Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost

mcpinabox

by gkerensky

Sec9

Builds a Model Context Protocol (MCP) server to expose weather data as tools for AI models like OpenAI's Responses API.

Setup Requirements

  • ⚠️Requires Node.js v18 or higher.
  • ⚠️Requires ngrok for tunneling the local server to a public URL, necessary for integration with external APIs like OpenAI.
  • ⚠️Requires an OpenAI API Key for testing with OpenAI's Responses API, which may incur costs.
  • ⚠️The enhanced version (server-enhanced.js) optionally requires an OpenWeatherMap API Key to fetch real weather data, otherwise, it uses mock data.
Verified Safe
The server uses `zod` for input schema validation, which is a good practice for security. Environment variables (`process.env.PORT`, `process.env.OPENWEATHER_API_KEY`) are used for configuration. CORS is set to allow all origins (`*`), which is acceptable for a tutorial/lab but might require stricter configuration for production. No 'eval' or other directly dangerous patterns are observed.
Updated: 2025-12-10

Low Cost

Reproduce and debug a specific 'Error in message stream' bug in ChatGPT's HTTP MCP message streaming pipeline using a minimal server.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️Requires ngrok for public exposure to ChatGPT.
  • ⚠️The `uvicorn.run` command specifies `ops.mcp.slim_server:app`, which requires the file to be correctly placed within a Python package structure (e.g., in `ops/mcp/slim_server.py`) relative to the execution context, or the path adjusted.
  • ⚠️Requires `fastapi-mcp`, `FastAPI`, `uvicorn`, and `pydantic` Python packages.
Verified Safe
The server uses a wide-open CORS policy (`allow_origins=["*"]`), which is a security risk for general production applications. However, in the context of a minimal bug reproduction server, often exposed via temporary tunnels like ngrok, this is a common and sometimes necessary configuration to ensure connectivity and is not indicative of malicious intent or a fundamental flaw in the minimal code itself. No 'eval' or other dangerous patterns found. No hardcoded secrets.
Updated: 2025-11-19

Low Cost
Sec3

This server acts as an MCP interface for the 'nctl' command-line tool, exposing its functionality to allow external clients to query application statistics, retrieve logs, and list application resources.

Setup Requirements

  • ⚠️Requires 'nctl' CLI tool to be installed and configured on the host system where the MCP server runs.
  • ⚠️Requires a Ruby environment (e.g., Ruby 3.x) to be installed.
  • ⚠️Requires the `mcp` Ruby gem to be installed (`gem install mcp`).
Review Required
The server directly interpolates user-provided string inputs (`project`, `app`) into shell commands executed via `nctl`. While `input_schema` provides basic type validation, it does not sanitize or escape malicious characters within string inputs. This creates a significant risk of command injection if a malicious string (e.g., `myproject; rm -rf /`) is passed as `project` or `app` to the `GetAppsStatsTool` or `GetAppLogsTool`.
Updated: 2025-11-20

Low Cost

mcp_server_template

by nickweedon

Sec9

A template for building Model Context Protocol (MCP) servers, providing a robust foundation with best practices, Docker support, and example API implementations for AI agent integration.

Setup Requirements

  • ⚠️Python 3.10 or higher is required.
  • ⚠️Requires API credentials (API_KEY) configured in a .env file for integration with a real backend; otherwise, mock data is used for the example API.
  • ⚠️While optional for local development, Docker is highly recommended for containerized deployment and consistent development environments via Dev Containers.
Verified Safe
Uses environment variables for API keys, following best practices. No obvious hardcoded secrets, 'eval' usage, or malicious patterns found in the provided code snippets. The recommended 'mcp-mapped-resource-lib' for handling large files explicitly mentions security features like path traversal prevention and MIME validation. The client module loads .env files from standard locations, including the user's home directory, which is a common pattern but requires users to manage their local environment files carefully.
Updated: 2025-12-25

Medium Cost

Buxfer-MCP-Server

by vic7ord1st

Sec8

Manages Buxfer financial transactions and accounts, enabling users to add transactions, list accounts with balances, and query transaction history via natural language.

