Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

0
0
High Cost

mcp-simulator

by atlanssia

Sec6

Simulate Model Context Protocol (MCP) servers with dynamic configuration and AI-powered mock data generation, facilitating MCP client development, API prototyping, and integration testing.

Setup Requirements

  • ⚠️ Requires an LLM API Key (e.g., OpenAI, SiliconFlow, ModelScope) for AI-powered features, which can incur costs.
  • ⚠️ Go 1.22+ and Node.js 18+ (with npm) are prerequisites for building the application from source.
  • ⚠️ Virtual servers cannot currently be deleted via the API or Web UI, which can lead to accumulation if not managed manually in the `./data` directory.

Verified Safe
The server uses environment variables for LLM API keys (e.g., OPENAI_API_KEY) and masks them when exposed via the `/config/llm` API endpoint. However, the default `AccessLog` middleware captures full request and response bodies for most API traffic (excluding `/sse` endpoints). This poses a significant risk of logging sensitive data (e.g., API requests, AI prompts, generated mock data) if not properly secured at the operational level. Frontend uses `JSON.parse` with error handling. No `eval` or obvious malicious patterns found in the provided code.
Updated: 2025-11-27
0
0
Low Cost

mcp-maven-deps

by toms74209200

Sec9

Provides a Model Context Protocol (MCP) server for searching Maven and Gradle dependencies.

Setup Requirements

  • ⚠️ Requires Deno 2.0.0 or later.
  • ⚠️ Requires network permission (`--allow-net`) when run with Deno.
  • ⚠️ Pre-built binary usage is currently Linux-specific and requires manual installation steps.

Verified Safe
The server makes external network requests to Maven Central and Gradle Plugin Portal, which is its core functionality and requires the '--allow-net' Deno permission, explicitly stated in the README. Input parameters for the 'search_dependencies' tool are validated using Zod, mitigating potential injection risks. No 'eval' or other dynamic code execution, obfuscation, or hardcoded secrets were found in the provided source code.
Updated: 2025-12-12
0
0
Low Cost

property-MCP

by noahw345

Sec9

Connects Claude AI to real estate data via the ATTOM Data API to fetch property information for a given address.

Setup Requirements

  • ⚠️ Requires an ATTOM_API_KEY, which typically involves a paid subscription or registration with ATTOM Data Solutions.
  • ⚠️ Requires Python 3.12+ (implied by Claude Desktop configuration example).

Verified Safe
Secrets (ATTOM_API_KEY) are loaded from environment variables using python-dotenv, which is a good practice. There are no 'eval' calls or obfuscation found. Network requests use the 'requests' library with a timeout, and errors are robustly handled at the API client and tool layer, preventing raw exception leakage. The API key is sent in standard HTTP headers.
Updated: 2025-11-26
0
0
Medium Cost

solid5-geo-mcp

by GustaafS

Sec8

A geo-spatial chatbot and Model Context Protocol (MCP) server for querying Microsoft Fabric SQL databases.

Setup Requirements

  • ⚠️ Requires Anthropic API Key (Paid)
  • ⚠️ Requires Python 3.11+
  • ⚠️ Requires Microsoft Fabric SQL database configuration with geo-spatial data (specific schema expected)
  • ⚠️ Requires ODBC Driver 18 for SQL Server
  • ⚠️ Azure AD setup is required for full authentication features (Auth_Enabled=true by default)

Verified Safe
The `simple_query` tool allows execution of arbitrary SQL SELECT statements, which, despite strong safeguards (blocklisting dangerous keywords and restricting to SELECT), always carries a residual risk of injection if bypasses are discovered. All other database interactions use parameterized queries, which is a good practice. Secrets (API keys, JWT secret, Azure credentials) are externalized to environment variables. Authentication and Role-Based Access Control (RBAC) are implemented.
Updated: 2025-12-02
0
0
Medium Cost
Sec9

A multi-agent system that streamlines SpaceX rideshare payload integration by providing AI-driven tools for fit checks, hazard classification, cost estimates, document checklists, timelines, and orbital dynamics.

Setup Requirements

  • ⚠️ The `ingest.py` script must be run once to download PDF manuals and initialize the local ChromaDB vector store before the server can start.
  • ⚠️ Requires internet access during the initial ingestion phase to download PDF manuals and during operation for real-time orbital data.

Verified Safe
No 'eval' or obfuscation found. External network requests are made to known, reputable sources (Google Cloud Storage for PDFs, Celestrak for TLE data) and are specific. No obvious hardcoded secrets; `dotenv` is used, but no explicit secret environment variables are shown as required within the provided server code. Network operations include timeouts.
Updated: 2025-12-01
0
0
Medium Cost

mcp-homescan

by aplaceforallmystuff

Sec8

MCP server for local network device discovery, security scanning, and inventory management, with support for Obsidian export.

