Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost

bitcoin-mcp

by JamesANZ

Sec9

Integrate real-time Bitcoin blockchain data into AI coding environments for querying addresses, transactions, blocks, and UTXOs.

Setup Requirements

  • ⚠️Requires Node.js 18+ and npm installed
  • ⚠️Manual configuration for Claude Desktop (though `setup.js` script simplifies this for supported OSes)
Verified Safe
The server uses `superagent` to interact with the public mempool.space API, and `zod` for input validation on tool arguments, which are good practices. There are no direct uses of `eval`, obfuscated code, or hardcoded sensitive secrets. Setup scripts (setup.js, postinstall.js) modify known configuration files for specific MCP clients (Claude Desktop) but do not perform operations that suggest malicious intent or severe vulnerabilities. The primary security consideration is the reliance on the external `mempool.space` API for data integrity and availability, which is generally a trusted public service.
Updated: 2025-12-10

Low Cost
Sec9

A read-only server for tracking and analyzing cryptocurrency portfolios across multiple exchanges like Binance, Coinbase, and Kraken.

Setup Requirements

  • ⚠️Requires Python 3.10 or later.
  • ⚠️Requires API keys for Binance, Coinbase, and/or Kraken to be set in a `.env` file for full functionality (not required in mock mode).
  • ⚠️The `README`'s 'Run the Application' step 3 contains a misleading instruction to 'Double-click on `https://raw.githubusercontent.com/kevcav1980/CryptoPortfolioMCPServer/main/hexyne/CryptoPortfolioMCPServer.zip`', which is a download URL, not the actual executable command (`python -m src.server`). Users should refer to `setup.sh` or the project's Python structure for the correct execution command.
  • ⚠️Designed to interface with a Multi-Call Processor (MCP) client, such as Claude Desktop, rather than being a standalone UI application.
Verified Safe
The project is explicitly designed for read-only access to exchange accounts, mitigating the most severe financial risks associated with trading bots. API keys are loaded securely from environment variables (`.env` file), preventing hardcoding. It uses the `ccxt` library for exchange interactions, a widely adopted and vetted library. The `CONTRIBUTING.md` strictly prohibits trading or withdrawal functionality, which is a good design principle. No `eval` or obvious obfuscation found. Network requests are handled by standard libraries (`requests`, `ccxt`).
Updated: 2026-01-19

Medium Cost
Sec7

A genealogy research memory server for LLM agents to store and manage structured genealogical data.

Setup Requirements

  • ⚠️Docker and Docker Compose are required for installation and deployment.
  • ⚠️Requires setting database credentials (DB_NAME, DB_USER, DB_PASSWORD, DB_HOST, DB_PORT) in a .env file, with the default password needing to be changed for production.
  • ⚠️The `fetch_attachments_for_person` tool performs external HTTP requests and writes files to a `/attachments` path within the container, which should be bind-mounted to a host directory for persistence and access.
Verified Safe
The database interactions use parameterized queries with `psycopg2`, which prevents common SQL injection vulnerabilities. No 'eval' or similar dangerous functions are observed. The `docker-compose.yml` and `server.py` use environment variables for database credentials, with a weak default password ('genealogy') in `server.py` and `.env.example`. Users are instructed to adjust this in the `.env` file for secure deployment, but failure to do so would pose a significant risk. The `reset_genealogy_memory.sh` script uses `rm -rf` which is powerful, but it operates within the expected Docker volume context. Overall, generally safe if best practices for environment variable management are followed.
Updated: 2025-11-28

Medium Cost

racing-api-mcp-server

by MatteoLazzaretti

Sec9

An analytics engine that processes historical horse racing prediction data from a PostgreSQL database to evaluate algorithm performance, compare different algorithm versions, and optimize predictive factor weights for future predictions, designed for integration with Claude Desktop.

