Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost

mcp-server

by seeeeeeong

Sec9

A template for building custom Model Context Protocol (MCP) servers to extend AI model capabilities.

Setup Requirements

  • ⚠️Requires Python 3.12 or higher
  • ⚠️Requires `uv` package manager
Verified Safe
The provided source code is a template and implements a very simple example tool. It does not contain 'eval' or similar dangerous functions. Communication is handled via standard I/O (stdio_server), limiting direct network exposure. The `handle_call_tool` processes arguments from client input, but in a controlled manner (dictionary lookup, string formatting) without obvious code injection vulnerabilities. Customization with new tools or resources could introduce security risks if not carefully implemented, but the current code is secure.
Updated: 2025-12-02 (GitHub)
Low Cost

mcp-smart-reader

by prefrontal-systems

Sec8

Enables token-efficient interaction with large documents for LLM agents by providing automatic summarization and granular section extraction.

Setup Requirements

  • ⚠️Requires Python 3.10+
  • ⚠️Requires fastmcp library
  • ⚠️Requires tiktoken library
Verified Safe
The server's `smart_read`, `read_section`, and `list_sections` tools accept a `file_path` argument, allowing it to read arbitrary local files on the system where it's running. While this is core functionality for a document reader, it means the server should be run in a trusted, isolated, or sandboxed environment if exposed to untrusted input to prevent unauthorized file access. No 'eval', obfuscation, hardcoded secrets, or directly malicious patterns were found in the provided code.
Updated: 2025-12-06 (GitHub)
Medium Cost

MCP-server-

by vilashkardate

Sec1

Hosts or manages a Minecraft game server.

Setup Requirements

  • ⚠️Requires Java Runtime Environment (JRE) for execution (typical for Minecraft servers).
  • ⚠️No specific setup instructions provided due to missing source code.
Review Required
CRITICAL: No source code was provided for analysis. Therefore, a comprehensive security audit could not be performed. The score reflects an inability to verify safety, making it inherently risky to run any unknown code.
Updated: 2025-11-20 (GitHub)
Low Cost
Sec7

Provides AI assistants with tools to fetch user Gmail profiles and send emails through API interactions.

Setup Requirements

  • ⚠️Requires a Google Cloud Project with Gmail API enabled.
  • ⚠️OAuth 2.0 Client IDs (GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET) must be configured as environment variables.
  • ⚠️Requires initial user authentication via a web browser, and re-authentication on every server restart as tokens are not persisted.
  • ⚠️Node.js (v18+ recommended).
Verified Safe
The server handles sensitive Google OAuth tokens. `GOOGLE_CLIENT_ID` and `GOOGLE_CLIENT_SECRET` are read from environment variables, which is a good practice. OAuth tokens are *not* persisted to disk (the `fs.writeFileSync` call is commented out), which significantly reduces the risk of static token compromise but necessitates re-authentication on every server restart. The requested Gmail API scopes (`gmail.send`, `gmail.readonly`) grant broad access to user emails, which is a high-sensitivity area. Error messages logged to console could expose internal details if the server is improperly secured or monitored.
Updated: 2025-11-23 (GitHub)
Medium Cost

slovlex-mcp-server

by tomique34

Sec5

This project appears to be a custom server implementation for the Minecraft protocol, likely used for hosting custom game experiences.

Review Required
Source code was not provided for analysis, preventing a comprehensive security audit. A score of 5 is assigned as a neutral placeholder. Specific vulnerabilities like hardcoded secrets, 'eval' usage, or malicious patterns could not be identified. Running this project without code review is not recommended.
Updated: 2025-12-01 (GitHub)
Medium Cost

foretagsinfo-mcp

by isakskogstad

Sec5

Provides an MCP server for accessing Swedish company information, financial data, and annual reports via Bolagsverket API and a Supabase cache.

Setup Requirements

  • ⚠️Requires Bolagsverket API credentials (requires application/registration).
  • ⚠️Requires a Supabase project (Pro plan recommended for data size and reliability, ~$25/month).
  • ⚠️For database import, requires Python with `pyarrow`, `pandas`, `shapely`, `pyproj` in a virtual environment.
Review Required
The provided source code for `src/utils/validators.ts` contains an XSS vulnerability in `SearchQuerySchema`'s `.refine` method. The regex `/<script|javascript:|onerror=|onclick=/i.test(val)` is insufficient to block several common XSS attack vectors, including onload/onfocus events, SVG, iframe, and eval patterns. This is explicitly identified and remediated in the `REMEDIATION-GUIDE.md` but not reflected in the main `src/utils/validators.ts` file. SQL injection prevention is robust for common payloads. No hardcoded secrets were found, and environment variables are used for credentials. The `import-parquet.ts` script uses `child_process.spawn` to execute a Python script, which is generated dynamically, posing a potential (though currently controlled by static inputs) code execution risk. Overall score is lowered significantly due to the unpatched XSS vulnerability.
Updated: 2025-12-02 (GitHub)
High Cost

code-context

by jieyefriic

Sec9

This project provides an MCP (Model Context Protocol) server that automatically scans codebases to extract and manage API endpoint specifications in a vector database for AI coding assistants, enabling instant lookup, semantic search, and complete specifications.

