Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost

ubem-mcp

by JINGFENGZ

Sec7

Provides tools for Urban Building Energy Model (UBEM) analysis and EnergyPlus simulations, integrating with AI via Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires Python 3.10 or higher.
  • ⚠️Requires EnergyPlus v25.1.0 (or compatible version) installed locally.
  • ⚠️Requires `ENERGYPLUS_ROOT` environment variable to be set, or EnergyPlus to be installed in common default locations for auto-detection to work.
Verified Safe
The server uses `subprocess.run` to execute external EnergyPlus and ExpandObjects binaries. While arguments are passed as a list (mitigating direct shell injection), the paths for IDF files, weather files, and output directories are directly derived from user-supplied tool parameters. In a malicious or compromised MCP client environment, crafted paths could potentially lead to unintended file system operations or execution of arbitrary code if the external binaries or the operating system's path resolution are vulnerable to specific path manipulations (e.g., symlink attacks, directory traversal with executable names). The project assumes a trusted local execution environment (e.g., LLM client on the same machine). No hardcoded secrets or direct network risks were identified.
Updated: 2025-12-19
Low Cost

Provides a Model Context Protocol (MCP) server that gates access to AI tools based on active Stripe subscriptions and OAuth/OIDC authentication.

Setup Requirements

  • ⚠️Requires external setup with an OAuth/OIDC provider (Auth0 or Keycloak) including API/client creation and specific configuration steps.
  • ⚠️Requires external setup with Stripe, including creating a product and a recurring price plan to obtain the `STRIPE_SUBSCRIPTION_ID`.
  • ⚠️Requires multiple sensitive environment variables (e.g., Stripe keys, OAuth client secrets) to be explicitly configured in a `.env` file.
Verified Safe
The server uses well-established security libraries (jose for JWT, the MCP SDK for auth middleware) and relies strictly on environment variables for secrets. CORS is set to '*' for demo purposes, which is a security risk in production and would require hardening. The token verifier explicitly warns and skips audience validation if the 'aud' claim is missing from the JWT; a missing 'aud' claim usually indicates a misconfiguration at the identity provider, and skipping the check means such tokens are accepted anyway.
Updated: 2025-12-05
Medium Cost

quantmaster-mcp-server

by seanshin0214

Sec8

An AI-powered quantitative research assistant that provides statistical analysis, causal inference guides, power calculations, and generates analysis code across multiple programming languages.

Setup Requirements

  • ⚠️Requires Node.js 18+
  • ⚠️Requires specific JSON configuration within Claude Desktop for discovery and operation.
  • ⚠️Optional: Configuring the CHROMA_PATH environment variable for persistent ChromaDB storage in a desired location.
Verified Safe
No direct critical vulnerabilities like 'eval' or hardcoded secrets were found. File operation tools ('write_analysis_file', 'create_project_structure') are currently placeholder implementations (they return status messages, not actual file system interactions). If these were to be fully implemented, strict input sanitization and path validation would be crucial to prevent directory traversal or arbitrary file write vulnerabilities. The ChromaDB is configured to run in embedded mode, storing data locally at a path derived from an environment variable or a default, which is configurable.
Updated: 2025-11-28
Low Cost

ha-addons

by mtebusi

Sec3

Enables Claude Desktop to interact with Home Assistant instances using the Model Context Protocol (MCP) for smart home control and automation.

Setup Requirements

  • ⚠️Requires Home Assistant version 2024.1.0 or later.
  • ⚠️Requires the Claude Desktop application to leverage its full functionality.
  • ⚠️Requires SSL certificates for secure remote access (highly recommended, though optional for local HTTP).
  • ⚠️Requires Home Assistant API access, either through a `SUPERVISOR_TOKEN` (when run as a Home Assistant add-on) or a Long-Lived Access Token and explicit `HA_URL` (for standalone deployments).
Review Required
The server's OAuth2 authentication handler (`auth.py`) uses a hardcoded JWT secret ('secret') for signing and validating tokens. The code explicitly notes this is for 'development' and that 'in production, this would be the actual access token from HA', but its presence as-is makes the server critically vulnerable to token forgery by anyone aware of the hardcoded secret. This is a severe security flaw for any deployment where authentication is required. While other aspects like `yaml.safe_load`, structured logging, and network handling appear reasonable, the hardcoded secret fundamentally compromises the security of the authentication mechanism.
Updated: 2026-01-19
Medium Cost

auto-favicon-mcp

by pravinakarunanithi

Sec8

Automatically generate a complete set of favicons, including multiple sizes and manifest.json, from a PNG image file or URL.

Setup Requirements

  • ⚠️Requires Python 3.12 or newer.
  • ⚠️This is an MCP (Model Context Protocol) server, designed to be integrated into an MCP agent or orchestrator, not as a standalone web application with a user interface, despite the README's misleading descriptions of `http://localhost:3000` and `npm install` steps.
  • ⚠️The `pyproject.toml` lists `pathlib2` as a dependency, which is redundant for Python 3.12+ where `pathlib` is standard and improved.
Verified Safe
The server takes absolute paths for input and output, so the calling agent must supply safe, controlled directories to prevent overwrites of sensitive system files. Input paths are validated for absoluteness and existence, and output paths for absoluteness and creatability. Downloading images from arbitrary URLs carries inherent risks such as SSRF or DoS, even though `aiohttp` is a robust library. No 'eval', hardcoded secrets, or obvious command injection vulnerabilities were found in the Python code. Being an MCP server, the code primarily operates via stdio and does not expose a direct HTTP interface.
Updated: 2026-01-19
Medium Cost
Sec9

An AI agent that provides Wikipedia search and information retrieval capabilities via an LLM.