Setup Requirements

  • ⚠️Requires Docker to be installed and running.
  • ⚠️Requires a Buxfer API token, obtained by a manual POST request with email and password.
  • ⚠️Requires the Claude Desktop application for integration.
Verified Safe
The server retrieves the Buxfer API token from an environment variable, preventing hardcoding. It runs in an isolated Docker container, uses HTTPS for all Buxfer API communications, and logs no sensitive data. The token is passed as a query parameter as per Buxfer's API design, which is generally less secure than a header but is an external API constraint rather than an internal flaw.
Updated: 2025-11-24

Medium Cost

netlist-mcp

by valentinozegna

Sec8

Serves EDA netlist data to AI/ML coding assistants for circuit analysis and connectivity tracing.

Setup Requirements

  • ⚠️Requires 'curl' or 'wget' to be installed on the system for the initial installation script to function.
  • ⚠️Requires manual configuration within specific AI coding assistants (e.g., Claude, VS Code, Cursor) by adding a JSON snippet to a configuration file.
  • ⚠️User must open a new terminal or manually source their shell's RC file after installation for the 'netlist-mcp' command to be available in their PATH.
Verified Safe
The installation script downloads and executes a binary from GitHub releases via 'curl | bash', which carries inherent risks if the remote source or release assets are compromised. Checksum verification is utilized, but the checksums are also sourced from the same GitHub release. No 'eval' commands, obfuscation, or hardcoded secrets were found within the provided 'install.sh' script. The script modifies the user's PATH variable, which is standard for CLI tool installations.
Updated: 2026-01-16

Low Cost

Centralized execution of Junos CLI commands on routers via an MCP server hosted on a Linux bastion.

Setup Requirements

  • ⚠️Requires Python 3.11 specifically.
  • ⚠️Requires `git`, `curl`, and `jq` to be installed on the bastion host.
  • ⚠️The `MCP_SESSION` environment variable must be manually set and re-set every time the MCP server (`jmcp.py`) is restarted.
  • ⚠️The `jmcp_cli` helper function is hardcoded to interact with a single router (`vmx101`) and requires manual modification to support multiple Junos devices.
Verified Safe
The server, by default, runs without authentication (`.tokens` file missing), making it 'open to all clients' on `127.0.0.1:30030`. While bound locally, this is a risk if other processes on the bastion are compromised or if the binding is changed to `0.0.0.0` without tokens. The `devices.json` example includes a hardcoded password (`junos123`), which, if not replaced, poses a significant security vulnerability. The `jmcp_token_manager.py` script is provided to configure tokens for enhanced security.
Updated: 2025-12-03

Low Cost

mcp-gateway

by abboahene

Sec3

Aggregates multiple Model Context Protocol (MCP) servers into a single endpoint for clients like Claude Desktop or VS Code.

Setup Requirements

  • ⚠️Requires Node.js 18+ to run the CLI and server.
  • ⚠️Relies on a user-editable configuration file (`~/.mcp-gateway/config.json`) where malicious entries could lead to Remote Code Execution (RCE) if the file is compromised.
  • ⚠️Requires manual configuration in client applications (e.g., Claude Desktop, VS Code) to point to the gateway, and each proxied MCP server will have its own setup requirements, dependencies, and potential API key costs.
Review Required
The core functionality of the MCP Gateway involves executing user-defined commands and arguments for each configured MCP server using `child_process.spawn`. These commands are sourced directly from the `~/.mcp-gateway/config.json` file, which is user-editable. If this configuration file is compromised or a malicious entry is injected (e.g., through a malicious marketplace server listed in the desktop app, or by direct file modification), it could lead to arbitrary code execution (RCE) on the host system. Environment variables specified in the config are also passed directly to these spawned child processes, posing a risk of credential exfiltration if a malicious command is executed. While the user explicitly configures these commands, the gateway itself does not provide sandboxing for them, making configuration integrity critical. The README correctly advises securing the config file permissions (e.g., `chmod 600`).
Updated: 2025-11-23

Medium Cost

che-ical-mcp

by kiki830621

Sec9

Manage macOS Calendar events and Reminders tasks for AI agents through 20 specialized tools, including batch operations, search, and conflict detection.