Setup Requirements

  • ⚠️Requires Python 3.10 or higher.
  • ⚠️Requires API keys for LLM providers (e.g., OpenAI, Google Gemini, Anthropic Claude, DeepSeek, Qwen), which are typically paid services.
  • ⚠️If using a non-OpenAI LLM for content generation, a separate OpenAI API key is additionally required for generating text embeddings (specifically for the `text-embedding-3-large` model).
Verified Safe
The server primarily operates locally (localhost:18765). Sensitive API keys are stored in `~/.code-context/config.json` with restrictive permissions (0o600). External LLM API calls utilize user-provided keys, posing a data privacy consideration but not a direct vulnerability in the server itself. `subprocess.run` is used for CLI integrations and log tailing, but arguments appear to be safely constructed from internal logic rather than direct, unsanitized user input. PID file management is implemented for singleton server instances and graceful shutdown, reflecting good operational security practices.
Updated: 2025-11-25 (GitHub)
Medium Cost

braiins-pool-mcp-server

by Ryno-Crypto-Mining-Services

Sec9

A Model Context Protocol (MCP) server providing seamless integration with the Braiins Pool API for Bitcoin mining operations, enabling AI assistants to interact with mining pool data through natural language.

Setup Requirements

  • ⚠️Requires a Braiins Pool API Key (BRAIINS_API_KEY environment variable).
  • ⚠️Requires Node.js v18.0.0 or higher to run directly, or Docker for containerized deployment.
  • ⚠️Optional Redis server recommended for production caching to meet performance targets (Docker Compose with Redis provided).
Verified Safe
The project demonstrates strong security practices: extensive input validation using Zod, secure API key handling via environment variables (with sensitive data redaction in logs), cache key sanitization to prevent injection, and built-in retry/rate limiting for API resilience. The SECURITY.md outlines responsible disclosure, automated scanning, and best practices. No apparent malicious patterns or 'eval' usage without justification were found.
Updated: 2026-01-13 (GitHub)
Low Cost
Sec9

Provides automated static analysis for code, writing, and design documents, delivering detailed critiques and metrics.

Setup Requirements

  • ⚠️Requires Node.js (modern version, supporting ES modules) to run.
  • ⚠️Designed to run as a child process, communicating via standard I/O (stdin/stdout) rather than a network port.
  • ⚠️Requires `npm install` (or equivalent) to set up dependencies.
Verified Safe
The server itself appears robust against common vulnerabilities. It primarily performs static analysis using regex patterns and string manipulation, without executing user-provided code. It actively *detects* potential security flaws (like `eval` usage or exposed secrets) within the content it reviews. Communication is handled via StdioServerTransport, limiting direct network exposure. The `sanitizeForOutput` function is a good practice for preventing path disclosures. No obvious hardcoded secrets or malicious patterns were found in the server's own logic. A score of 9 (instead of 10) is given because no system is perfectly infallible and continuous vigilance is required.
Updated: 2025-12-11 (GitHub)
Medium Cost

nano_banana

by caoshuo594

Sec9

Acts as an MCP (Model Context Protocol) server to proxy OpenRouter API calls, enabling AI chat and image generation functionalities for MCP clients like Claude Code CLI/Desktop.

Setup Requirements

  • ⚠️Requires an OpenRouter API Key, which incurs usage costs based on model and token consumption.
  • ⚠️Python 3.10 or higher is required.
  • ⚠️Optimal use requires an MCP client (e.g., Claude Code CLI or Claude Desktop) for integration.
Verified Safe
The server retrieves API keys from environment variables, preventing hardcoding. It uses standard HTTP libraries (httpx) for API calls and the MCP SDK for communication, avoiding direct execution of user-controlled input or dangerous functions like 'eval'. No obfuscation or malicious patterns were identified. Network risks are standard for external API interactions.
Updated: 2025-12-02 (GitHub)
High Cost

yt-ninja-mcp

by satyamkumar420

Sec8

Provides AI-powered analysis, playback control, and transcript management for YouTube videos through an MCP server.

Setup Requirements

  • ⚠️Requires a Google Gemini API key, which needs to be obtained from Google AI Studio and set as an environment variable (GEMINI_API_KEY).
  • ⚠️Requires Node.js >= 18.0.0 and npm >= 9.0.0.
  • ⚠️Optional: VLC Media Player (for VLC playback, though current code indicates it's not yet supported/implemented) and FFmpeg (for advanced media processing features not fully exposed in the current server.ts, but mentioned in `package.json` dependencies and `CHANGELOG`).
Verified Safe
The server handles API keys via environment variables, avoiding hardcoding. It leverages `spawn` for launching local applications (browsers), which is generally acceptable for a local server, but careful validation of URLs is critical to prevent arbitrary command execution. The `YouTubeURLValidator` is used for relevant tools, mitigating this risk. No 'eval' or obvious malicious patterns found. Dependencies are standard and well-known.
Updated: 2025-11-29 (GitHub)
Low Cost
Sec8

This server provides a Model Context Protocol (MCP) backend for a responsive React-based todo list widget that can be embedded and interacted with inside ChatGPT.

Setup Requirements

  • ⚠️The widget bundle must be built (`npm run build`) before running the MCP server (`npm start` or `npm run start:all`).
  • ⚠️Requires Node.js version 18 or higher.
  • ⚠️Connecting to ChatGPT requires enabling Developer Mode and configuring a Model Context Protocol connector in ChatGPT settings.
Verified Safe
The code generally follows good practices for a web server and React application. Input validation is performed for tool arguments. IDs generated using `Math.random()` are not cryptographically secure but are acceptable for a simple todo application. The server sets `Access-Control-Allow-Origin: *` for CORS, which is necessary for integration with ChatGPT, but in other contexts, it would be considered broad. No critical vulnerabilities like `eval` or command injection were found.
Updated: 2025-12-14 (GitHub)