Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

High Cost

install-x

by DuinoDu

Sec4

Automates library installation across multiple programming languages (Python, JavaScript, Rust, C, C++) for AI assistants, supporting complex dependencies like CUDA and ML frameworks.

Setup Requirements

  • ⚠️Requires Python 3.8+ (often specifically 3.10 as per scripts), Node.js, npm, Cargo, Git, wget/curl, and Make.
  • ⚠️Many installations require CUDA for GPU acceleration; CUDA installation and configuration are prerequisites for ML libraries.
  • ⚠️Requires `sudo` access for system-level dependency installations (e.g., `apt install`).
  • ⚠️Relies on `rye` for Python dependency management and virtual environment creation.
  • ⚠️Blender and FFmpeg are prerequisites for certain 3D/video-related projects.
Review Required
The server executes dynamically named shell scripts (e.g., `library_name.sh`) based on user input for `install(library_name)`. While the `is_supported` check attempts to validate `library_name`, the execution of arbitrary shell scripts in `src/install_x/install/` remains a significant risk if the naming convention is exploited or if a malicious package is registered on PyPI/npm/crates.io with a name matching a local trusted script. Many installation scripts utilize `sudo apt install` and `wget` without explicit content hash verification, `git clone` from external repositories, and `pip install` from direct GitHub links, leading to high exposure to supply chain attacks and privilege escalation if external sources are compromised. The implementation of `_install_python_package` incorrectly attempts to execute a shell script for *any* detected Python package, even simple PyPI libraries like 'numpy' that do not have corresponding `.sh` scripts, which is a functional bug, but also slightly mitigates arbitrary script execution for non-existent `.sh` files.
Updated: 2026-01-14

Low Cost

deno-mcp

by sudsarkar13

Sec7

Provides a comprehensive MCP server for AI assistants to interact with the complete Deno CLI toolchain, enabling seamless Deno development workflows.

Setup Requirements

  • ⚠️Requires Deno installed and in PATH.
  • ⚠️Requires Node.js v18.0.0 or higher.
  • ⚠️Requires an MCP-compatible client (e.g., Claude Desktop, VS Code Continue extension) to interact with the server's core functionality.
  • ⚠️For containerized deployments, Docker is required.
Verified Safe
The server's primary function is to expose Deno CLI functionality, including arbitrary code execution (deno_eval) and server startup (deno_serve). While it leverages Deno's strong permission model and implements input validation, the `render-server.ts` variant, designed for public deployment, enables CORS with `Access-Control-Allow-Origin: *` on its `/mcp` endpoint. If deployed publicly without additional authentication and authorization layers at an ingress or API gateway, this open CORS could allow unauthorized execution of Deno commands from any web origin. The `SECURITY.md` explicitly advises proper authentication when exposed.
Updated: 2025-12-19

Low Cost

This repository provides video tutorials and documentation for automating Excel tasks using natural language prompts via the Model Context Protocol (MCP) and AI assistants.

Setup Requirements

  • ⚠️Requires Windows 10/11 with Microsoft Excel installed (Microsoft 365 or Excel 2016+).
  • ⚠️Requires an AI assistant that supports MCP (e.g., VS Code with GitHub Copilot, Claude Desktop, Cursor, or Windsurf), which may incur subscription costs or require specific installations.
  • ⚠️For VBA automation tutorials, Excel's VBA Trust Settings must be configured to 'Trust access to the VBA project object model'.
Verified Safe
The provided source code consists solely of Markdown files (documentation and tutorial outlines). It contains no executable server logic, no 'eval' statements, no network calls, and no hardcoded secrets. Therefore, the source code of this repository itself is extremely safe to analyze. Security risks would only arise from running the external 'MCP Server for Excel' project that these tutorials describe, which is not part of this repository's source code.
Updated: 2025-11-25

Low Cost

mcp-server

by huykaiser

Sec8

This server exposes a set of tools and resources, including arithmetic operations, web browser control, data retrieval, and dynamic greetings, accessible via the MCP protocol over HTTP.