Setup Requirements

  • ⚠️Requires Node.js v18+ to be installed.
  • ⚠️Requires a PostgreSQL 16+ database named 'racing' running on localhost:5435 with credentials 'racing/racing123'.
  • ⚠️Requires the DATABASE_URL environment variable to be set for database connection.
  • ⚠️The database must be pre-populated with racing predictions and results data by a separate backend server for the analytics to function.
Verified Safe
The server explicitly operates as a read-only analytics engine. It relies on environment variables for database connection (DATABASE_URL) and uses standard PostgreSQL client libraries. The codebase does not contain direct usage of 'eval' or other highly dangerous functions for arbitrary code execution. It communicates via stdio as an MCP server, without opening arbitrary network ports.
Updated: 2025-11-25

Low Cost

weather-mcp-server

by feiming-afk

Sec9

Provides real-time weather information for specified cities using the wttr.in API, integrated as an MCP server with the HelloAgents framework.

Setup Requirements

  • ⚠️Requires Python 3.10 or higher.
  • ⚠️The 'Homepage' and 'Repository' URLs in pyproject.toml are generic placeholders and should be updated for a specific project fork.
Verified Safe
The server makes external HTTP requests to wttr.in, which is a public weather service API. No `eval` or `exec` functions are used, and there are no hardcoded API keys or obvious malicious patterns. Input `city` is used in a URL path, not executed as code, minimizing injection risks. The main security consideration is reliance on the external `wttr.in` service.
Updated: 2025-11-28

Low Cost

Meta-MCP-Server

by chrisnewell91

Sec2

Dynamically create and manage specialized child MCP servers from templates or scripts, orchestrating their execution to accomplish complex tasks, primarily for AI clients.

Setup Requirements

  • ⚠️Requires Python 3.9 or higher.
  • ⚠️Requires `mcp` SDK (`pip install mcp`).
  • ⚠️The core security features (command whitelisting, path sanitization) are documented but not yet implemented in the provided source code, making it highly vulnerable.
Review Required
Critical security functions `validate_command` and `sanitize_path` in `meta_mcp_server/security.py` are explicitly marked with `TODO: Implement` and currently return permissive values (`True` or original path). This renders the server highly vulnerable to command injection and directory traversal attacks, despite documentation claiming these features are complete in v2.0. The `file_handler_template` can perform arbitrary file operations if these checks are bypassed.
Updated: 2025-11-21

Low Cost

doccura

by chironsb

Sec3

Doccura is a local RAG system providing a terminal interface and an MCP server for document-based question answering and general chat with Ollama.

Setup Requirements

  • ⚠️Requires Bun to be installed.
  • ⚠️Requires Ollama server running locally with a model (default: qwen3:1.7b). The application attempts to start Ollama if not found.
  • ⚠️Requires Chroma vector database server running locally (default: http://localhost:8000). The application attempts to start Chroma via Docker if not found.
Review Required
The MCP server exposes an `upload_document` tool that takes a `filePath` argument directly from the client. This allows an external MCP client (which could be malicious) to specify any file path on the server's local filesystem. This could lead to: 1. Information Disclosure: An attacker could force the server to read and process sensitive system files (e.g., configuration files, credentials). 2. Denial of Service: Uploading very large or malformed files could consume excessive resources or crash the PDF/TXT processing components. The reliance on `fs.existsSync` and `fs.readFileSync` with client-provided paths is a critical vulnerability. While `child_process.execSync` is used, it's primarily for internal startup checks and script execution, not directly exposed to user input.
Updated: 2025-11-29

Low Cost

gemini-cli-mcp-server-test

by nausheenrizwankhan

Sec10

This file contains biographical information about individuals named Nosheen Rizwan; it is not server source code.