Setup Requirements

  • ⚠️Requires macOS 13.0+.
  • ⚠️Requires explicit macOS permissions for Calendar and Reminders access, which will be prompted on first use.
  • ⚠️Installation to cloud-synced folders (Dropbox, iCloud, OneDrive) is discouraged due to potential MCP connection timeouts from file sync operations.
Verified Safe
The server operates locally using Apple's native EventKit framework. The `PRIVACY.md` explicitly states that 'No data is stored outside of macOS EventKit', 'No data is transmitted to external servers or cloud services', and 'No network connections are made by this server'. Communication happens locally via `StdioTransport`. The code itself does not contain `eval` or similar dangerous patterns, nor does it appear to have hardcoded secrets. It requires explicit macOS permissions for Calendar and Reminders access, which is necessary for its functionality. The primary security risk is granting access to potentially sensitive local calendar/reminder data to an AI agent if the user is not aware of the permissions or the AI's capabilities.
Updated: 2026-01-19

Low Cost

Tracks Amazon Q sessions, preserves context, monitors progress toward goals, and provides crash recovery capabilities for development workflows.

Setup Requirements

  • ⚠️Requires `npm install` for dependencies.
  • ⚠️Requires `git` to be installed on the system for the `log_git_commits` tool.
  • ⚠️Requires configuration in `.amazon-q-history/config.json` in the project root to define storage mode, allowed paths, and tool permissions.
  • ⚠️Needs to be registered as an Amazon Q CLI MCP server, with the `cwd` parameter in `mcp-server.json` correctly pointing to the server's installation directory.
Verified Safe
The server employs robust input validation, path traversal protection, sensitive file blocking, and input length limits. All file operations are serialized via an async queue, preventing race conditions. Tool permissions allow fine-grained access control. The use of `child_process.execSync` for Git operations is carefully constructed with controlled arguments and input validation to prevent command injection. No clear hardcoded secrets or direct network vulnerabilities (operates via stdio) were identified.
Updated: 2025-12-10

Low Cost

MCP_server

by Cipheeer

Sec9

This server provides a set of string manipulation tools as microservices using the FastMCP framework.

Setup Requirements

  • ⚠️Requires 'fastmcp' Python package to be installed
  • ⚠️Python 3+ is required
Verified Safe
The provided source code for string manipulation tools is simple and does not contain 'eval', 'exec', direct shell commands, or obvious hardcoded secrets. Its overall security largely depends on the underlying 'fastmcp' library and how it handles SSE transport and incoming requests. No apparent malicious patterns within the provided snippet.
Updated: 2025-12-02

Low Cost

demo-mcp-server-yt

by itsniazahmad

Sec7

A basic, in-memory demo server designed to mimic a Minecraft server using the 'minecraft-protocol' Node.js library for development, testing, or educational purposes.

Setup Requirements

  • ⚠️Requires Node.js runtime environment
  • ⚠️Requires 'minecraft-protocol' npm package to be installed
  • ⚠️Requires a Minecraft Java Edition client (version 1.16.4) to connect and test
Verified Safe
The server is set to 'online-mode: false' and listens on '0.0.0.0' (all network interfaces), meaning it does not perform Mojang authentication and could allow anyone to connect with any username if exposed publicly. For a 'demo' server, this setup is common for ease of local development and testing, but it is critical to understand these implications and to avoid exposing it to untrusted networks without additional security measures.
Updated: 2025-11-29