Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

Vetted Servers (8554)

Low Cost

MCP-server

by winniehhy

Sec4

A personal finance tracker for managing income and expenses, with optional synchronization to Notion.

Setup Requirements

  • ⚠️Data persistence relies solely on a local `data.json` file; not suitable for multi-user, production, or serverless deployments without additional storage solutions.
  • ⚠️Requires separate commands to run both the backend API and the frontend application.
  • ⚠️Notion integration (for syncing entries) requires `NOTION_API_KEY` and `NOTION_DB_ID` environment variables, otherwise it will be disabled.
Verified Safe
The primary security risk is that all data is stored in a local `data.json` file, and the API has no authentication or authorization. Any client with network access to the API can read, add, or modify financial entries without credentials. While there are no obvious code injection vulnerabilities like `eval` or unsanitized database queries (as it's a JSON file), the lack of access control makes it unsuitable for multi-user environments or exposure beyond localhost. CORS is enabled, likely with default permissive settings, further opening it up.
Updated: 2025-12-02

Low Cost

ai-examples

by sumitdotgh

Sec9

A basic weather API server built with FastAPI, demonstrating a Microservice Communication Protocol (MCP) server that provides CRUD operations for weather information.

Setup Requirements

  • ⚠️Python 3.12+ required
  • ⚠️Needs 'uvicorn' to run the FastAPI server
Verified Safe
The code itself is clean and does not contain obvious malicious patterns, 'eval' calls, or hardcoded secrets. It implements a standard FastAPI application. Security relies on FastAPI's inherent protections and proper deployment practices.
Updated: 2025-11-29

Low Cost

mcp-py

by megs-p

Sec1

To provide a server implementation for the Minecraft Classic Protocol, allowing clients to connect and interact with a game world or service.

Setup Requirements

  • ⚠️Requires Python installation.
Review Required
No source code was provided for analysis beyond the README. It is impossible to conduct a security audit for 'eval', obfuscation, network risks, hardcoded secrets, or malicious patterns without the actual code. Therefore, its safety cannot be guaranteed.
Updated: 2025-11-23

Medium Cost

Provides an API for remote expense tracking and management.

Review Required
CRITICAL: No source code was provided for analysis. A comprehensive security audit could not be performed. The score of 1 reflects a complete lack of ability to verify safety and assumes maximum risk due to unknown factors. **DO NOT RUN WITHOUT MANUAL CODE REVIEW.**
Updated: 2025-11-23

Medium Cost
Sec8

Allows AI assistants to interact with the Matter read-later app, enabling listing articles, retrieving article details with highlights, and saving new articles.

Setup Requirements

  • ⚠️Relies on Matter's internal API (v11), which is reverse-engineered and undocumented, making it susceptible to breakage if Matter changes its API.
  • ⚠️Local usage requires manually obtaining `MATTER_ACCESS_TOKEN` and `MATTER_REFRESH_TOKEN` via a multi-step process involving the Matter Obsidian plugin and the Matter mobile app.
  • ⚠️Vercel deployment involves an interactive OAuth-style QR code authentication flow requiring the Matter mobile app to connect an AI assistant.
Verified Safe
The server utilizes the Model Context Protocol SDK and Zod for input validation, which are good security practices. For Vercel deployments, token handling is stateless, meaning Matter API tokens are passed via request headers after an OAuth flow, reducing server-side storage risks. However, a significant operational risk is the reliance on a reverse-engineered, undocumented internal Matter API (v11). This makes the server vulnerable to breaking changes if Matter updates its API. There are no apparent hardcoded secrets, 'eval' usage, or obfuscation within the provided source code.
Updated: 2026-01-18

Low Cost

mcp-featurestore

by slavadubrov

Sec9

This server provides a lightweight Model Context Protocol (MCP) Feature Store for storing and retrieving machine learning features, designed to integrate with Claude Desktop.

Setup Requirements

  • ⚠️Requires 'uv' for dependency management and execution.
  • ⚠️Requires Python 3.13 or newer (specified in pyproject.toml).
  • ⚠️Requires manual initialization of the local SQLite database via 'uv run python database.py'.
Verified Safe
The server uses parameterized SQL queries, preventing common SQL injection vulnerabilities. Inputs like 'vector' are explicitly validated as JSON. No 'eval' or 'exec' calls are present, and no hardcoded secrets or network-exposed critical resources are evident. The local SQLite database access is confined to the application's directory, limiting external exposure.
Updated: 2025-11-27

High Cost

financials-mcp

by openpharma-org

Sec8

A comprehensive Model Context Protocol (MCP) server that provides professional-grade access to financial and economic data through Yahoo Finance and Federal Reserve Economic Data (FRED).