Setup Requirements

  • ⚠️Requires Hugging Face API key (HUGGINGFACEHUB_API_TOKEN), which can incur costs depending on usage and model.
  • ⚠️Requires 'wikipedia', 'mcp', 'langchain-huggingface', 'langgraph', and 'langchain-mcp-adapters' Python packages to be installed.
Verified Safe
No obvious malicious patterns, hardcoded secrets, or dangerous functions like 'eval' or 'exec' were found. The 'HUGGINGFACEHUB_API_TOKEN' is handled via 'getpass', preventing hardcoding. Communication between client and server is local via stdio, minimizing network attack surface.
Updated: 2025-12-09
Medium Cost

what-happen-mcp

by kawayiYokami

Sec5

Provides a backend data service for a news aggregation platform, offering news from various sources via an MCP server or CLI.

Setup Requirements

  • ⚠️Requires proper configuration of numerous environment variables for optimal and stable operation, especially API URLs and keys, though many have default fallback URLs.
  • ⚠️The `FISHP_API_COOKIE` is hardcoded in `src/apis/fishpi.ts` and should be moved to an environment variable or removed for secure and customizable deployment.
  • ⚠️Web scraping is inherently fragile; changes to target website structures may break specific data fetching functions and require code updates.
Review Required
The server primarily scrapes public web pages using Axios and Cheerio. Environment variables are used for most API endpoints, which is good practice. However, `src/apis/fishpi.ts` contains a hardcoded `FISHP_API_COOKIE` (a significant security risk for production deployment unless modified) and a `deviceId=xxx` placeholder. Relying on numerous external web sources introduces inherent risk if those sources change their structure or become malicious. The `proxyPicture` utility functions generate image proxy URLs with optional signing, but the proxy service itself would still need to be securely implemented.
Updated: 2025-11-23
Medium Cost

mcp-server

by mrdr79

Sec8

Provides an API to search YouTube for a song query and return a direct audio stream URL.

Setup Requirements

  • ⚠️Requires Node.js 18.x.
  • ⚠️Reliability is dependent on YouTube's website structure; `ytdl-core` might require updates if YouTube changes its layout.
Verified Safe
The server uses `encodeURIComponent` for search queries and a robust regex to extract video IDs from YouTube's HTML, mitigating direct injection risks. It relies on `ytdl-core` for video information and format selection, which is a well-maintained library. No direct use of `eval` or hardcoded secrets was found. The primary risk is the inherent reliance on YouTube's ever-changing front-end and potential `ytdl-core` vulnerabilities or breakage.
Updated: 2025-12-07
Medium Cost

job_recommender

by manojmk04

Sec8

A local Streamlit application that analyzes PDF resumes using a local Ollama model to summarize, identify skill gaps, and create career roadmaps, while also fetching job recommendations from LinkedIn and Naukri via Apify.

Setup Requirements

  • ⚠️Requires local Ollama instance running.
  • ⚠️Requires Ollama model `gemma3:1b` to be pulled.
  • ⚠️Requires Apify API Key (Apify is a paid service with free tier limits).
Verified Safe
The application loads API keys from environment variables. It interacts with a local Ollama instance by default for LLM inference and with the external Apify service for job fetching. User-provided resume text is sent to the local Ollama instance, and derived keywords are sent to Apify. No direct 'eval' or obvious malicious patterns were found. The primary risks involve the security of the local Ollama setup and the trust placed in the Apify service, which is used with an API key.
Updated: 2025-11-19
High Cost

localmcp

by RicardoBorja

Sec8

Hosts a multiplayer Minecraft server, allowing players to connect and interact in a persistent world.

Setup Requirements

  • ⚠️Requires Java Runtime Environment (JRE) 17+ (or compatible version for Minecraft)
  • ⚠️Requires open network ports (default 25565 for game, 25575 for RCON) and potentially firewall configuration.
  • ⚠️Relies on `server.properties` for configuration, which must be correctly set up and secured.
Verified Safe
Standard Minecraft server implementation using Netty for networking. RCON authentication relies on a password loaded from `server.properties`, which should be strong and unique. The RCON protocol transmits the password without encryption, so network isolation (e.g., firewall rules) and strong password practices are crucial. No 'eval' or obvious hardcoded secrets were found in the provided snippets.
Updated: 2025-11-24
Low Cost
Sec8

A Model Context Protocol (MCP) server for intelligent research data management using vector embeddings and semantic search.

Setup Requirements

  • ⚠️Requires OpenAI API Key (Paid)
  • ⚠️Python 3.13+
  • ⚠️AWS EC2 instance (for deployment)
Verified Safe
The server correctly externalizes sensitive API keys via environment variables or a .env file. User inputs for topic names are sanitized, which prevents path traversal through the `delete_research_topic` tool, whose implementation calls `shutil.rmtree`. No `eval` or direct command injection vulnerabilities were found. Critical security considerations for production deployments, such as implementing authentication, securing EC2 instances with appropriate security groups, and using IAM roles or AWS Secrets Manager, are highlighted in the README.
Updated: 2025-12-13
Medium Cost

Enables an AI agent to create, analyze, fix, and run Flutter projects following Clean Architecture patterns locally.

Setup Requirements

  • ⚠️Requires Flutter SDK (3.0.0+)
  • ⚠️Requires Android Studio for Android features
  • ⚠️Manual configuration of Claude Desktop with an absolute path is required
  • ⚠️Untested on macOS and Linux, potential for platform-specific issues
Verified Safe
The server executes local commands (e.g., `flutter`, `dart`, `gradle`) and performs file system operations (read, write, create) based on input from the AI client. Although it runs locally and is configured by the user, this capability introduces a risk of unintended or malicious command execution if the AI client's input is compromised or malformed. Input validation and sanitization of parameters such as `path` and `file_path` are critical to prevent directory traversal or command injection.
Updated: 2025-12-14