Setup Requirements

  • ⚠️Requires Python 3.13 or newer
  • ⚠️Requires the 'mcp' library (mcp[cli]>=1.22.0) to be installed
Verified Safe
The `webbrowser.open` function call, while hardcoded to a specific URL in this demo, introduces a capability on the server that could be risky if the URL were dynamically controlled. However, there are no obvious hardcoded secrets or arbitrary code execution vulnerabilities (like `eval`) present.
Updated: 2025-11-28

High Cost

Builds AI-powered conversational forms (agents) to collect structured data through natural language interactions.

Setup Requirements

  • ⚠️Requires Supabase project (VITE_SUPABASE_URL, VITE_SUPABASE_ANON_KEY)
  • ⚠️Requires a separate backend API (VITE_API_URL)
  • ⚠️LLM API keys (e.g., OpenAI, Anthropic, Google) are needed for AI functionality and may incur costs.
Review Required
The application interacts with `/admin` endpoints, which implies a strong backend authentication/authorization layer is critical but not visible in this client-side code. The `webhook-utils.ts` allows forwarding data to arbitrary URLs, which is a high-risk feature requiring strict backend validation to prevent SSRF or data exfiltration. The `profile.ts` file explicitly comments that `two_factor_secret` 'Should be encrypted in production', indicating a potential vulnerability if not handled rigorously on the backend. Client-side 2FA secret generation is less secure than server-side. No obvious malicious patterns or 'eval' usage observed.
Updated: 2025-11-23

High Cost
Sec9

Manages personal and group expenses, including shared expense tracking and splitting, through an AI-orchestrated tool server.

Setup Requirements

  • ⚠️Requires MONGODB_URI environment variable for database connection.
  • ⚠️Requires Python 3.12 or newer.
  • ⚠️Requires an OpenAI API key for the example client to function as demonstrated, interacting with 'gpt-5'.
Verified Safe
The server uses environment variables (`MONGODB_URI`) for sensitive connection strings, indicating good practice against hardcoded secrets. MongoDB connections are configured with TLS and certificate verification (`tls=True`, `tlsCAFile=certifi.where()`). Authentication and authorization logic (`is_user_in_group`, `is_user_group_admin`, etc.) are heavily integrated into the tools, requiring `user_id` for most operations. Input validation is present for critical parameters like group names, amounts, and email formats. There are no obvious `eval` or other dangerous dynamic code execution patterns. The MongoDB schema `additionalProperties: True` allows for flexible document structure but could be made stricter for enhanced data integrity if desired, though this is not a direct security vulnerability.
Updated: 2025-12-19

Medium Cost

MCP

by 080bct12alex

Sec3

Building and deploying an MCP server for expense tracking that integrates with AI chatbots and custom clients, demonstrating core MCP concepts and multi-server client interaction.

Setup Requirements

  • ⚠️Requires `uv` package manager and `fastmcp` library for both server and client setup.
  • ⚠️Client configurations for local servers contain hardcoded absolute paths (e.g., to Python executables and server scripts), which must be manually adjusted for different environments.
  • ⚠️Requires an `OPENAI_API_KEY` to interact with the specified `ChatOpenAI` LLM via the client.
Review Required
The remote expense tracker server lacks user authentication and authorization mechanisms. All operations (add_expense, list_expenses, summarize) apply to a single, shared database (expenses.db) without distinguishing between users. This poses a critical data privacy and integrity risk for a multi-user deployment, as any client can access or modify all financial data. SQL injection is mitigated by parameterized queries, and temporary directory usage for the database is a minor improvement.
Updated: 2025-11-28

Low Cost

mcp-server-miro

by alexisleboulanger

Sec8

An MCP server enabling AI agents to programmatically interact with and manipulate Miro boards via its API.