Setup Requirements

  • ⚠️Requires a free FRED API Key (set as FRED_API_KEY environment variable) for most FRED data retrieval methods.
  • ⚠️Relies on unofficial Yahoo Finance web scraping, which may be prone to breakage due to website changes or bot detection.
  • ⚠️Requires Node.js version 18 or higher.
Verified Safe
The server primarily performs web scraping from Yahoo Finance and uses the FRED API. It correctly retrieves the FRED_API_KEY from environment variables, preventing hardcoding. The Yahoo Finance scraping uses a mobile User-Agent and includes built-in throttling and bot detection handling, indicating an awareness of scraping challenges, but it's an unofficial method. No 'eval' or other directly exploitable malicious patterns were found. Network requests are to legitimate financial data sources.
Updated: 2025-12-22

Medium Cost

stoic-mcp

by timothywarner-org

Sec8

An MCP server for Claude Desktop that provides access to a curated collection of wisdom quotes from Stoic philosophers and modern personal development authors, offering quote management, discovery, and AI-powered explanations and generation.

Setup Requirements

  • ⚠️Requires Claude Desktop for MCP integration.
  • ⚠️Requires a DeepSeek API key (paid service) for AI-powered features (explanations and quote generation).
  • ⚠️The full path to `dist/index.js` must be manually configured in Claude Desktop's `claude_desktop_config.json`, which can be platform-specific and error-prone.
Verified Safe
The server uses `StdioServerTransport` for communication, which is safer than direct network exposure. AI API key (`DEEPSEEK_API_KEY`) is retrieved from environment variables, which is good practice. Tool arguments are type-cast and processed in a controlled switch statement, reducing direct code execution risks. The `import-quotes.ts` utility takes a filename from process arguments, but uses `path.join` with a fixed base directory (`quotes-source/`), which mitigates simple path traversal attacks to write arbitrary files outside the intended directory. AI prompts are constructed with user content, which is sent to an external API but not executed locally, presenting a minor prompt injection vector at the DeepSeek API level.
Updated: 2025-11-19

Low Cost

mcp_server_example01

by aaronjnichols

Sec10

Performs addition of two numbers and generates a text summary, a PNG bar chart visualization, and a CSV file of the result. Designed to be consumed by a client (e.g., an AI agent).

Setup Requirements

  • ⚠️Requires `matplotlib` for plotting, which might need system-level dependencies depending on the environment (though pre-built wheels are common).
  • ⚠️Requires the `FastMCP` library to be installed.
Verified Safe
The source code in `src/mcp_test.py` does not contain any obvious security vulnerabilities such as direct use of `eval()` or `exec()` with untrusted input, arbitrary file system writes, or hardcoded secrets. It relies on standard and generally secure Python libraries for its functionality (matplotlib, csv, base64). Network communication and server handling are delegated to the `FastMCP` framework, which is built on `uvicorn`, a robust ASGI server.
Updated: 2025-11-22

Medium Cost

foundation-project-mcp

by victormasson21

Sec8

An MCP server enabling AI assistants to securely read unread emails, draft replies in Gmail, and access email writing style guides from Notion.

Setup Requirements

  • ⚠️Requires Google Cloud Console setup for Gmail API Client ID and Secret.
  • ⚠️Manual OAuth authentication process involving opening a URL in a browser and approving access.
  • ⚠️Optional Notion integration requires creating a Notion integration, a style guide page, and granting access.
  • ⚠️The `.env.local` file must be manually created and populated, and never committed to version control.
Verified Safe
The server uses OAuth 2.0 for Gmail access with `gmail.readonly` and `gmail.compose` scopes, which are sensitive. It explicitly warns against committing `.env.local` containing credentials and saves tokens securely. Email headers are sanitized to prevent injection attacks. OAuth token generation involves a temporary local web server, which is a standard secure practice. Overall, good security practices are implemented for its intended functionality.
Updated: 2025-12-07

Low Cost

Provides policy enforcement for AI agent tool calls using the APort platform for authorization and audit trails.

Setup Requirements

  • ⚠️Requires an APort Agent Passport, which needs to be registered via the APort API (aport.io) using a curl command.
  • ⚠️Depends on the external APort service (api.aport.io) for real-time policy verification.
  • ⚠️Requires Node.js and npm to run the server, with client examples also available in Python.
Verified Safe
The server is built using the Model Context Protocol (MCP) SDK and APort SDK for policy enforcement. It does not contain 'eval' or other directly exploitable patterns. Configuration values are sourced from environment variables, preventing hardcoded secrets. The 'Simple Mode' explicitly noted in the README implies a lesser security posture than an upcoming 'Secure Mode', but this is transparent. Calls to the external APort service are central to its function and introduce a dependency on that service's security.
Updated: 2026-01-15

Medium Cost

mcp-js-debugger

by johngrimes

Sec2

Enables AI assistants to debug JavaScript and TypeScript applications by exposing Chrome DevTools Protocol capabilities.

Setup Requirements

  • ⚠️Requires Node.js 18.0.0 or later.
  • ⚠️Requires a CDP-compatible debug target (e.g., Node.js with --inspect, Chrome, Edge) to be running and exposed via WebSocket URL.
Review Required
The server allows connecting to arbitrary WebSocket URLs via `connect_debugger` and fetching source maps from arbitrary URLs. This presents a severe Server-Side Request Forgery (SSRF) vulnerability, allowing an AI to potentially probe or interact with internal network resources from the host running the MCP server. While the evaluation of expressions is an inherent function of a debugger, the uncontrolled network access for connection and resource fetching is a critical flaw. The design document mentions mitigation strategies (URL validation, allowlists), but these are not implemented in the provided source code.
Updated: 2025-11-24