Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

Vetted Servers (8554)

Medium Cost

sevdesk-mcp

by Honeyfield-Org

Sec9

An MCP Server providing comprehensive tools for managing financial data and business operations within the sevDesk Accounting API, including contacts, invoices, credit notes, orders, vouchers, transactions, and inventory parts.

Setup Requirements

  • ⚠️Requires `SEVDESK_API_TOKEN` environment variable to be set for authentication.
  • ⚠️Requires Node.js version 18 or higher.

Verified Safe
The server demonstrates good security practices by requiring the API token via an environment variable and using Zod for input validation on tool arguments, which helps prevent common injection vulnerabilities. It utilizes `axios` for HTTP requests, a well-regarded library, and includes error interception for API responses. The server uses StdioServerTransport, limiting its network exposure to standard I/O streams as intended by the MCP specification. There are no obvious signs of 'eval', obfuscation, hardcoded sensitive credentials within the codebase, or direct arbitrary file system access beyond module loading.
Updated: 2026-01-16

Medium Cost
Sec5

The Codesona MCP Server provides team coding standards via stdio transport to AI assistants in IDEs, fetching rules from the Codesona API and supporting rule suggestion.

Setup Requirements

  • ⚠️Requires Node.js 18.0.0 or higher.
  • ⚠️Requires a Codesona workspace API key for operation.
  • ⚠️Running in 'development' mode (`NODE_ENV=development`) disables TLS certificate verification, posing a security risk to API communication.

Verified Safe
The server explicitly disables TLS certificate verification (`rejectUnauthorized: false`) when `NODE_ENV` is set to 'development'. This is a critical security risk as it makes the server vulnerable to Man-in-the-Middle (MITM) attacks against the Codesona API in development environments. While conditional, it exposes a significant vulnerability that users should be aware of. No hardcoded secrets or obvious malicious patterns were found, and `CODESONA_API_KEY` is loaded from environment variables.
Updated: 2025-11-22

Low Cost

MCP_Slack_Server

by dadavidtseng

Sec4

Provides a backend server to integrate and interact with the Slack messaging platform, potentially for a project named 'MCP'.

Setup Requirements

  • ⚠️Requires a Slack Bot Token (xoxb-...) for API access.
  • ⚠️Requires a Slack Signing Secret for verifying incoming requests (webhooks).
  • ⚠️If receiving Slack webhooks, it requires a publicly accessible URL or a tunneling solution (e.g., Ngrok) pointing to the server.

Review Required
Source code not provided. Analysis is based solely on the repository name. As a server interacting with Slack, it inherently involves handling sensitive API tokens/secrets and exposing network endpoints. Without code review, critical risks such as hardcoded secrets, improper input validation, denial-of-service vulnerabilities, or unauthenticated endpoints cannot be assessed. It is considered unsafe to run without a thorough security audit of the actual code.
Updated: 2025-11-25

Medium Cost

mcp-sample-server

by sabatajoxicraft

Sec9

Provides current weather alerts and detailed forecasts by leveraging the National Weather Service (NWS) API.

Setup Requirements

  • ⚠️Requires Node.js 18 or later and npm 9 or later.
  • ⚠️Weather data is sourced from the NWS API, meaning it primarily supports US locations.
  • ⚠️The server must be running locally to be used with Claude Desktop.

Verified Safe
The server uses Zod for robust input validation on tool parameters (state code length, latitude/longitude ranges), mitigating common injection risks. API calls are made to the official NWS API, and sensitive information such as API keys is not hardcoded or required, as NWS does not typically require an API key for public data access. Error handling is implemented for network failures and invalid API responses. No 'eval' or other dynamic code execution from user input is present. The `USER_AGENT` and `NWS_API_BASE` are hardcoded but are not secrets.
Updated: 2025-12-13

Low Cost

flux2-mcp-server

by jankutschera

Sec9

This MCP server enables Claude and other MCP clients to generate and edit images using various FLUX.2 models from fal.ai.

