Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost

Proxy remote FastMCP expense tracker tools to a local stdio interface.

Setup Requirements

  • ⚠️ Requires Python 3.12 or newer.
  • ⚠️ Dependencies 'mcp' and 'aiohttp' must be installed.
  • ⚠️ Relies on the availability and responsiveness of the remote FastMCP server at 'https://chronic-scarlet-urial.fastmcp.app/mcp'.
Verified Safe
The server acts as a transparent proxy, forwarding requests to a hardcoded remote FastMCP URL. It utilizes standard Python libraries (aiohttp, json) for network communication and JSON parsing. There are no clear indications of 'eval', obfuscation, or arbitrary code execution from untrusted input within the provided source. The primary security consideration would be the integrity and trustworthiness of the remote FastMCP server it proxies to, as the proxy itself introduces minimal new attack surfaces beyond being a relay.
Updated: 2025-11-28

Medium Cost

dcs-mcp

by birchamp

Sec9

A React application for navigating translation helps, synchronized with scripture references.

Setup Requirements

  • ⚠️ Requires external 'translation-helps-mcp' API backend (https://translation-helps-mcp-945.pages.dev) to be online and accessible for full functionality.
Verified Safe
Client-side React application with standard, encoded API calls to a secure HTTPS endpoint. No obvious dangerous functions (like eval or dynamic require/child_process) or hardcoded secrets are present in the provided source code snippets. The `BASE_URL` is either hardcoded to a production endpoint or proxied to it during development, using `encodeURIComponent` for URL parameters which mitigates basic injection risks.
Updated: 2025-11-22

Low Cost

mcp-server

by marcinACN

Sec10

Provides a Spring Boot backend server component intended for integration with or serving an AI Core system.

Setup Requirements

  • ⚠️ Requires Java Development Kit (JDK) to compile and run.
  • ⚠️ Requires Maven or Gradle build tool for project management and execution.
  • ⚠️ Implicit dependency or integration with an external 'AI Core' system, whose requirements are not defined in the provided code.
Verified Safe
The provided source code is extremely minimal, consisting only of the main Spring Boot application class and a test class. No 'eval', obfuscation, network risks, hardcoded secrets, or malicious patterns were found in the truncated code. A comprehensive security audit would require access to the full codebase, including dependencies, configuration, and business logic.
Updated: 2026-01-19

Medium Cost

tealium-mcp-server

by steveo2023

Sec8

Hosts a Model Context Protocol (MCP) server to provide real-time visitor profile lookups from Tealium CDP.

Setup Requirements

  • ⚠️ Requires Node.js 18.0.0 or higher.
  • ⚠️ Requires Tealium API credentials (username, API key) to be provided by the client (e.g., Claude) with each request via headers or query parameters.
  • ⚠️ Requires mapping of MCP API keys to specific Tealium account/profile combinations using `API_KEY_<ID>` and `TEALIUM_PROFILE_<ID>` environment variables for server configuration.
Verified Safe
The server securely handles Tealium authentication by using client-provided credentials per request and caching tokens, rather than storing them. MCP API keys are configured via environment variables and map to specific Tealium accounts/profiles. There are no evident uses of 'eval' or hardcoded secrets. CORS is enabled by default for all origins, which is common for APIs but could be tightened if stricter access control is desired. The `ADMIN_KEY` is mentioned in the README but not implemented in the provided source code, so there's no administrative API surface to audit.
Updated: 2025-11-23

Low Cost

todo-mcp

by praveenganesh

Sec1

A backend server for managing todo items, potentially incorporating multi-criteria planning logic.

Review Required
Source code was not provided for analysis. Therefore, a security audit cannot be performed. It is impossible to check for 'eval', obfuscation, network risks, hardcoded secrets, or malicious patterns without the code. **Running any software without source code review is extremely risky and not recommended.**
Updated: 2025-12-05

Medium Cost

abp-mcp-server

by ebicoglu

Sec6

Provides ABP Framework-specific information to AI agents through a Model Context Protocol server by searching documentation, GitHub issues, support questions, and community articles.

Setup Requirements

  • ⚠️ .NET SDK (version 8 or 9) must be installed
  • ⚠️ Expects JSON-RPC input via Stdin/Stdout
  • ⚠️ Likely requires a GitHub Personal Access Token for 'abp.github.issues.search' to avoid rate limits or for authenticated access.
Verified Safe
The provided source code is heavily truncated, consisting mainly of the README and an example JSON input. Therefore, a comprehensive security audit of the C# implementation for vulnerabilities like 'eval', obfuscation, hardcoded secrets, or malicious patterns is not possible. The server performs web scraping and makes GitHub API calls, which, if not implemented securely, could pose risks such as denial-of-service against target websites, or improper handling of API keys. However, the server itself runs locally and communicates via STDIO, which minimizes local network exposure.
Updated: 2025-12-08

Medium Cost
Sec8

This server acts as an API gateway for AI agents, providing read-only access to MySQL and optionally MongoDB databases via the Model Context Protocol.

