Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

Vetted Servers (8554)

Low Cost

chivas13

by bioanywhere

Sec9

Accessing and processing news data from the World News API.

Setup Requirements

  • ⚠️Requires an API key from World News API (Paid service).
  • ⚠️Python client requires Python 3.7+.
  • ⚠️C++ client requires Qt for building and runtime.
Verified Safe
This repository provides client libraries for the World News API, not a server. The code is auto-generated by OpenAPI Generator and appears to follow standard best practices for client-side API interaction. No 'eval', obfuscation, or obvious malicious patterns were found. API keys (e.g., 'apiKey', 'headerApiKey') are loaded dynamically and must be securely managed by the user of the library (e.g., via environment variables, not hardcoded). OAuth flows, if implemented in a specific language client, might involve a local callback server, which is a standard pattern but requires proper handling in the user's environment. The primary security consideration lies in the consumer's application logic for credential management and data handling.
Updated: 2025-12-13

Medium Cost

notion-mcp-server

by Son012375

Sec9

Automating Notion page creation, retrieval, and updates for project documentation and knowledge management, integrated with Claude Code CLI.

Setup Requirements

  • ⚠️Requires a Notion API Key and Database ID, which must be manually configured in a `.env` file.
  • ⚠️The Notion database must have specific properties (e.g., '이름' as Title, '날짜' as Date, '카테고리' as Select, '상태' as Status, '태그' as Multi-select) with exact Korean names for full functionality.
  • ⚠️Requires Claude Desktop to be configured to run this MCP server, or manual execution if used standalone.
Verified Safe
The server primarily uses Notion's official API client and parses markdown to Notion block structures. There are no direct `eval` or `exec` calls on user input that would allow code injection into the server's runtime. Sensitive API keys are loaded from `.env` files, which is standard practice for environment variables. The primary security consideration for users is to secure their `.env` file and ensure proper Notion integration permissions are set, as the server will have write access to the specified Notion database.
Updated: 2026-01-19

Medium Cost

mcp-playwright

by xianglq18

Sec1

Provides web automation capabilities, likely through an API, leveraging Playwright for browser control and testing.

Setup Requirements

  • ⚠️Source code not provided for analysis, preventing identification of specific setup requirements.
  • ⚠️Likely requires a Node.js environment and Playwright's browser dependencies to be available.
Review Required
Full source code was not provided for analysis. Therefore, a comprehensive security audit could not be performed. Without inspecting the code for 'eval', hardcoded secrets, network vulnerabilities, or malicious patterns, the system must be considered unsafe to run.
Updated: 2025-12-15

Medium Cost

vault-mcp-server

by mschuchard

Sec9

Provides an interface for managing HashiCorp Vault server resources, including secret engines, authentication engines, audit devices, and ACL policies.

Setup Requirements

  • ⚠️Requires an operational HashiCorp Vault server to connect to.
  • ⚠️Requires Docker for containerized execution (recommended in README).
  • ⚠️Requires a valid Vault authentication token (`VAULT_TOKEN`) with appropriate permissions for the actions performed.
  • ⚠️Requires Python 3.12 or newer for direct execution outside of Docker.
Verified Safe
The server acts as a client wrapper around the 'hvac' library, which is the official Vault Python client. It explicitly retrieves VAULT_URL and VAULT_TOKEN from environment variables, validating the URL format and applying a regular expression check to the token for valid characters, which helps prevent simple injection. No 'eval', 'exec', 'os.system', or similar dynamic code execution patterns were found. The system relies on Vault's inherent security for policy and certificate parsing.
Updated: 2026-01-08

Medium Cost

spec-kit

by jlwainwright

Sec7

The Spec-Kit MCP Server provides a comprehensive toolkit for specification-driven development, automating workflows from feature specification and planning to task breakdown, domain analysis, and guided implementation.