Setup Requirements

  • ⚠️Requires a fal.ai API Key (FAL_KEY environment variable).
  • ⚠️Requires Node.js version 18.0.0 or higher.
  • ⚠️Must be configured in Claude Desktop's mcpServers config for full integration.

Verified Safe
The server explicitly requires the FAL_KEY environment variable and handles its absence by exiting, preventing hardcoded secrets. It utilizes established SDKs (`@modelcontextprotocol/sdk`, `@fal-ai/client`) for communication and AI interaction. No 'eval' or direct child process execution is present. The primary security consideration outside of the code itself is the secure management of the FAL_KEY by the user.
Updated: 2025-11-26

High Cost

mcp-csa-toolkit

by saurabhsinha09

Sec8

Serves as an MCP endpoint to generate comprehensive cloud architecture proposals, diagrams, executive summaries, infrastructure code, and requirements templates using various LLMs.

Setup Requirements

  • ⚠️Requires ANTHROPIC_API_KEY or OPENAI_API_KEY (paid services).
  • ⚠️Requires Python 3.9+.
  • ⚠️Local setup requires 'pip install -r requirements.txt'.

Verified Safe
The server handles API keys directly through user input and environment variables. While it does not appear to have direct code vulnerabilities like 'eval', users must ensure the Gradio server is deployed with HTTPS in production, especially when exposing it to external networks ('server_name=0.0.0.0', 'share=True'), to protect API keys in transit. The application itself does not log or persist API keys beyond the session.
Updated: 2025-11-27

Medium Cost

fde_fabric_mcp

by mmcdermott-ashleyne

Sec8

An MCP server to expose Microsoft Fabric workspaces, Lakehouses, Warehouses, SQL endpoints, and FDE-specific project orchestration as tools for AI agents.

Setup Requirements

  • ⚠️Requires Python 3.10 or higher.
  • ⚠️Requires an ODBC Driver for SQL Server (e.g., ODBC Driver 18) installed at the OS level.
  • ⚠️Requires access to a Microsoft Fabric / Power BI tenant and Azure AD application or interactive login for DefaultAzureCredential.
  • ⚠️The 'mcp' client/programming helpers must be installed.

Verified Safe
The server correctly uses environment variables for sensitive credentials. SQL queries executed via `run_sql_query` for the user-defined SQL string are protected by `guardrails.py` which attempts to prevent write operations (INSERT, UPDATE, DELETE, etc.) by analyzing the SQL after stripping comments and literals. While this is a strong defense, executing arbitrary (though filtered) SQL strings carries an inherent risk. DML operations via `execute` and `execute_many` use parameterized queries, which is a safer approach to prevent SQL injection for those specific operations. `subprocess.run` is used for `az account show`, which is a controlled execution of a known command.
Updated: 2026-01-16

High Cost

A production-ready RAG system for MCP that provides intelligent semantic search and question-answering capabilities for codebase and documentation.

Setup Requirements

  • ⚠️Requires Qdrant (Cloud or local Docker) setup with API keys.
  • ⚠️Downloads large (~500MB) embedding models on first run, causing initial slowness.
  • ⚠️The server, when run in standalone mode, will appear to 'hang' as it waits for JSON-RPC messages, which can be confusing for new users.

Verified Safe
The server correctly uses environment variables (`.env.qdrant`) for sensitive credentials like Qdrant API keys, and explicitly warns against committing them. Destructive operations like `delete_all` require explicit `--confirm` flags. However, the `PUBLICATION_CHECKLIST.md` indicates that Qdrant API keys were found in the git history of *other* (non-current) branches, which is a significant security vulnerability if those branches are public. This implies a need for API key rotation and stricter git hygiene across all branches.
Updated: 2025-11-21

Low Cost

heimdall-mcp

by sarva-20

Sec9

Heimdall MCP Server extends Claude Desktop's capabilities to interact with and control macOS system features, applications, and hardware.

