Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Medium Cost

mcp-local-server

by ashok9315-cmyk

Sec8

A Model Context Protocol (MCP) server that provides real-time weather data, basic mathematical calculations, and mock alert details to AI agents.

Setup Requirements

  • ⚠️ Requires Node.js and npm to be installed locally.

Verified Safe
The server uses external APIs for weather and a mock API for alerts. The mock API call uses an HTTP (non-HTTPS) endpoint, which can be a minor risk for data in transit if sensitive information were exchanged. The `id` parameter is directly interpolated into the URL path for the mock API, but standard `fetch` behavior and the nature of an ID parameter typically mitigate direct injection risks for this specific use case. No `eval` or obvious malicious patterns found.
Updated: 2025-12-03

Medium Cost

Implements a multi-agent customer service system using Google's Agent-to-Agent (A2A) protocol and Model Context Protocol (MCP) for coordinating specialized AI agents to handle customer queries and manage data.

Setup Requirements

  • ⚠️ Requires a Google AI API Key or Google Cloud Project with Vertex AI enabled (paid service/account required).
  • ⚠️ The MCP Server must be manually started in a separate terminal via `python mcp_server_standalone.py` before running the main agent system.
  • ⚠️ Requires Python 3.11+.

Verified Safe
The system primarily operates locally, reducing external network exposure. Database interactions via MCP tools utilize parameterized SQL queries, effectively preventing SQL injection. Customer data updates are filtered to a whitelist of allowed fields. The main risk involves the LLM generating malicious tool calls, but the tools themselves implement safeguards.
Updated: 2025-12-01

Low Cost

Facilitates real-time interaction between Power BI Desktop and Claude Desktop (AI assistant) by providing a Microsoft Cognitive Platform (MCP) server.

Setup Requirements

  • ⚠️ Requires Claude Desktop to be installed and launched at least once.
  • ⚠️ Requires Power BI Desktop to be running with a .pbix file loaded.
  • ⚠️ Installation is via a proprietary `.mcpb` package; the actual server code is not open source or provided for review.

Review Required
CRITICAL: The full source code for the MCP server was not provided for analysis; only the README.md was available. The project relies on installing an opaque `.mcpb` package, which is a significant security risk as its contents cannot be audited for malicious code, vulnerabilities, or data exfiltration. The server is community-developed and explicitly not affiliated with Microsoft, requiring a high level of trust in the developer for code that operates within sensitive Power BI and Claude Desktop environments.
Updated: 2025-11-25

Medium Cost

svikmcp

by juehang

Sec9

This server provides a lightweight Model-Context-Protocol (MCP) interface for the Vikunja task management API, enabling other MCP-compatible agents or services to interact with Vikunja projects and tasks.

Setup Requirements

  • ⚠️ Requires Python 3.11 or higher.
  • ⚠️ Requires a running Vikunja instance accessible via a URL.
  • ⚠️ Requires a valid Vikunja API key for authentication, which must be provided as a command-line argument.

Verified Safe
The server uses `httpx` for making API requests, which is a modern, secure HTTP client. API keys and server URLs are passed as command-line arguments, preventing them from being hardcoded. Data serialization is handled by `toon-format`, which is a structured data format, not prone to arbitrary code execution like `pickle`. The code does not contain `eval`, obfuscation, or other immediately apparent malicious patterns. It correctly uses `Authorization: Bearer` headers for authentication. Overall, the security practices in the provided code snippets appear sound.
Updated: 2025-12-12

Low Cost

git-multidolt-mcp

by PieterPrespective

Sec7

A C# Model Context Protocol (MCP) server that bridges MCP requests to the Unity Editor via TCP connection, enabling tool execution and state retrieval for development workflows. It is also an example component within a broader Dolt Multi-Database MCP Server (DMMS) project, which integrates version-controlled knowledge bases.

Setup Requirements

  • ⚠️ Requires .NET 9.0 SDK to build and run locally, which might not be widely installed.
  • ⚠️ Requires Unity Editor with the UMCP Unity3D Client running on specific TCP ports (default 6400, 6401) for the server to function.
  • ⚠️ If running in Docker, configuring network connectivity to Unity running on the host machine can be complex and may require specific settings like `host.docker.internal` or `network_mode: host` depending on the OS and Docker setup.

Verified Safe
The use of `network_mode: host` in `docker-compose.yml` for development simplifies setup but poses a significant security risk in production by exposing all host network interfaces to the container. The long `CONNECTION_TIMEOUT` (24 hours) could allow stale or prolonged connections. However, environment variables are used for configuration, which is a good practice, and volume mounts for `TestResults` and `UnityProject` are set to `read_only: true`, mitigating some file access risks. No obvious malicious patterns or hardcoded secrets were found.
Updated: 2026-01-18

Low Cost

docs

by chiisen

Sec9

This repository serves as a Hexo blog for sharing technical articles and documentation, particularly focusing on Model Context Protocol (MCP) servers, AI tools, and various software development patterns.

Setup Requirements

  • ⚠️ Requires Node.js (v10.9.0+ specified, v20.11.0+ recommended in docs) and Yarn/npm for dependencies.
  • ⚠️ Requires Hexo CLI to be installed globally (`npm install hexo-cli -g`).
  • ⚠️ Requires careful configuration of `_config.yml` (Hexo root) and `themes/next/_config.yml` (theme) files, potentially using Hexo's data-files feature for easier updates.

