Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

0
0
Medium Cost
sabariaz94 icon

mcp-server-yt

by sabariaz94

Sec1

Cannot determine use case as the source code was not provided for analysis.

Setup Requirements

  • ⚠️Source code required for analysis was not provided.
  • ⚠️Functionality, dependencies, and setup steps cannot be determined without source code.
Review RequiredView Analysis
Source code was explicitly requested for analysis but not provided. Therefore, a comprehensive security audit for 'eval', obfuscation, network risks, hardcoded secrets, or malicious patterns is impossible. The score reflects an inability to verify safety, defaulting to the lowest possible due to lack of visibility. Running this software without code review is inherently risky. Without the source code, use case, tags, efficiency metrics, specific setup requirements, exact categorization, required environment variables, and the precise run command cannot be determined accurately.
Updated: 2025-11-23GitHub
0
0
Low Cost
balochshees icon

Claude-Monitor

by balochshees

Sec9

Tracks Claude API token usage and limits in real-time on macOS via a menu bar application.

Setup Requirements

  • ⚠️Requires macOS 10.15 or above.
  • ⚠️Requires a Claude OAuth token (starts with `sk-ant-oat...`); regular Claude API keys (`sk-ant-api...`) will not work.
  • ⚠️Installation involves downloading a `.dmg` file and dragging the app to the Applications folder.
Verified SafeView Analysis
The application securely stores API tokens in the macOS Keychain. It does not use `eval` or similar dangerous functions. Network communication uses HTTPS. The privacy policy explicitly states that no personal information is collected, and usage statistics are stored locally. The Sentry DSN for crash reporting is hardcoded but is not a sensitive secret and is disabled in debug builds.
Updated: 2026-01-19GitHub
0
0
Low Cost
NaetheraS icon
Sec1

This application simplifies the setup and enhancement of a Claude Code development environment by installing a pack of skills and plugins.

Setup Requirements

  • ⚠️Requires users to download and execute an installer from an external GitHub Releases page, which is not provided for security vetting.
  • ⚠️Requires a stable internet connection for download.
  • ⚠️Assumes basic user comfort with running commands in a terminal or command prompt.
Review RequiredView Analysis
The provided 'SOURCE CODE' is solely a `README.md` file (index.md) and does not contain any executable server code. Therefore, a security audit of an 'MCP Server' itself is impossible with the given information. The README describes downloading and running an installer from GitHub Releases. Running external executables (like `claude-skills-pack-installer.exe`, `.dmg`, or a script) from an unverified source carries inherent risks, as their contents are unknown and could potentially contain malicious patterns, use 'eval', or exploit system vulnerabilities. No hardcoded secrets or network risks could be identified from the documentation alone.
Updated: 2026-01-19GitHub
0
0
Medium Cost
feamster icon

paymo-mcp

by feamster

Sec9

Integrate Paymo time tracking, invoicing, and project management with Claude Desktop via Model Context Protocol.

Setup Requirements

  • ⚠️Requires Python 3.8+.
  • ⚠️Requires a Paymo account with API access, and manual generation of an API key.
  • ⚠️Requires `fastmcp` to be installed (`pip install fastmcp`).
  • ⚠️Configuration files (`~/.mcp-config/paymo/config.json` and `~/.mcp-auth/paymo/auth.json`) must be manually created and populated before first use.
Verified SafeView Analysis
The code follows good security practices by storing the API key in a separate, sensitive configuration file (`~/.mcp-auth/paymo/auth.json`) rather than hardcoding it or relying solely on a main config. It uses `yaml.safe_load` for parsing YAML input, mitigating YAML injection risks. API requests are made over HTTPS, and basic rate limiting handling with retries is implemented. Descriptions for CSV exports are cleaned of HTML tags and entities. No 'eval' or other obviously dangerous functions are used without strong justification. File system interactions are limited to config files, temporary files for YAML processing, and user-specified output directories for CSV exports, or an optional file_path for expense uploads, all within reasonable bounds for the application's functionality.
Updated: 2026-01-15GitHub
0
0
Medium Cost
openpharma-org icon

ct-gov-mcp

by openpharma-org

Sec9

This MCP server provides a unified API interface to search, suggest terms, and retrieve detailed information from ClinicalTrials.gov for clinical trial research and discovery.