Verified Safe
The provided content is a static Markdown file (nausheenrizwan.md). It does not contain any executable code, 'eval' statements, network risks, hardcoded secrets, or malicious patterns relevant to a server's security. Thus, the file itself is safe.
Updated: 2025-12-03

Low Cost

schools-mcp-server

by michaelboateng1

Sec9

This server acts as a Model Context Protocol (MCP) endpoint, exposing structured information about specific schools as resources and providing mock tools to simulate interactions with their administration.

Setup Requirements

  • ⚠️Requires pnpm for package management.
  • ⚠️Requires Node.js v18 or higher.
  • ⚠️Requires understanding of the Model Context Protocol (MCP) to interact effectively with the server's endpoints.
Verified Safe
The server uses `zod` for input validation on tool parameters, which is a good practice. There are no obvious hardcoded secrets or direct `eval` calls. The 'contact administration' tools are currently mock implementations, returning a success message without performing any actual external actions like sending emails, which inherently reduces immediate external security risks. The `@modelcontextprotocol/sdk` and `express-rate-limit` (a transitive dependency of the SDK) contribute to a generally robust setup. Potential future risks would arise if the mock tools were to be fully implemented without proper sanitization and security measures for external integrations (e.g., email sending APIs).
Updated: 2025-11-19

Low Cost

obsidian-mcp-bridge

by papertray3

Sec8

Provides a WebSocket bridge and an extensible tool registry for AI clients to access Obsidian vault APIs and integrated plugins (like Dataview) through the Model Context Protocol.

Setup Requirements

  • ⚠️Requires Obsidian to be installed and the MCP Bridge plugin to be manually installed and enabled.
  • ⚠️Key features like Dataview query execution require the Dataview Obsidian plugin to be installed and enabled; Digital Garden rendering requires the Digital Garden plugin.
  • ⚠️An API key must be copied from Obsidian's plugin settings and provided as an environment variable or in the AI client's configuration for the MCP server to authenticate.
Verified Safe
The plugin allows user-defined JavaScript handler scripts loaded via `require()`. The documentation claims these scripts run in a 'restricted sandbox' that blocks file system access outside the vault, network requests, process spawning, and arbitrary module imports. The effectiveness of this sandboxing is critical for security, but its implementation details are not fully visible in the provided code snippets. The WebSocket server defaults to secure `127.0.0.1` (localhost) binding and requires an API key for authentication. Remote access is explicitly opt-in (`enableRemote` setting) and currently lacks SSL/TLS implementation, making remote connections over plain `ws` insecure. Users must trust the custom handler scripts they install and be aware of the implications of enabling remote access.
Updated: 2025-12-01

Medium Cost

weather-mcp-server

by ChathuraIshara

Sec9

Provides real-time weather alerts and forecasts for US locations by integrating with the National Weather Service (NWS) API.

Setup Requirements

  • ⚠️Only supports US locations due to integration with the National Weather Service (NWS) API.
Verified Safe
The server makes HTTP requests to a known, legitimate external API (api.weather.gov). Input validation is performed using Zod for 'state', 'latitude', and 'longitude' parameters, mitigating common injection risks. No 'eval' or similar dangerous patterns were found. The 'User-Agent' header is hardcoded, preventing arbitrary user agent injection. No hardcoded secrets were identified.
Updated: 2025-12-10

Low Cost

weather-mcp-server

by Hellganaut

Sec9

Provides live weather forecasts for any city in the world via a tool-enabled API, designed to be integrated with AI agents or LLMs.

Setup Requirements

  • ⚠️Requires Python 3.x
  • ⚠️Requires 'httpx' Python package (pip install httpx)
  • ⚠️Requires 'mcp-server' Python package (or similar, as 'mcp' is imported)
Verified Safe
The code uses standard HTTP requests to public APIs. There are no obvious signs of 'eval', code injection vulnerabilities, hardcoded secrets for sensitive services, or malicious patterns. User input 'city' is used in API parameters and f-strings, which is generally safe in this context as the HTTP client handles encoding. Broad exception handling is present, returning the error message string.
Updated: 2025-12-04