
The server employs robust security practices including OAuth 2.1 with PKCE, storing sensitive Google API credentials in AWS SSM Parameter Store (which can be configured as SecureString for enhanced protection), and utilizing DynamoDB with AWS-managed encryption and TTL for session, client, and authorization code data. It explicitly states a privacy-first design where no contact data is stored on the server. CORS is correctly configured. A minor note is that the initial CDK deployment places placeholder Google credentials as a `StringParameter`; users must manually update this to a `SecureString` in SSM to fully leverage the client's `WithDecryption` capability as outlined in the setup guide. Otherwise, it demonstrates strong security awareness.
Updated: 2026-01-19
0
0
Low Cost
Sec9

Provides real-time Claude AI access to Obsidian vaults, enabling dynamic querying, searching, and writing of notes without typical token limitations by using the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️The OBSIDIAN_VAULT_PATH environment variable is required for operation.
  • ⚠️For large vaults (1,000+ notes) or when changing embedding models, initial indexing should be run standalone with increased memory allocation (e.g., `node --expose-gc --max-old-space-size=16384 dist/index.js`).
  • ⚠️Changing embedding models requires manually deleting the `.mcp-vector-store` directory and rebuilding the index to ensure compatibility.
Verified Safe
The server demonstrates strong security practices including robust path validation (using `isPathSafe`) to prevent directory traversal attacks, explicit Zod schema validation for all tool inputs, and optional, opt-in write operations (`enableWrite: false` by default) that also employ strict path and existence checks, including a `confirm: true` parameter for deletions. Communication is via local stdio, and embedding generation is performed locally using Transformers.js, minimizing external network exposure. No 'eval' or other highly dangerous patterns were observed. The use of a detached indexing worker is standard practice.
Updated: 2025-12-02
0
0
Medium Cost
mcp-rizz-gamemaker

by taborgreat

Sec8

A browser-based multiplayer social AI game where players interact with an AI character to win her affection.

Setup Requirements

  • ⚠️Requires a Groq API Key for LLM interactions (paid service).
  • ⚠️The GameMaker HTML5 export (build output) must exist in the `frontend/GameMaker/build` directory, implying prior GameMaker development and export is necessary if it's not pre-built.
  • ⚠️Requires Node.js environment.
Verified Safe
The server implements good practices like using environment variables for API keys, sanitizing user input for chat and game messages (stripping HTML, filtering bad words), and wrapping JSON parsing in try-catch blocks to prevent crashes. Basic spam control is also in place for chat messages. The GameMaker iframe integration relies on controlled JavaScript function calls and hardcoded style injections, mitigating direct XSS risks from dynamic content. While comprehensive input validation for all WebSocket message structures isn't explicitly detailed for every field, the existing sanitization and separation of concerns reduce common web vulnerabilities. No 'eval' or other highly dangerous patterns are used with dynamic, untrusted input.
Updated: 2025-12-03
0
0
Medium Cost
Sec9

Provides comprehensive management of n8n workflow automation directly from Claude Desktop by exposing all available n8n API operations.

Setup Requirements

  • ⚠️Requires Node.js 18 or later.
  • ⚠️Requires an n8n instance with API access enabled.
  • ⚠️Requires an n8n API key with appropriate permissions for all intended operations.
  • ⚠️Requires manual configuration in Claude Desktop's `claude_desktop_config.json` file.
Verified Safe
The server employs robust input validation using Zod schemas, which significantly mitigates common injection vulnerabilities. API keys are sourced from environment variables, avoiding hardcoded secrets. Error handling provides informative messages without exposing sensitive internal details. The core security concern lies in the permissions granted to the n8n API key and the security of the connected n8n instance itself, as this server acts as a powerful interface to those resources. No `eval` or directly malicious patterns were identified in the provided source code.
Updated: 2025-12-06
0
0
High Cost
Sec4

An AI agent's debugging copilot that autonomously investigates software bugs through multi-threaded, hypothesis-driven exploration across Git branches.

Setup Requirements

  • ⚠️Requires OpenAI, Anthropic, Gemini, or OpenRouter API Key (Paid)
  • ⚠️Requires Node.js v18+ and Git
  • ⚠️Requires 'uvx' and 'ripgrep' CLI tools (auto-installed by setup, but may require manual intervention on failure)
  • ⚠️Requires '@wonderwhy-er/desktop-commander' MCP server for terminal/filesystem tools (auto-installed by setup on Windows, must be available on other OSs)
  • ⚠️Project is 'not actively maintained', install at your own risk.
Review Required
The server exposes powerful system interaction capabilities (arbitrary command execution, file system modifications, process management) to AI agents via MCP tools. While intended for debugging, this grants high privileges. There are no clear sandboxing mechanisms for the AI agents themselves, making them capable of destructive actions if LLM behavior is unconstrained or misinterpreted. The project is explicitly marked as 'not actively maintained', which increases the risk of unpatched vulnerabilities. API keys are loaded from environment variables, which is good practice.
Updated: 2026-01-18
0
0
Low Cost
Sec2

A Spring Boot server providing weather data and a general database interaction API, following an MCP architectural pattern.