Setup Requirements

  • ⚠️Requires macOS (Apple Silicon or Intel)
  • ⚠️Requires Bun runtime
  • ⚠️Requires Claude Desktop
  • ⚠️Requires manual configuration of `claude_desktop_config.json` with absolute paths
  • ⚠️Requires Screen Recording permission for screenshots

Verified Safe
The server leverages child processes (`execAsync`, `Bun.spawn`) to interact with the macOS system, which is inherent to its functionality. The implementation includes sanitization for user-provided string arguments passed to shell commands (e.g., `say`, `open -a`, `osascript`) by escaping double quotes, reducing direct command injection risks. File paths for `save_to_desktop` are constructed using `path.join`, mitigating path traversal. No hardcoded secrets or 'eval' statements were found. The primary security consideration is the inherent power given to an AI to execute commands and access system information on the user's behalf.
Updated: 2026-01-19

Medium Cost

MCP_global_API

by Open-Earth-Foundation

Sec9

Provides a Micro-Agent Compute Protocol (MCP) server to access CityCatalyst Global API for environmental and urban data queries.

Setup Requirements

  • ⚠️Requires access to the external CityCatalyst Global API (https://ccglobal.openearth.dev).
  • ⚠️The `llm_mcp_client.py` (for testing/interaction) requires an OpenAI API Key, which is a paid service.
  • ⚠️Python 3.10+ is implied due to the use of `Type | None` syntax for type hints.

Verified Safe
The server's source code shows good practices for configuration management (environment variables via `os.getenv`), secure HTTP requests (`httpx` with `raise_for_status()`), and URL encoding (`urllib.parse.quote`) to prevent basic injection. There are no direct uses of `eval` or other highly dangerous functions without clear justification. The architecture delegates LLM interaction to a client, limiting the server's direct exposure to LLM-generated code. Security heavily relies on the `fastmcp` framework and the upstream CityCatalyst Global API.
Updated: 2025-12-10

High Cost
Sec9

Provides a Messaging Control Protocol (MCP) server that acts as a client for the SEOMCP backend, enabling AI agents to access specialized SEO optimization, analytics, and content generation tools.

Setup Requirements

  • ⚠️Requires 'SEOMCP_API_KEY' which must be obtained from console.seomcp.run (likely a paid service).
  • ⚠️Requires Python 3.10 or higher.

Verified Safe
The server functions as a stdio proxy client to an external backend API (`https://api.seomcp.run`). It loads its API key and backend URL from environment variables (`SEOMCP_API_KEY`, `SEOMCP_BACKEND_URL`), which is a good security practice. There are no direct uses of `eval` or obvious obfuscation. Network calls use `httpx` with timeouts. Error handling for JSON parsing and general exceptions is present. The primary security considerations would be the trustworthiness of the `seomcp.run` backend and the secure handling of the `SEOMCP_API_KEY` by the user, not inherent vulnerabilities in this client's code.
Updated: 2026-01-04

Low Cost
Sec9

A lightweight FastAPI server acting as a central control plane (MCP) to define, list, and mock calls to various tools and resources, configured via environment variables.

Setup Requirements

  • ⚠️Requires MCP_CONFIG environment variable to be set with valid JSON.
  • ⚠️Requires Python 3 and standard FastAPI/Uvicorn dependencies.

Verified Safe
The current implementation is relatively safe as it primarily mocks tool calls. No 'eval' or direct command injection vectors are present in the provided code. No hardcoded secrets. The primary security consideration for future development is how the 'actual API calls' mentioned in the `call_tool` endpoint will be implemented. If tool definitions or user-supplied arguments are used directly to make external calls without proper sanitization or validation, it could introduce risks (e.g., SSRF, command injection, arbitrary code execution if the 'tool' itself is a script). However, based purely on the provided, mock-focused code, it is generally safe.
Updated: 2026-01-17