Setup Requirements

  • ⚠️Requires Node.js version 18.0.0 or higher.
  • ⚠️If not using the default stdio transport, `USE_HTTP=true` or `USE_SSE=true` environment variables, along with `PORT`, must be explicitly set.
  • ⚠️The TypeScript source code must be compiled (`npm run build`) before the server can be run.
Verified SafeView Analysis
Input validation is robust for all tool parameters (e.g., NCT ID format, date ranges, numerical limits). All external API calls are directed exclusively to the official ClinicalTrials.gov API (https://clinicaltrials.gov), limiting external attack surface. No 'eval' or direct command injection vulnerabilities were found. Environment variables for configuration are loaded securely, and the server provides a warning for wide-open CORS origins ('*') in production environments. No hardcoded secrets were identified, as ClinicalTrials.gov is a public API.
Updated: 2025-12-22GitHub
0
0
Medium Cost
dgaida icon

robot_mcp

by dgaida

Sec8

Control robotic arms using natural language commands via multiple large language models and a web-based GUI.

Setup Requirements

  • ⚠️Requires Redis server running (e.g., via Docker).
  • ⚠️Requires at least one LLM API Key (OpenAI, Groq, or Gemini) or a locally running Ollama server.
  • ⚠️Relies on external GitHub repositories (`llm_client`, `robot_environment`, etc.) which are installed during setup.
Verified SafeView Analysis
The project uses environment variables (`.env` file) for sensitive API keys, which is good practice. Input validation is extensively applied using Pydantic models for all server-side tool calls, significantly mitigating risks from malformed inputs. Network communication occurs over HTTP/SSE and Redis, which can be exposed if not properly secured, but the server defaults to localhost. The system relies on external LLM APIs (OpenAI, Groq, Gemini, Ollama) and other GitHub repositories (`llm_client`, `robot_environment`, etc.); the security of these external dependencies is critical. A legacy client (`mcp_groq_client.py`) can launch the server via a `subprocess` call, which carries inherent risks if the script path were to be manipulated, though it defaults to a known project path. The recommended universal client connects to a pre-running server, avoiding this direct subprocess launch.
Updated: 2025-12-24GitHub
0
0
High Cost
pwnies-peru icon

ai-api

by pwnies-peru

Sec3

An AI-powered e-commerce sales agent that uses product search tools to assist users with queries, recommendations, and purchase guidance.

Setup Requirements

  • ⚠️Requires an AI_GATEWAY_API_KEY (for OpenAI-compatible services like Vercel AI Gateway) which likely incurs costs.
  • ⚠️Requires Docker to run Typesense and DragonflyDB instances.
  • ⚠️Requires Python 3.11 or higher.
Review RequiredView Analysis
The `docker-compose.yml` file explicitly sets the Typesense API key to 'xyz' (and this is the default in `typesense_service.py` if not overridden by an environment variable). This hardcoded default API key is a severe security vulnerability, especially if the Typesense instance is exposed externally. Additionally, the FastAPI application uses `CORSMiddleware` with `allow_origins=["*"]`, which permits cross-origin requests from any domain, posing a potential security risk in a production environment by allowing unauthorized access if not properly secured otherwise. The direct passing of AI-generated arguments to internal functions, while currently constrained by simple types, is a pattern to watch for in more complex scenarios.
Updated: 2025-11-30GitHub
0
0
Medium Cost
Swissbit92 icon

MCP_Catalog

by Swissbit92

Sec7

A local AI companion server that provides conversational chat with multiple personas, enhanced by RAG (Retrieval-Augmented Generation) using web search and MongoDB data, and featuring advanced memory management and emotional state tracking.

Setup Requirements

  • ⚠️Requires Docker to be installed and running for MCP services (Brave Search, MongoDB).
  • ⚠️Requires Ollama to be installed and running, with specified models pulled (e.g., dolphin-llama3:8b, nomic-embed-text:latest).
  • ⚠️Brave Search functionality requires a `BRAVE_API_KEY` environment variable.
  • ⚠️MongoDB integration requires a `MONGODB_URI` environment variable and an accessible MongoDB instance.
Verified SafeView Analysis
The system runs FastAPI with Ollama, Brave Search MCP (ephemeral Docker containers), and MongoDB MCP (long-running Docker container). Resource limits (memory, CPU, PIDs) are applied to spawned MCP containers, and MongoDB operations are explicitly restricted to read-only via a blacklist. CORS is configured for localhost, which is appropriate for development. CRITICAL NOTE: The `docker-compose.yml` mounts `/var/run/docker.sock` into the backend container, granting it root access to the Docker daemon. While this is a common pattern for local developer tools that manage other containers, it is a significant security risk in production or multi-tenant environments. The code attempts to mitigate risks by hardening spawned containers with limits and labels for orphan detection, but the underlying exposure of the Docker socket remains. For its stated 'local personal use' context, these mitigations are reasonable, but for broader deployment, this would need re-evaluation.
Updated: 2026-01-19GitHub
0
0
Low Cost
Sandeep850-bit icon
Sec7

A Java-based test automation framework supporting web UI testing with Playwright, data-driven testing, and optional integration with an external Model Context Protocol (MCP) server for remote execution of browser actions.