Setup Requirements

  • ⚠️Requires Java 17+
  • ⚠️Requires Gradle
Review Required
CRITICAL SQL INJECTION VULNERABILITY: The DBController endpoints (e.g., /api/db/insert, /api/db/update, /api/db/delete, /api/db/query) accept raw SQL strings directly from the request body and execute them via JdbcTemplate without any sanitization or parameterized queries. This allows any user to inject arbitrary SQL commands, leading to full data compromise (read, modify, delete) and potentially remote code execution depending on the database configuration and permissions. The use of 'sa' user with an empty password for H2 by default further exacerbates this risk.
Updated: 2025-12-03
0
0
Low Cost
things_mcp

by nicholaspoz

Sec4

Provides an MCP server to interact with the Things3 task manager on macOS via AppleScript for creating, listing, updating, completing, and moving todos and projects.

Setup Requirements

  • ⚠️Requires macOS (AppleScript dependency)
  • ⚠️Things3 application must be installed and running
  • ⚠️Gleam programming language must be installed
  • ⚠️Erlang/OTP must be installed (typically bundled with Gleam)
  • ⚠️Requires manual configuration in Claude Desktop's `claude_desktop_config.json`
Review Required
The server executes AppleScript commands via `osascript` using the `shellout` library, constructing these commands from user-provided input. This pattern inherently introduces a risk of AppleScript injection if the user input is not meticulously sanitized, potentially leading to arbitrary command execution on the user's machine. Without a full review of the AppleScript generation and sanitization logic in the source code, this is a critical security consideration.
Updated: 2026-01-19
0
0
Low Cost
mcp-token-api-rest

by pinax-network

Sec9

An MCP server that exposes The Graph's Token API through Claude and other AI assistants, automatically generating tools from the API's OpenAPI specification.

Setup Requirements

  • ⚠️Requires a running instance of The Graph's Token API, either locally or at a remote URL via `TOKEN_API_BASE_URL`.
  • ⚠️If connecting to a secured Token API, authentication details (e.g., `TOKEN_API_AUTH_TOKEN`) may be required and must be provided as an environment variable.
  • ⚠️Requires Python 3.11 or higher.
Verified Safe
The server dynamically generates tools from an external OpenAPI specification. While the implementation handles basic Python keyword conflicts and uses standard secure practices (e.g., environment variables for config, `httpx` for requests), the overall security relies on the trustworthiness of the upstream Token API (`TOKEN_API_BASE_URL`) and its OpenAPI spec. No direct code-level vulnerabilities like `eval` or hardcoded secrets were identified within the server's own source.
Updated: 2025-11-19
0
0
Medium Cost
fvtt-mcp

by darkbard81

Sec9

Relays events and messages between a Large Language Model (LLM), an MCP server, and Foundry VTT, including features for AI-driven text-to-speech and image generation.

Setup Requirements

  • ⚠️Requires Node.js 20+ and npm 10+.
  • ⚠️Requires `MCP_SERVER_API_KEY` for core relay functionality and `GOOGLE_GENAI_API_KEY` for AI features (TTS, image generation).
  • ⚠️OAuth features (e.g., GitHub authentication) require `GITHUB_CLIENT_ID`, `GITHUB_CLIENT_SECRET`, `GITHUB_REDIRECT_URI`, and `CHATGPT_REDIRECT_URI` environment variables.
Verified Safe
The server demonstrates good security practices including input validation with Zod, use of environment variables for API keys and secrets, and a `safeResponse` utility to sanitize outgoing data (removing keys like 'privateKey', 'apiKey', 'password'). WebSocket connections are authenticated using an API key. OAuth 2.0 routes are present with client ID/secret validation. A deduplication middleware helps prevent replay attacks for specific POST requests. A minor potential misconfiguration risk exists with the default `CORS_URL` being `*`, though its impact is limited to static asset serving in the current setup.
Updated: 2026-01-01
0
0
Medium Cost
test_mcp_server

by thuhang2510

Sec8

A local server exposing personal profile and zodiac compatibility tools for an AI agent to consume and interact with.

Setup Requirements

  • ⚠️Requires ANTHROPIC_API_KEY (paid API) for the client component.
  • ⚠️Requires 'mcp', 'anthropic', and 'python-dotenv' Python packages.
  • ⚠️The client expects the server to be running on 'http://127.0.0.1:8000'.
Verified Safe
No critical vulnerabilities like 'eval' or command injection were found. Input parsing uses regular expressions and string methods robustly. The server runs locally on '127.0.0.1:8000', limiting network exposure. Personal data for 'PEOPLE' is hardcoded within the source file, which is not ideal for real-world applications but acceptable for a demo. The client handles API keys via environment variables, which is good practice.
Updated: 2026-01-19
0
0
Medium Cost
figma-mcp-autocode

by Fiza-Nazz

Sec1

Facilitates automated code generation or interactions related to Figma designs, likely serving as a backend server.

Setup Requirements

  • ⚠️Source code missing, cannot identify specific setup requirements or dependencies.
Review Required
Security audit is impossible as no source code was provided for analysis. Running any server without inspecting its code is inherently unsafe.
Updated: 2025-12-01
0
0
Low Cost
Sec5

Provides configuration files and settings for an MCP (likely Minecraft or Multi-Cloud Platform) server.

Review Required
Cannot perform a detailed security audit as no source code was provided for analysis beyond the repository name and README.md content. No 'eval', obfuscation, hardcoded secrets, network risks, or malicious patterns could be identified due to the absence of code.
Updated: 2026-01-19