Setup Requirements

  • ⚠️Requires Python 3.11+ (CLI) or 3.8+ (MCP Server)
  • ⚠️Requires 'uv' or 'pip' for package management
  • ⚠️Requires Git for version control and branch management
  • ⚠️Requires a supported AI coding agent (e.g., Claude Code, GitHub Copilot, Gemini CLI)
  • ⚠️GitHub token (GH_TOKEN/GITHUB_TOKEN) is recommended to avoid API rate-limiting for template downloads and GitHub interactions
  • ⚠️Manual configuration of Claude Desktop (or other IDE/agent) is required to register the MCP server endpoint
  • ⚠️Setting `SPECIFY_FEATURE` environment variable is needed for non-Git repositories for context
Verified Safe
The project extensively uses `subprocess.run` for Git commands and script execution. While many calls use list-based arguments which are safer, some shell scripts (e.g., those parsing `{ARGS}` or using `eval $(...)`) could be vulnerable to command injection if malicious input bypasses internal sanitization, especially in untrusted environments. File system operations for templates and outputs are common but appear to be handled with standard Python libraries. No hardcoded secrets were found, and GitHub token handling uses environment variables or explicit arguments. It's a development tool, so some trust in the operating environment is inherent.
Updated: 2025-12-30

High Cost

Cocode-Precise

by L0stInFades

Sec9

An MCP server for precise code symbol retrieval, returning exact source code for functions, classes, and methods by name, and offering semantic search capabilities.

Setup Requirements

  • ⚠️Requires Python 3.10 or later.
  • ⚠️Requires PostgreSQL with the `pgvector` extension installed.
  • ⚠️Requires an API key for one of the following embedding providers: OpenAI (`OPENAI_API_KEY`), Jina (`JINA_API_KEY` with `USE_LATE_CHUNKING=true`), or Mistral (`MISTRAL_API_KEY`). At least one is mandatory for embeddings.
  • ⚠️Initial indexing of large codebases can be slow due to embedding generation.
Verified Safe
The server employs robust security practices, including parameterized SQL queries to prevent injection, path validation (resolving absolute paths, checking for symlinks, verifying directory existence, and ensuring files are within the repository) to prevent directory traversal attacks, and strict environment variable usage for API keys instead of hardcoding secrets. Input length limits (e.g., symbol_name, file size) are also enforced to prevent resource exhaustion. No 'eval' or malicious patterns were identified in the provided source code. The HTTP clients for external APIs use timeouts to prevent hangs.
Updated: 2026-01-19

Medium Cost

OECD-MCP

by KSAklfszf921

Sec9

Enables AI assistants to query and analyze OECD's comprehensive statistical data through its SDMX API.

Setup Requirements

  • ⚠️Requires Node.js and npm installed locally for development or global installation.
  • ⚠️Specific configuration within Claude Desktop's `claude_desktop_config.json` is required for local integration.
Verified Safe
The server interacts with the public OECD SDMX API and does not require authentication. No 'eval', obfuscation, or unusual network risks are evident based on the provided README. It's a standard Node.js application.
Updated: 2025-11-23

Medium Cost

arb-mcp-server

by setsail-it

Sec9

This server provides specialized tools for AI agents, including fetching keyword search volume from DataForSEO, managing HTML artifacts in a PostgreSQL database, retrieving client-specific information and writing rules, generating images via Google Gemini, and managing client discovery documents.

Setup Requirements

  • ⚠️Requires a PostgreSQL database to be configured and accessible via DATABASE_URL.
  • ⚠️Requires API keys for external services: DataForSEO (DATAFORSEO_API_KEY) and Google Gemini (GOOGLE_API_KEY), which may incur costs.
  • ⚠️Requires AWS credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) and an S3 bucket (AWS_S3_BUCKET) for image hosting. The S3 bucket must be configured for public read access.
  • ⚠️The image generation process (`generate_image`) implements exponential backoff, which is good for reliability but might lead to increased latency under high load or temporary API issues.
Verified Safe
The server loads all sensitive credentials (API keys, database URL) from environment variables, which is good practice. Database interactions use parameterized SQL queries, mitigating common SQL injection risks through data values. The process for updating discovery documents correctly maps internal Python parameter names to database columns, and explicitly parses/re-dumps JSON input, further reducing injection vectors. External API calls are handled via standard HTTP requests with API keys in headers. No use of 'eval' or other obviously dangerous functions was found. The main security concern would be improper configuration of AWS S3 bucket policies (e.g., overly permissive public access) for image hosting, but this is an infrastructure concern outside the code itself.
Updated: 2025-12-18

Low Cost

mcp-server-learning

by MuhammadSaadBandukda

Sec9

A basic server component for the Minecraft Protocol, likely for learning or foundational development.