Setup Requirements

  • ⚠️ Requires Node.js 18+
  • ⚠️ Only runs on macOS or Linux (relies on the `arp` command)
  • ⚠️ Correct `HOMESCAN_SUBNET` environment variable configuration is crucial for proper network scanning

Verified Safe
The server executes local shell commands (`arp`, `ping`) for network scanning. While inputs to these commands are constructed internally and from environment variables, direct command execution carries inherent risks. There are no indications of `eval` usage, obfuscation, or hardcoded sensitive secrets. The project explicitly states no external data is sent unless the optional Shodan API key is configured. Key security considerations include ensuring a trusted execution environment and proper configuration of the `HOMESCAN_SUBNET` environment variable.
Updated: 2025-12-27
0
0
Low Cost

mcp-product-server

by jashpal2003

Sec9

Provides a Micro-Capability Protocol (MCP) endpoint for retrieving mock product usage analytics for specific customers.

Setup Requirements

  • ⚠️ Requires Node.js runtime (version 14 or higher recommended based on Express.js dependencies).

Verified Safe
The server uses Express.js and handles JSON input. It performs an object lookup based on 'customerId' from user input, which is safe in this context as it uses mock in-memory data. No 'eval' or direct command execution is observed. No hardcoded sensitive credentials. The Express.js version (4.22.1) is recent. Overall, the current implementation shows low direct security risks.
Updated: 2025-12-15
0
0
Low Cost

xcf.ai

by SuperBox64

Sec10

This repository hosts the static website for xcf.ai, an Xcode MCP Server, primarily serving as a documentation and marketing platform.

Verified Safe
The provided source code is purely client-side JavaScript for a static website. It primarily handles DOM manipulation, smooth scrolling, and copy-to-clipboard functionality. There are no server-side components, network requests (other than page load), use of 'eval', obfuscation, hardcoded secrets, or patterns indicative of malicious activity. It is highly secure for its intended purpose.
Updated: 2025-11-30
0
0
Low Cost

mcp-tutorial

by belyaerenturk

Sec10

This project serves as a basic tutorial or example for developing Minecraft Forge mods for version 1.12.2.

Setup Requirements

  • ⚠️ Requires Java Development Kit (JDK) to build and run.
  • ⚠️ Requires a Minecraft Forge 1.12.2 installation to run.
  • ⚠️ Requires Gradle for building the mod.

Verified Safe
The provided code snippet is a very basic Minecraft Forge mod template, primarily logging events. It does not contain any obvious security vulnerabilities like dynamic code execution, network interactions, or hardcoded secrets. Its simplicity suggests a high level of safety within the provided scope.
Updated: 2026-01-17
0
0
Low Cost

Provides searchable access to NativePHP documentation for AI assistants via an MCP server.

Setup Requirements

  • ⚠️ Requires Python 3.8 or higher.
  • ⚠️ Requires the absolute path to the server's Python executable and script for Claude Desktop integration.

Verified Safe
The server operates locally and communicates via stdio. It scrapes a known documentation website with a 1-second delay, indicating respectful behavior. No 'eval' or obfuscation is mentioned, and it relies on standard, well-vetted Python libraries. No external API keys or third-party services are required beyond the initial documentation source.
Updated: 2025-11-23
0
0
Low Cost

esic-mcp-courses

by callebescos

Sec3

A web server for managing educational courses, likely involving user authentication and database interaction for course content.

Setup Requirements

  • ⚠️ Requires a PostgreSQL database instance to be running and accessible.
  • ⚠️ Node.js and npm must be installed.
  • ⚠️ The hardcoded cookie secret 'your-secret-key' must be replaced with an environment variable for production use.

Review Required
CRITICAL: A hardcoded secret ('your-secret-key') is used for `cookie-parser`, making session cookies vulnerable to hijacking if the secret is exposed. While login uses parameterized queries for SQL injection prevention, this is a significant flaw. No explicit CSRF protection or comprehensive input sanitization for all routes is visible in the provided snippets, which are common web application security oversights.
Updated: 2025-12-02
0
0
Low Cost

WEB3-MCP

by MaitreyaM

Sec7

An MCP server enabling AI agents to perform Ethereum blockchain operations, including wallet management, ERC-20 token handling, DeFi swaps on Uniswap V3, and generic smart contract interactions on Sepolia or Mainnet.

Setup Requirements

  • ⚠️ Requires a valid Ethereum RPC endpoint (e.g., Infura, Alchemy) configured via `WEB3_PROVIDER_URL`, which may involve registration or paid plans for high usage.
  • ⚠️ Requires an `AGENT_PRIVATE_KEY` for a dedicated wallet, which carries inherent security risks and necessitates careful management and monitoring by the user.
  • ⚠️ Effective and safe use, especially with generic smart contract interaction, requires a solid understanding of blockchain fundamentals (addresses, gas fees, ABIs).

Verified Safe
The server loads the `AGENT_PRIVATE_KEY` from an environment variable, which is a good practice for handling sensitive data. Input validation for addresses and amounts is present. The `interact_with_contract` tool allows for generic contract function calls, including write operations, where the ABI is supplied as a string. While `json.loads` itself is not an execution vulnerability like `eval`, an untrusted or maliciously crafted ABI could lead to unintended contract interactions if the agent's calls are not carefully validated. The primary risk comes from the necessity of using an active private key for automated transactions; users must ensure it belongs to a dedicated, monitored wallet.
Updated: 2025-11-23