Setup Requirements

  • ⚠️ Requires an existing MySQL database (and optionally MongoDB) to connect to; this server does not host databases.
  • ⚠️ A strong API_KEY must be set via environment variable for production use, as the default is insecure.
  • ⚠️ Best run via Docker; alternatively, requires Node.js (>=20.0.0) and npm.
Verified Safe
The server implements API key authentication and CORS for network security. For MySQL, it explicitly restricts queries to `SELECT`, `SHOW`, and `DESCRIBE` operations, preventing accidental or malicious writes/deletes. Table names in `mysql_describe` are sanitized, and `mysqlPool.execute` is used for queries, which generally aids in preventing SQL injection if used correctly with parameters. MongoDB queries accept filter objects, which, while generally safer, could potentially be exploited by an unconstrained AI for resource exhaustion if not managed at the AI layer. The default API_KEY 'your-secret-api-key-change-this' is a minor security risk if not changed immediately, but is clearly flagged.
Updated: 2025-12-13

Medium Cost

crav-mcp-github

by CR-AudioViz-AI

Sec9

An API server for GitHub automation, enabling AI agents (like Javari AI) to programmatically manage repositories, commit code, and handle other GitHub resources.

Setup Requirements

  • ⚠️ Requires a GitHub Personal Access Token (GITHUB_TOKEN) with repository permissions.
  • ⚠️ Requires a custom secret API key (MCP_API_KEY) for authenticating requests to the server's API.
  • ⚠️ Requires Node.js and npm to run.
Verified Safe
The server implements good security practices including API key authentication for all privileged endpoints, rate limiting, helmet for common web vulnerabilities, CORS, and comprehensive logging. GitHub token and MCP API key are loaded from environment variables. Repository deletion includes a confirmation step. There are no obvious `eval` calls, command injections, or hardcoded secrets found in the main server logic (src/index.ts). The 'avg_tokens_per_call' is interpreted as an estimate of the average data payload size (characters/words) processed during a typical API call, not AI inference tokens, as this server primarily interacts with GitHub.
Updated: 2026-01-09

High Cost

mcp-servers

by Sergio-Oracle

Sec8

Facilitates LLM interaction with Moodle LMS for course, student, assignment, and quiz management, including AI-assisted auto-correction and reporting.

Setup Requirements

  • ⚠️ Requires a Moodle API token with appropriate administrator-level permissions, which must be generated manually within Moodle.
  • ⚠️ Requires Node.js v18 or higher to run the server.
  • ⚠️ For network mode, the `socat` utility must be installed on the server, and specific firewall rules are necessary to secure network access to the MCP server on port 3000.
  • ⚠️ The `MOODLE_COURSE_ID` environment variable is crucial for many tools, acting as a default course identifier if not explicitly provided in tool arguments.
Verified Safe
The server uses `process.env` to load sensitive Moodle API credentials (`MOODLE_API_URL`, `MOODLE_API_TOKEN`, `MOODLE_COURSE_ID`), preventing hardcoding in the source code. For network deployment, the `start-moodle-mcp.sh` script leverages `socat` to expose the server over TCP. This requires the user to implement proper firewall rules to restrict access to trusted IPs, as explicitly detailed in the project's documentation; without such rules, the MCP server could allow unauthorized access to Moodle data. The `upload_file_to_course` tool accepts base64 encoded file content, relying on Moodle's API for content validation and size limitations. No direct `eval` calls or clear command injection vulnerabilities were identified in the provided Node.js source files.
Updated: 2025-12-18

High Cost

MCP-Server

by DhimanMajumdar

Sec8

An AI-powered tool for searching, retrieving, and summarizing online documentation for specified libraries.

Setup Requirements

  • ⚠️ Requires GROQ_API_KEY (Paid)
  • ⚠️ Requires SERPER_API_KEY (Paid)
  • ⚠️ Requires 'uv' (a fast Python package installer and runner) to execute the server
  • ⚠️ Requires Python 3.11 or higher
Verified Safe
Utilizes `os.getenv` for API keys, which is good practice. Leverages external web search (Serper API) and LLMs (Groq) for content retrieval and processing. The `fetch_url` function sends raw HTML chunks to an LLM for cleaning and extraction. This relies on the LLM's adherence to the system prompt and is a potentially resource-intensive and indirectly risky approach if the LLM were to misinterpret the input or generate unintended content, but it is not a direct code injection vulnerability for the server itself. No `eval` or similar direct execution risks are present.
Updated: 2025-11-29

Medium Cost

spicedocs-mcp

by medley56

Sec9

Provides an MCP server for Claude to access and search a local archive of NAIF SPICE documentation.

Setup Requirements

  • ⚠️ Requires Python 3.10 or higher.
  • ⚠️ Requires the `uv` package manager for installation and execution.
  • ⚠️ Requires an internet connection (~28MB) and at least 100MB of disk space for the initial documentation download.
Verified Safe
The server includes robust path traversal protection using `Path.resolve()` and `relative_to()` to ensure file access is restricted to the intended archive directory. SQLite queries are parameterized to prevent SQL injection. HTML content is parsed with BeautifulSoup to extract text and links, avoiding direct execution of potentially malicious scripts. The primary potential risk involves a user intentionally overriding `SPICEDOCS_BASE_URL` to download documentation from an untrusted source, which an LLM might then interpret. However, the server itself does not execute this content.
Updated: 2026-01-12

Low Cost
Sec9

This server provides a Model Context Protocol (MCP) interface to interact with the PGYER platform for mobile application (IPA/APK) distribution, testing, and version management.

Setup Requirements

  • ⚠️ Requires PGYER_API_KEY environment variable to be set for authentication with the PGYER platform (a PGYER account is needed).
  • ⚠️ Requires Node.js version 16.0.0 or higher.
Verified Safe
The server retrieves the PGYER API key from environment variables (PGYER_API_KEY), which is a secure practice. File paths for uploads are validated for existence and type. Network requests are made to the official PGYER API endpoints using HTTPS. There are no clear instances of eval, obfuscation, or hardcoded secrets other than what is expected for API communication via environment variables. The retry mechanism for upload results indicates robustness rather than a security flaw.
Updated: 2025-11-24