Setup Requirements

  • ⚠️Requires Java 11+ and Maven 3.6+.
  • ⚠️Playwright browsers must be installed explicitly via 'mvn exec:java -Dexec.mainClass=com.microsoft.playwright.CLI -Dexec.args="install"'.
  • ⚠️If MCP mode is enabled (`mcp.enabled=true`), an external, separately developed MCP server is required to be running and accessible at the configured `mcp.endpoint`.
  • ⚠️Test data files (`testdata.xlsx`, `testdata.properties`) need manual creation or population for data-driven tests.
Verified SafeView Analysis
The provided code is primarily a client for an external MCP server, not the server itself. While the client framework itself has no malicious patterns, hardcoded *sample* credentials (`superuser@sks`, `Welcome1`) are present for testing purposes in `AppConstant.java` and `TestConfiguration.java` which should be overridden or managed securely in production test environments. The `mcp.endpoint` is configurable (`http://localhost:8080` by default); configuring it to an untrusted or vulnerable server could lead to browser control by an attacker managing that endpoint. Users should ensure the MCP server and its configuration are trusted.
Updated: 2025-12-01GitHub
0
0
Low Cost
jeff-atriumn icon

annex-gmail-mcp

by jeff-atriumn

Sec9

Orchestrates Gmail API functionality via an MCP server for reading, drafting, and sending emails, integrated with the RAM orchestration layer.

Setup Requirements

  • ⚠️Requires manual Google Cloud Project setup, including enabling Gmail API and configuring OAuth Consent Screen.
  • ⚠️Requires a manual, browser-based OAuth 2.0 authentication flow on first run to generate a persistent token file.
  • ⚠️Requires secure storage of Google API client credentials and OAuth token files in a user-specific directory (e.g., ~/.config/ram/).
  • ⚠️The 'gmail_send' tool will execute if called; RAM (the orchestrator) is solely responsible for gating access with user approval, not this server.
Verified SafeView Analysis
The project design emphasizes a clear trust model, where RAM (the orchestration layer) is responsible for enforcing user approval for email sending, not this MCP server. Credentials are handled via OAuth2 and stored in the user's home directory outside the repository, explicitly with a .gitignore recommendation. The server does not store email content locally, reducing data exposure risk. No 'eval' or other highly dangerous patterns are mentioned or implied in the provided design/setup documentation.
Updated: 2025-12-02GitHub
0
0
Low Cost
Shubham5070 icon

MCP_SERVER

by Shubham5070

Sec8

Provides a Micro-Agent Control Plane (MCP) server to expose smart meter data, usage calculations, and billing information as callable tools.

Setup Requirements

  • ⚠️Requires 'fastmcp' and 'sqlalchemy' Python packages to be installed.
  • ⚠️Initializes and seeds a local SQLite database ('smart_meters.db') upon first run.
Verified SafeView Analysis
The application uses SQLAlchemy ORM which mitigates common SQL injection vulnerabilities. Environment variables are used for port configuration. There are no hardcoded secrets or 'eval'/'exec' patterns found in the provided code. The primary security considerations would be the underlying FastMCP framework (not provided) and potential for data exposure if not properly authenticated/authorized in a production environment, although no authentication is present in this snippet.
Updated: 2025-12-03GitHub
0
0
High Cost
arthurfantaci icon

mcp-snapshot-server

by arthurfantaci

Sec9

Transforms Zoom meeting transcripts into instant AI-powered insights or comprehensive 11-section Customer Success Snapshots.

Setup Requirements

  • ⚠️Requires Anthropic API Key (Paid Service) for Claude AI access.
  • ⚠️Requires manual creation and configuration of a Zoom Server-to-Server OAuth app with specific recording and user scopes (multi-step process involving Zoom Marketplace).
  • ⚠️Requires manual download of spaCy and NLTK data models after installation.
Verified SafeView Analysis
The server demonstrates strong security practices: uses environment variables for API keys (e.g., Anthropic, Zoom) via Pydantic settings, includes explicit input validation for VTT files and paths, implements robust error handling with retries, and outputs structured JSON logs. Data is stored temporarily in-memory with a TTL, and the project explicitly documents security best practices and PII handling. No 'eval' or malicious patterns were found. Assumes secure configuration of environment variables and Zoom OAuth application.
Updated: 2025-11-25GitHub
PreviousPage 475 of 713Next