Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Medium Cost

MCP-Security-Proxy

by Rizwan723

Sec9

A security proxy for Model Context Protocol (MCP) to test and defend against vulnerabilities in LLM tool interactions within a cloud-native Dockerized environment.

Setup Requirements

  • ⚠️Docker is required for deployment and orchestration.
  • ⚠️A local GPU (NVIDIA driver) is required for optimal performance of the `custom-llm` service.
  • ⚠️OpenAI or Google API keys (`CLOUD_OPENAI_API_KEY`, `CLOUD_GOOGLE_API_KEY`) are needed if using cloud LLM services.
  • ⚠️Local LLM models (e.g., GGUF files) must be available in the `./models` directory for the `custom-llm` service.
Verified Safe
The MCP Bridge (security proxy) is exceptionally well-designed for its purpose, incorporating multiple layers of defense: a rule-based detector for known attacks, a statistical anomaly detector, a semantic (DistilBERT) prototypical learning detector, and an optional MAML-based few-shot adaptation detector, all within a weighted ensemble that defaults to 'ATTACK' in ambiguous cases. Network isolation is enforced through internal Docker networks for tools, preventing direct external access. Input validation is performed using Pydantic, and ReDoS protection is present in regex-based rules. The primary security risk lies in the intentionally vulnerable 'MCP Tools' services (e.g., filesystem, fetch, sqlite) when their 'SAFE_MODE' flags are set to 'false' (which is the default in the provided `docker-compose.yml` for testing purposes). This design is a feature for vulnerability testing, not a flaw in the proxy's defensive capabilities. A minor theoretical risk is the `torch.load(..., weights_only=False)` call for model loading, which could allow arbitrary code execution if the model files themselves were compromised by an attacker, though in a research context generating its own models, this is standard. The LLM proxy endpoint (`/v1/chat/completions`) performs basic forwarding without explicit security checks in the provided code, but it is configured to use internal LLM services by default.
Updated: 2026-01-19

High Cost

kubeapi-mcp

by dshnayder

Sec8

Enables AI agents to interact with Kubernetes and Google Kubernetes Engine (GKE) clusters using natural language prompts.

Setup Requirements

  • ⚠️Requires kubectl and gcloud CLI to be installed and configured with appropriate credentials and default project/location.
  • ⚠️The `install.sh` script may require `sudo` privileges to move the binary to `/usr/local/bin`.
  • ⚠️If using `--server-mode http`, the server listens on all network interfaces (0.0.0.0) and requires a firewall or other security measures to restrict access.
  • ⚠️Installing for Claude Code CLI (`install claude-code`) requires the `claude` command-line tool to be installed and in the system's PATH.
Verified Safe
The server's HTTP mode binds to all network interfaces (0.0.0.0) by default, which is explicitly documented as requiring external firewalling for security. No 'eval', obfuscation, hardcoded secrets, or direct malicious patterns were identified. The tool relies on standard Kubernetes and gcloud authentication mechanisms (kubeconfig, Application Default Credentials). The ability to apply/delete Kubernetes resources is inherent to its administrative purpose and requires careful AI agent interaction, not a security flaw in the server itself.
Updated: 2025-11-26

High Cost

mcp-google-slides

by shanewwarren

Sec9

Enables LLMs to create and manage Google Slides presentations via browser-based OAuth 2.1 authentication.

Setup Requirements

  • ⚠️Requires Bun runtime (not Node.js)
  • ⚠️Requires manual setup of Google Cloud OAuth 2.0 credentials (Desktop app type, Slides API, Drive API, OAuth consent screen configuration, test users)
  • ⚠️Requires environment variables MCP_GSLIDES_CLIENT_ID and MCP_GSLIDES_CLIENT_SECRET to be set with your Google OAuth credentials.
Verified Safe
The server employs browser-based OAuth 2.1 with PKCE for authentication, which is a secure method for desktop applications. Tokens are stored locally with appropriate file permissions (0600). Environment variables (MCP_GSLIDES_CLIENT_ID, MCP_GSLIDES_CLIENT_SECRET) are used for OAuth credentials, which is best practice. However, the `src/auth/config.ts` file contains placeholder client ID/secret values directly in the code, which could be a theoretical risk if they were ever active and not overridden by environment variables. The application relies on Google's API to fetch images from provided URLs, shifting the security responsibility for URL validation and content fetching to Google's infrastructure. No direct use of `eval()` or arbitrary command execution from user input was found.
Updated: 2026-01-19

Medium Cost
Sec1

Provides an MCP (Managed Code Provider) engine for managing book-related resources and tools, facilitating AI-driven content generation and editing.