Setup Requirements

  • ⚠️Requires Python 3.14+ (currently in alpha/beta phase, may be unstable or difficult to install depending on the OS/environment).
Verified Safe
The provided source code is extremely minimal, consisting of a print statement and project configuration. There are no direct security vulnerabilities like eval, obfuscation, hardcoded secrets, or network listeners present within this snippet. Any potential risks would originate from the 'mcp' dependency or further implementation, which are not visible here.
Updated: 2025-11-24

Medium Cost
Sec9

Automating personal productivity workflows in Things3 and Notion, leveraging Claude Code skills for contextual guidance and task management.

Setup Requirements

  • ⚠️Requires macOS (due to AppleScript and Things3 dependency).
  • ⚠️Requires Python 3.11+ for the tool scripts.
  • ⚠️Requires 'Claude Code' (an AI agent) and specific configuration within its MCP settings.
  • ⚠️A Notion API token ('NOTION_TOKEN') is required for Notion integration features.
Verified Safe
The MCP server uses Node.js, running locally and communicating via standard I/O, thus not exposing any network ports directly. It executes Python scripts which, in turn, interact with Things3 via AppleScript (osascript) and Notion API (notion_client). API tokens (e.g., NOTION_TOKEN) are properly managed through environment variables. No 'eval' or obfuscation was found. The primary security consideration is the implicit trust in the AppleScript files, which are part of the repository, for controlling Things3 on the user's macOS system.
Updated: 2026-01-07

Low Cost

remote-mcp-servers

by jashanjitattx

Sec9

This server provides an asynchronous API for tracking and summarizing personal or business expenses, allowing users to add new entries, list them by date range, and summarize spending by category.

Setup Requirements

  • ⚠️Requires Python 3.14 or higher as per 'pyproject.toml', which is an unreleased version of Python and likely a typo; it is more probable that it targets Python 3.8+.
  • ⚠️Database data (expenses.db) is stored in the system's temporary directory ('tempfile.gettempdir()') and may not persist across reboots or system cleanups, leading to data loss if not backed up or moved.
  • ⚠️Requires 'aiosqlite' and 'fastmcp' Python packages to be installed.
Verified Safe
The server uses parameterized SQL queries ('?' placeholders) for all database operations, effectively preventing SQL injection vulnerabilities. No 'eval' or similar dangerous functions were found. There are no hardcoded credentials or sensitive information within the provided code. The database is stored in a temporary directory, which has implications for data persistence but doesn't inherently pose a direct security risk, assuming standard OS temporary directory permissions. The server binds to 0.0.0.0, which means it will listen on all available network interfaces, but this is a common default for local services and should be managed with network firewalls in a production setting.
Updated: 2025-12-15

Medium Cost
Sec3

This MCP server enables AI applications to manage Cloudinary environment configurations, including transformations, upload presets, streaming profiles, webhooks (triggers), and upload mappings.

Setup Requirements

  • ⚠️Requires Cloudinary API Key, API Secret, and Cloud Name (Cloudinary service usage may incur costs).
  • ⚠️Requires Node.js v20 or higher to run.
  • ⚠️Requires an MCP-compatible AI client (e.g., Cursor, Claude Desktop, VS Code extension) to interact with the server.
Review Required
The `cloudinaryAuthHook.ts` contains logic to resolve `file://` URIs by reading local files from the server's filesystem and converting them to base64. If any exposed tool or prompt allows user-controlled input for a `file` parameter (e.g., for uploading assets) to be a `file://` URI without strict validation, this creates a critical Local File Inclusion (LFI) vulnerability. An attacker could read arbitrary files from the server. Additionally, the `UploadPreset` model includes an `eval` field, which, if evaluated unsafely by the underlying Cloudinary API or any part of the server, could lead to arbitrary code execution. These are significant risks.
Updated: 2025-11-30