Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

Vetted Servers (8554)

Medium Cost

discourse-graph-mcp

by DiscourseGraphs

Sec8

Exposes structured discourse graphs to AI assistants for exploration, search, and traversal of research knowledge, including dynamic schema adaptation and inline image display.

Setup Requirements

  • ⚠️Requires a local JSON discourse graph file specified by the DATA_PATH environment variable.
  • ⚠️Image fetching and base64 encoding for inline display can be slow and consume high token counts for image-rich nodes.
  • ⚠️This is a Proof-of-Concept, not optimized for production with limited error handling and no authentication/access control.
Verified Safe
The server loads data from a local JSON file (`DATA_PATH`) and fetches images from publicly accessible Firebase URLs. The `fetchImageAsBase64` function, while designed for public URLs, could pose a Server-Side Request Forgery (SSRF) risk if the `DATA_PATH` file itself were compromised with malicious, internal network URLs. However, given it's a Proof-of-Concept, intended for a single static, presumably trusted JSON data source, and operates via standard I/O (stdio) rather than a network port exposed to the internet, the immediate external attack surface is minimal. No 'eval' or obvious malicious patterns found in the source code. The primary risk lies with the integrity of the input JSON data file.
Updated: 2026-01-16

High Cost

MCPServers

by leegonzales

Sec9

Generate, animate, extend, and transition AI-powered videos using Google Veo 3.1 via the Model Context Protocol.

Setup Requirements

  • ⚠️Requires a Google Gemini API Key (GEMINI_API_KEY environment variable) obtained from Google AI Studio (potentially incurs cost for video generation).
  • ⚠️Requires Node.js version 18 or higher to run.
  • ⚠️Generated video files require local disk space (`~/Documents/veo_generated`).
Verified Safe
The server correctly retrieves the `GEMINI_API_KEY` from environment variables, preventing hardcoded credentials. File system operations (read, write, delete) are strictly confined to a dedicated user-specific output directory (`~/Documents/veo_generated`), and output filenames use `randomUUID` to prevent path traversal vulnerabilities. Input validation for tool parameters is handled robustly using Zod schemas. The server utilizes standard I/O for communication (StdioServerTransport), avoiding direct network port exposure, and outgoing API calls to Google are made securely with an API key in headers.
Updated: 2026-01-08

Low Cost

mcp-server-sdk

by SylphxAI

Sec9

Pure functional MCP (Model Context Protocol) server SDK for building AI-callable tools, resources, and prompts.

Setup Requirements

  • ⚠️Primarily optimized and built for Bun, although Node.js compatibility is maintained through `node:stream` and general web standards (Fetch API, gust).
Verified Safe
The server uses `@sylphx/vex` for robust, type-safe schema validation on all tool and prompt inputs, mitigating common injection vectors. JSON-RPC messages are parsed and validated by `Rpc.parseMessage`. The HTTP transport allows configurable CORS, including a wildcard ('*') which, while flexible, should be used with caution in production. No direct `eval` calls or hardcoded sensitive credentials were found. Standard network server vulnerabilities (e.g., large payload DoS) are inherent to HTTP transport but are not specific to this SDK's logic.
Updated: 2025-12-05

Low Cost
Sec9

Provides tools for AI assistants to search and retrieve details about Swedish IT consultant jobs.

Setup Requirements

  • ⚠️Requires `API_SECRET` environment variable for self-hosting.
Verified Safe
The server correctly handles API secrets via environment variables (API_SECRET) and uses Zod for robust input validation, mitigating common injection risks. There is no evidence of 'eval' or obfuscation. It interacts with a single, defined external API endpoint (https://consultant.dev/api). Permissive CORS headers are present, which is typical for a public tool, but not a critical vulnerability.
Updated: 2025-12-12

Medium Cost
Sec10

The mcp-docs-server provides a Model Context Protocol (MCP) server for efficient search and retrieval of MCP documentation.

Setup Requirements

  • ⚠️Requires Node.js 18.0.0 or higher.
  • ⚠️Requires an active internet connection for initial documentation indexing and subsequent document retrieval.
Verified Safe
The server demonstrates strong security practices. It uses Zod for input validation and critically restricts all external HTTP fetches to a hardcoded allow-list (only 'https://modelcontextprotocol.io/'). This effectively prevents Server-Side Request Forgery (SSRF) and other arbitrary file/URL access vulnerabilities. There is no usage of 'eval', obfuscation, or hardcoded secrets in the provided source code. The application communicates over standard I/O (stdio) when run, which is inherently secure in a local child-process context.
Updated: 2026-01-19

Medium Cost

mcp-thorchain

by MissionSquad

Sec9

Provides an MCP server to access THORChain blockchain data for AI assistants, including transaction details, address history, pool statistics, network stats, and vault addresses.