Setup Requirements

  • ⚠️Requires `BOOK2_ROOT` environment variable or `--book2-root` CLI argument to define the book's working directory.
  • ⚠️Requires Python 3.8 or higher.
Review Required
CRITICAL: The `resources/read` method in `bookwriting_server/server_stdio.py` (the primary server implementation invoked by `engine.json`) is vulnerable to path traversal. It constructs a `Path` object directly from the user-provided `file://` URI (e.g., `Path(uri.replace("file://", ""))`) without validating that the resulting path is contained within the designated `book2-root`. This allows an attacker to read arbitrary files on the host filesystem that are accessible to the server process, by simply crafting a URI like `file:///etc/passwd`. The `mcp_resources_read` function in `bookwriting_server/__main__.py` (used for selftests) has the same vulnerability. While `server_fastmcp.py` implements necessary path validation (`is_relative_to`), it is not the configured entry point for this engine.
Updated: 2025-12-01

Low Cost

ai-mcp-server-test

by GGoYoungHee

Sec9

This boilerplate facilitates the rapid development of Model Context Protocol (MCP) servers in TypeScript, enabling them to expose various AI-powered tools and resources to MCP clients.

Setup Requirements

  • ⚠️Requires a Hugging Face API token (HF_TOKEN) for the image generation tool, which may incur costs from Hugging Face for usage.
  • ⚠️Requires Node.js version 18 or higher for execution (some development dependencies prefer Node.js 20+).
  • ⚠️For local testing with Cursor MCP, an absolute path to the 'build/index.js' file must be manually configured in './.cursor/mcp.json'.
Verified Safe
Hugging Face API token is correctly retrieved from configuration or environment variables (HF_TOKEN), reducing the risk of hardcoded secrets. Input schemas for tools and prompts are validated using Zod, which helps prevent malformed inputs and potential injection attacks. No direct usage of 'eval' or other highly dangerous patterns was identified. The overall architecture delegates external AI model interactions to a well-known SDK.
Updated: 2025-11-28

Low Cost
Sec7

Provides an AI context server for educational data, integrating with the D6 school management platform to answer natural language queries about student information, academic records, and school operations for AI clients like Claude Desktop.

Setup Requirements

  • ⚠️Requires D6 API credentials (username, password, base URL) for full functionality, potentially requiring an authorized D6 account.
  • ⚠️Requires manual configuration within the Claude Desktop application (or other MCP client) via a specific JSON entry.
  • ⚠️Access to all real D6 API data endpoints (e.g., student marks, parent-child relationships) may still be limited or require activation from D6, despite the server's robust mock data fallbacks and optimized tools addressing client-side data truncation issues.
Verified Safe
The server includes hardcoded test API credentials (username/password) as fallback values, which poses a security risk if not overridden by environment variables in production. Hardcoded JWT secret fallbacks are also present for development environments. However, the system implements robust security measures including environment variable prioritization, input validation with Zod, CORS configuration, and dedicated authentication and tenant-scoping middleware for Fastify-based deployments. Production deployments on Cloudflare Workers and Vercel Edge Functions prevent mock mode if configured for production environments, adding a layer of safety.
Updated: 2026-01-16

Low Cost
Sec9

Provides an MCP server that exposes simple utility functions as tools for multi-agent systems.

Setup Requirements

  • ⚠️Requires Python 3.13 or newer.
  • ⚠️Requires the 'mcp' Python package to be installed.
Verified Safe
The provided source code is simple and does not contain obvious critical vulnerabilities like 'eval', direct OS command execution from user input, or hardcoded secrets. The tools' implementations (string formatting and basic arithmetic) are inherently low risk. Network exposure as an HTTP server means general network security practices should be followed, but no application-level exploits are evident in the given code.
Updated: 2025-12-02

Low Cost

Manages and tracks personal expenses, offering features like adding, listing, updating, deleting, and summarizing expenses with natural language date parsing and categorization.

Setup Requirements

  • ⚠️Requires Python 3.12 or newer
Verified Safe
The server uses `aiosqlite` with parameterized queries, effectively preventing SQL injection vulnerabilities. No 'eval', 'exec', or other notoriously dangerous patterns were found. The database path is set to `/tmp/expense_tracker.db`, which is suitable for ephemeral environments like FastMCP Cloud, reducing risks of persistent data leakage on the host system. No hardcoded secrets or API keys are present in the provided source.
Updated: 2025-11-28

High Cost

system_mcp

by AuraFriday

Sec7

Provides cross-platform desktop automation and management capabilities, optimized for AI access to interact with applications like a human.