Verified Safe
This repository is a static site generator (Hexo blog) and does not directly function as an MCP server. The code for the Hexo theme and associated scripts (JavaScript, Nunjucks) appears standard and does not contain obvious malicious patterns like 'eval' or direct system calls for arbitrary code execution. Third-party animation libraries and search integrations are well-known. The blog posts themselves document how to set up external MCP servers (e.g., UnityMcpServer, n8n, Context7) using Python or specific AI tools. Users should exercise caution and independently vet any external software or instructions provided in the blog content before execution.
Updated: 2026-01-14

Low Cost

mcp-demo

by ngu-wq

Sec10

Demonstrates an MCP (Minecraft Protocol) server implementation.

Verified Safe
Only README.md content was provided as source code for analysis. No executable code was available to check for 'eval', obfuscation, network risks, hardcoded secrets, or malicious patterns. The security score reflects the absence of identified risks within the provided README, not a comprehensive audit of an actual codebase.
Updated: 2025-11-28

Medium Cost
Sec9

Provides an MCP server for querying Census American Community Survey (ACS) data, supporting geographic lookups, data discovery, and percentile-based rankings.

Setup Requirements

  • ⚠️ Requires Node.js 24+ (LTS).
  • ⚠️ Requires pre-generated DuckDB databases (68GB and 75GB) from the `census_acs_duckdb_importer` project, demanding significant disk space.
  • ⚠️ Requires creating a symlink to the database directory (e.g., `ln -s /path/to/census_acs_duckdb_importer/output db`).

Verified Safe
The server uses parameterized SQL queries via DuckDB, which helps prevent SQL injection vulnerabilities. Database connections are set to READ_ONLY mode, reducing the risk of data modification. No 'eval' or obvious obfuscation found. Environment variables are used for configuration, avoiding hardcoded secrets. JSON parsing of `labels_data` from pre-processed database content is assumed safe given its source.
Updated: 2026-01-19

High Cost

MCP-Server

by LautaroMartVillalba

Sec3

A Spring Boot REST API for hotel, room, reservation, customer, and address management, designed to be integrated with AI orchestration.

Setup Requirements

  • ⚠️ Java 17+ required
  • ⚠️ Maven required
  • ⚠️ PostgreSQL database required (or adapt `application.yml`)
  • ⚠️ Full functionality as an MCP server implies integration with an external LLM (e.g., OpenAI, Anthropic) configured via Spring AI.

Verified Safe
The `SecurityConfig` (src/main/java/ar/mcp/server/config/SecurityConfig.java) explicitly disables CSRF protection, allows all origins for CORS, and sets all `/api/**`, `/mcp/**`, and `/sse/**` endpoints to `permitAll()` (no authentication/authorization). JWT authentication is marked as a TODO. This configuration is highly insecure for production deployment but is common for initial development. The `application.yml` contains default local database credentials (hotelms/hotelms) which are not suitable for production.
Updated: 2025-11-26

Medium Cost

kanbanflow-mcp-server

by graphyte-labs

Sec9

Provides a Model Context Protocol (MCP) interface for read-only access to KanbanFlow boards and tasks.

Setup Requirements

  • ⚠️ Requires a KanbanFlow API Key (KANBANFLOW_API_KEY) to function.
  • ⚠️ Requires Deno runtime to be installed.
  • ⚠️ Authentication (MCP_SERVER_AUTH_TOKEN) is optional and disabled if the environment variable is not set, posing a security risk if deployed publicly without configuration.

Verified Safe
The server uses environment variables for sensitive API keys and authentication tokens, preventing hardcoding. It implements optional bearer token authentication for the MCP endpoint. Input validation for tools is performed using Zod schemas. Deno's explicit `--allow-net` and `--allow-env` permissions are used, which are necessary but broad for server operation. No 'eval' or similar dangerous patterns were found. Error handling is present to avoid leaking internal details.
Updated: 2026-01-19

Low Cost

syncaida-mcp-server

by BruceTrevarthen

Sec9

Provides an MCP server to connect AI clients like Claude Code to Syncaida workspace features, enabling AI-powered whiteboard, diagram, task, and workboard management.

Setup Requirements

  • ⚠️ Requires Node.js 18 or higher.
  • ⚠️ Requires a Syncaida API token, which must be generated in the Syncaida web application (Users & Security > API Tokens).
  • ⚠️ Requires an AI client compatible with the Model Context Protocol (MCP), such as Claude Code, configured to use this server.

Verified Safe
The source code is transparent, does not use 'eval' or other obfuscation techniques. API tokens are securely loaded from environment variables or a user-specific configuration file, not hardcoded. Network calls are outbound to a well-defined Syncaida API endpoint with standard bearer token authentication. Tool inputs are schema-validated, reducing risk of arbitrary injection. The primary security considerations involve the security of the Syncaida API itself and the user's handling of their API token.
Updated: 2025-11-26

Medium Cost

supplyscan-mcp

by seanhalberthal

Sec9

A security scanner for JavaScript ecosystem lockfiles, detecting supply chain compromises and known vulnerabilities.

Setup Requirements

  • ⚠️ Requires Go 1.23+.
  • ⚠️ For 'go install' method, requires $GOPATH/bin to be in system PATH.
  • ⚠️ GitHub API rate limits may be encountered during IOC database refreshes without a GITHUB_TOKEN, impacting performance and potentially causing fetch failures.

Verified Safe
The server is built in Go, inherently making it immune to typical JavaScript supply chain attacks. It fetches Indicators of Compromise (IOC) from reputable public sources (DataDog, GitHub Advisory Database) and integrates with the npm audit API. There are no indications of 'eval' usage, code obfuscation, or hardcoded sensitive secrets within the provided source. Network calls are made to known security-related APIs and public data sources. File system operations are confined to reading lockfiles and managing a local cache. The custom JSONC parser includes robust handling for comments and strings, preventing misinterpretation of code or data. The dependency on an optional GitHub token for higher API rate limits is appropriately handled.
Updated: 2026-01-08