Setup Requirements

  • ⚠️Requires Node.js >= 20.0.0
  • ⚠️Manual configuration of Claude Desktop JSON file with an absolute path is required for integration.
Verified Safe
Input validation is rigorously enforced using Zod schemas. The server makes API calls to public THORChain endpoints (Midgard, Thornode) and includes provider rotation for redundancy. No hardcoded sensitive secrets or 'eval' usage were found in the provided source code. Direct calls to external APIs inherently carry a minor risk from those APIs, but the project itself appears well-secured.
Updated: 2025-11-22

Low Cost

test-remote-mcp-server

by kaushaldhingra128-boop

Sec1

Unable to identify the specific use case for this 'MCP Server' as the source code was not provided in the prompt.

Setup Requirements

  • ⚠️Source code not provided, cannot analyze requirements or friction points.
Review Required
Source code for 'test-remote-mcp-server' was not provided in the prompt, making it impossible to perform a security audit for 'eval', obfuscation, network risks, hardcoded secrets, or malicious patterns. Due to the complete lack of visibility, the lowest possible security score is assigned, and it is marked as unsafe to run.
Updated: 2025-11-25

Medium Cost
Sec9

An MCP server for interacting with the CardPointe Gateway payment processing API, enabling transaction, inquiry, profile, reporting, and BIN lookup operations.

Setup Requirements

  • ⚠️Requires CardPointe Gateway API Credentials (Merchant ID, Username, Password, Site Identifier) obtained from Fiserv/CardPointe Portal.
  • ⚠️Requires Node.js version >= 20.0.0.
  • ⚠️Defaults to read-only mode; 'READONLY=false' must be set to enable write operations like authorizations, captures, refunds, voids, and profile creation/updates/deletions.
Verified Safe
The server correctly handles sensitive credentials by requiring them as environment variables (CARDPOINTE_USERNAME, CARDPOINTE_PASSWORD, CARDPOINTE_MERCHANT_ID). All API communication uses HTTPS. A robust 'read-only' mode is implemented and enabled by default, blocking all write operations and significantly enhancing safety for production deployments. No 'eval' or obvious obfuscation detected. Error handling is present to prevent exposing raw API errors directly, though further sanitization might be considered for verbose error messages.
Updated: 2026-01-07

Medium Cost

pyodbc-mcp-server

by jjones-wps

Sec9

Provides read-only access to Microsoft SQL Server databases for AI assistants and other clients via the Model Context Protocol (MCP), using Windows Authentication.

Setup Requirements

  • ⚠️Requires Windows operating system to connect to SQL Server using Windows Authentication.
  • ⚠️Requires ODBC Driver 17 or 18 for SQL Server to be installed.
  • ⚠️Requires a Windows domain account with SELECT permissions on the target SQL Server database.
Verified Safe
Designed with robust security: strictly read-only (blocking INSERT, UPDATE, DELETE, etc., even in subqueries), uses Windows Authentication (no credentials stored), enforces row limiting, and communicates via stdio only (no network exposure). A documented local API token exposure was confirmed never to have been committed to git or to have involved actual project tokens; mitigation is complete.
Updated: 2026-01-03

Medium Cost

parrotscribe-mcp

by johanthoren

Sec9

Enables AI agents to interact with the ParrotScribe real-time transcription service on macOS to facilitate 'Speech-to-Action' workflows such as monitoring meetings, tracking action items, or summarizing discussions.

Setup Requirements

  • ⚠️Requires macOS with ParrotScribe installed.
  • ⚠️Requires Node.js 18 or higher.
  • ⚠️The `pscribe` CLI must be available in your system PATH.
Verified Safe
The server directly executes external `pscribe` CLI commands using `child_process.execFileSync`. While arguments are passed as an array to mitigate common shell injection, the overall security critically depends on the robustness and trustworthiness of the `pscribe` CLI itself and preventing malicious manipulation of the `PSCRIBE_PATH` environment variable. Given its local-only operation via standard I/O (stdio) and explicit 'zero-cloud' data flow, network attack surfaces are significantly reduced.
Updated: 2026-01-17

Medium Cost
Sec8

A Cloudflare Workers server for stock screening using SBI証券 CSV data, integrated with ChatGPT for natural language queries.

Setup Requirements

  • ⚠️Requires downloading SBI証券 CSV files in a specific two-step process and placing them in the `inbox/` directory.
  • ⚠️Requires a Cloudflare account and configured Cloudflare KV for data storage.
  • ⚠️The `npm run upload-csv` command will require local Cloudflare CLI authentication or API tokens to interact with Cloudflare KV.
Verified Safe
The example API key provided in the README for ChatGPT integration is a specific value that is likely hardcoded or configured as a secret on the deployed server. In general, API keys should be securely managed and not exposed in documentation examples if they are meant to be unique/sensitive for each deployment. The `upload-csv` script requires local Cloudflare authentication, which could be a security risk if not handled securely by the user.
Updated: 2025-11-19

Low Cost
Sec1

Enables anonymous web searching via the Tor network and DuckDuckGo for use with local language models.

Review Required
The provided source code is an index.md file (documentation) and does not contain any executable code (e.g., Python, JavaScript, Java) for a security audit. Therefore, it is impossible to analyze for 'eval', obfuscation, hardcoded secrets, or malicious patterns. The security score reflects the inability to perform a code-level audit, not a proven vulnerability or safety concern with the described functionality itself.
Updated: 2026-01-19