Setup Requirements

  • ⚠️Windows is fully implemented, but macOS and Linux support for some advanced UI features (like full UI element scanning and detailed interaction) is explicitly 'in progress' or basic.
  • ⚠️On Windows, UAC Elevation prevents interaction with elevated windows from a non-elevated process.
  • ⚠️On macOS, 'Accessibility Permissions' are required for full automation features, requiring user approval.
  • ⚠️On Linux, specific external tools like `wmctrl`, `scrot`, `ImageMagick`, or `gnome-screenshot` may need to be installed if the preferred `pywinctl` library is not available or insufficient for certain operations.
  • ⚠️Performance considerations exist for UI scanning (100-500ms) and screenshots (50-200ms), which could impact real-time AI interactions.
Verified Safe
The server's core functionality involves direct operating system interaction, including command execution via `subprocess.Popen`, file system operations (read/write), and direct UI manipulation. This grants very powerful control over the user's machine. Security relies heavily on the `tool_unlock_token` and the host system's permissions. If the token is compromised, an attacker could gain full control. The code itself does not show immediate signs of malicious intent or 'eval' of untrusted input, and input parameters are validated. However, due to its inherent power, misuse or compromise of the token poses a high risk. It is safe to run only if the environment is secure and the unlock token is protected.
Updated: 2025-12-02

Low Cost

game-mcp-poc

by softwarewrighter

Sec8

This project implements a Tic-Tac-Toe game with dual interfaces (web UI and MCP server) for human and AI agent interaction, including trash talk.

Setup Requirements

  • ⚠️Requires Rust 2024 Edition, although build scripts assist with installing necessary WASM targets and tools (trunk, wasm-bindgen-cli).
  • ⚠️Python 3 is necessary for executing the provided AI agent example scripts and for JSON pretty-printing via `jq`.
  • ⚠️Manual configuration of Claude Desktop's settings is required to register and use the stdio MCP server binary.
  • ⚠️Specific environment variables (OPENAI_API_KEY, GOOGLE_API_KEY) are needed to run the respective AI agent examples, but not for the server itself.
Verified Safe
No 'eval' or obvious malicious patterns found. Hardcoded secrets are not present in the Rust code; AI agent examples explicitly rely on environment variables (e.g., OPENAI_API_KEY, GOOGLE_API_KEY). Network exposure on port 3000 (HTTP API, SSE, HTTP MCP endpoint) and default permissive CORS (allow_origin(Any)) are typical for development but require hardening (e.g., specific CORS_ORIGIN, rate limiting) for production deployment, as acknowledged in the documentation. Database path configurability is good, but misconfiguration could lead to risks if 'GAME_DB_PATH' points to an insecure or sensitive location on the host system.
Updated: 2025-11-20

Low Cost
Sec1

This application facilitates fetching up-to-date documentation from specified API endpoints.

Setup Requirements

  • ⚠️Requires Windows 10+ or macOS 10.14+
  • ⚠️Requires an active Internet connection
  • ⚠️Distributed as a pre-compiled executable, requiring users to download and run a binary from an untrusted source, which carries inherent security risks and limits auditability.
Review Required
A full security audit cannot be performed as only the `README.md` was provided as 'source code'. The project directs users to download a `.zip` file containing an executable application from `raw.githubusercontent.com`, which is an atypical and less auditable distribution method compared to GitHub Releases. Running pre-compiled executables from unverified sources carries significant inherent security risks, including potential for malware, data exfiltration, or other malicious behavior, especially without the ability to inspect the actual source code. The `README` describes running a desktop application ('double-click the file to run the application') rather than deploying a server from source. This lack of transparency and an unusual distribution method make it impossible to deem safe.
Updated: 2026-01-19

Medium Cost
Sec8

Provides documentation, code snippets, and API guidance for Dynamsoft barcode and document scanning SDKs (Mobile, Python, Web) to AI assistants for code generation.

Setup Requirements

  • ⚠️Requires Node.js version 18 or higher.
  • ⚠️Relies on local 'data' and 'code-snippet' directories; ensure the repository is correctly cloned or packaged with npx.
  • ⚠️Trial license requires network connection for validation.
Verified Safe
The server's core functionality involves reading local files from predefined 'data' and 'code-snippet' directories. Input validation using Zod helps mitigate some risks. The 'generate_project' tool performs file system walks and reads file content, but it's constrained to a maximum depth and explicitly filters out sensitive build directories (e.g., 'node_modules', '.git') and large files, reducing the risk of accidental exposure or resource exhaustion. The trial license included is public and not a sensitive secret. The primary communication mechanism via StdioServerTransport limits external network attack surface for the core server. While local file system interaction always carries some inherent risk, the current implementation shows reasonable precautions.
Updated: 2026-01-19