Setup Requirements

  • ⚠️Requires a Miro API token configured in a .env file.
  • ⚠️Many tools require a Miro Board ID, either set as a default in .env or provided per-call.
  • ⚠️Requires Node.js to be installed for local development/execution without Docker.
Verified Safe
The server uses Zod for input validation, and sensitive API tokens are correctly loaded from environment variables. There are no obvious 'eval' or command injection vulnerabilities. The `passthrough()` option in some Zod schemas allows unknown fields to pass through validation, which is then forwarded to the Miro API, potentially leading to unexpected behavior or API errors if the Miro API doesn't handle them gracefully, though this is not a direct server vulnerability. Error responses from the Miro API are directly formatted and returned, which could, in rare cases, expose verbose upstream error details if the Miro API itself were to leak sensitive system information (unlikely for a public API).
Updated: 2025-12-03

Medium Cost
Sec9

Assisting with information security tasks by providing product end-of-life dates, CVE lookups, and threat intelligence checks for IPs, domains, and URLs.

Setup Requirements

  • ⚠️Requires Python 3.8 or higher.
  • ⚠️Dependencies must be installed via `pip install -r requirements.txt`.
  • ⚠️Full functionality (VirusTotal, AbuseIPDB) requires API keys, which may be for paid services.
Verified Safe
The servers utilize standard Python libraries (httpx, asyncio, os, json, hashlib, datetime) and interact with legitimate, well-known public security APIs (NVD, endoflife.date, VirusTotal, AbuseIPDB, URLhaus). API keys for premium services are correctly loaded from environment variables, preventing hardcoding of secrets. A simple file-based cache for reputation results is implemented in a 'tmp' directory, which is a common and generally safe practice for local caching of JSON data. No 'eval' or other dynamic code execution functions are observed, and the code appears straightforward and robust.
Updated: 2025-11-21

Low Cost

mcp-sdl

by jvolden

Sec9

Provides SDL3 API documentation, code examples, and migration guides to AI assistants for code generation and reference.

Setup Requirements

  • ⚠️Requires Python 3.10 or higher.
  • ⚠️Requires 'uv' package manager for installation and running.
  • ⚠️Installation uses 'uvx' directly from the GitHub repository URL.
Verified Safe
The server primarily serves pre-defined static data (API docs, examples, migration guides) stored as Python data structures. Dynamic imports are restricted to internal modules, and there are no direct calls to 'eval' or external arbitrary code execution. The provided code does not show hardcoded secrets or direct external network requests initiated by the tools themselves. The risk of malicious patterns or arbitrary code execution appears low based on the provided source.
Updated: 2026-01-18

Low Cost
Sec8

Executes shell commands on a server with security controls, and reads/searches/extracts information from PDF files.

Setup Requirements

  • ⚠️Requires the 'mcp' Python package to be installed.
  • ⚠️Requires the 'pymupdf' Python package for the PDF server.
  • ⚠️Configuration in Claude Desktop requires absolute paths to the server scripts.
Verified Safe
The terminal server implements security features like command whitelisting, timeout limits, and shell operator restrictions. The PDF server uses a trusted library (pymupdf) and handles file paths carefully. Both servers avoid 'eval' and similar dangerous functions. Potential risks are mitigated by the security features implemented.
Updated: 2025-11-22

Low Cost

mcp_emi_server_deployment

by Ramakrishna-Gedala

Sec9

Provides a lightweight FastMCP server to expose loan EMI calculation, amortization schedule, loan comparison, and prepayment calculation tools to MCP clients.

Setup Requirements

  • ⚠️Requires Python 3.13+
  • ⚠️Requires 'uv' for environment management and running (pip-compatible alternative)
  • ⚠️An external EMI calculation backend API must be running and accessible at the configured `EMI_API_BASE_URL`
Verified Safe
The server acts as a proxy to a configurable REST backend via the `EMI_API_BASE_URL` environment variable. The `requests` library is used with a 10-second timeout. Payloads are constructed internally, minimizing client-side injection risks. The primary security consideration is ensuring `EMI_API_BASE_URL` points to a trusted and secure backend, as compromise of this variable could direct traffic to malicious endpoints.
Updated: 2025-11-27