Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

0
0
Low Cost
oscarmarina icon

mcp-knowledge-mind

by oscarmarina

Sec9

Provides a local RAG server for AI tools to index and search Markdown and PDF files from local folders and GitHub repositories using a hybrid search engine.

Setup Requirements

  • ⚠️Requires Ollama with `nomic-embed-text` model downloaded, or will download `nomic-ai/nomic-embed-text-v1.5` locally via `transformers.js` for embedding, which can be a large download.
  • ⚠️Requires Node.js 18+ and SQLite installed on the system.
  • ⚠️GitHub repository indexing requires `GITHUB_CLASSIC_TOKEN` environment variable configured.
Verified SafeView Analysis
The server is designed for local-first operation. It accesses local file paths provided by the user and uses `process.env.GITHUB_CLASSIC_TOKEN` for GitHub integration. There are no direct 'eval' calls or clear malicious patterns. The primary security considerations revolve around how the user secures their `GITHUB_CLASSIC_TOKEN` and ensures the server is not exposed to untrusted external input given its local file access capabilities. Logging to files in `SERVER_DIR` could potentially expose sensitive information if not properly managed, but for a personal knowledge server, this is usually acceptable.
Updated: 2026-01-18GitHub
0
0
Low Cost
MidwestMountaineer icon

Unifi-MCP-Server

by MidwestMountaineer

Sec8

Provides an MCP server that exposes UniFi Network Controller capabilities to AI agents through a well-designed tool interface for natural language network management.

Setup Requirements

  • ⚠️Requires a UniFi Network Controller to connect to.
  • ⚠️Requires UniFi controller API key (read-only recommended) or username/password for authentication.
  • ⚠️Python 3.11+ is required.
  • ⚠️Default `UNIFI_VERIFY_SSL=false` in configuration allows connections to controllers with self-signed SSL certificates without verification, posing a potential MITM security risk if not explicitly set to `true` in production environments.
Verified SafeView Analysis
The server code demonstrates robust security practices such as sensitive data redaction in logs, explicit confirmation for write operations, and input validation. However, the default configuration `UNIFI_VERIFY_SSL=false` presents a potential Man-in-the-Middle (MITM) risk if not explicitly changed by the user, and the inherent nature of AI agent execution of tools requires careful trust in prompts.
Updated: 2025-12-14GitHub
0
0
Medium Cost
Akungapaul icon

wp-settings-mcp

by Akungapaul

Sec4

Manages and configures WordPress site settings, users, and cache through a Model Context Protocol (MCP) server.

Setup Requirements

  • ⚠️Requires a running WordPress instance with REST API enabled and an Application Password for authentication.
  • ⚠️WP-CLI features (permalink structure, site health, cache flushing, user create/delete) are enabled conditionally and require WP-CLI to be installed and accessible on the WordPress server.
  • ⚠️WP-CLI features can optionally require SSH access configuration (host, port, user, key path) if WordPress is remote or WP-CLI needs to be executed via SSH.
Verified SafeView Analysis
The server provides powerful administrative capabilities over a WordPress site, including updating critical site settings, managing users (list, create, delete), and flushing cache. It relies on WordPress REST API and WP-CLI, which can grant extensive control if configured with administrator credentials. The security of this server heavily depends on the secure management of sensitive environment variables such as WORDPRESS_APP_PASSWORD and SSH_KEY_PATH, and the secure deployment of the MCP server itself (e.g., strong authentication, network access controls). A compromise of this server could lead to full control over the connected WordPress instance and potentially the underlying server if WP-CLI is enabled with SSH access. Input validation with Zod helps with schema adherence but does not mitigate the risk of authorized users performing sensitive actions or a compromised server being misused.
Updated: 2025-11-28GitHub
0
0
Low Cost
vrahulblr icon

attempt-chartjs

by vrahulblr

Sec1

This project likely serves as an attempt or example of using Chart.js for data visualization within a web application.

Review RequiredView Analysis
No source code was provided for analysis, only a truncated README.md. Therefore, it is impossible to assess security risks such as 'eval', hardcoded secrets, network vulnerabilities, or malicious patterns. The score reflects an inability to audit.
Updated: 2025-12-01GitHub
0
0
Medium Cost
OxWorks icon
Sec7

Enables AI assistants to interact with GoodData analytics platforms via natural language queries, retrieve business intelligence data, and manage GoodData resources (metrics, insights, dashboards) through a Model Context Protocol (MCP) server.

Setup Requirements

  • ⚠️Requires a GoodData account with API access, as GoodData is a commercial analytics platform.
  • ⚠️Requires `GOODDATA_HOST` and `GOODDATA_TOKEN` to be set as environment variables (e.g., in a `.env` file), plus an optional `GOODDATA_WORKSPACE`.
  • ⚠️Requires Python 3.10 or higher.
  • ⚠️The discrepancy between the 'Read-Only by Design' claim in the README and the presence of write operations (create, update, delete for metrics, insights, and dashboards) in the `mcp_server.py` code can be misleading. Users must understand and explicitly use the two-phase commit (preview/apply) for all write operations, which inherently creates friction.
  • ⚠️For multi-customer setups or auto-detection of workspaces based on the current working directory, a `~/.config/gooddata/workspaces.yaml` configuration file is required.
Verified SafeView Analysis
The project's README initially states 'Read-Only by Design', which is directly contradicted by the `mcp_server.py` file. The `mcp_server.py` implements significant write operations for metrics, insights, and dashboards (create, update, delete). This discrepancy in documentation is a critical point of concern, as users relying solely on the README might operate under false assumptions of safety. However, the actual implementation of these write operations includes robust safety mechanisms: a two-phase commit pattern (`preview_*` then `apply_*` with a confirmation token), automatic backups before any modification, and detailed audit logging to a local file system (`~/.config/stackless/gooddata/<customer>/audit.jsonl`). Credentials (`GOODDATA_HOST`, `GOODDATA_TOKEN`) are loaded from environment variables (e.g., via `.env` file) and are not hardcoded. No 'eval' or other directly exploitable malicious patterns were found in the provided source.
Updated: 2026-01-16GitHub
0
0
High Cost
versus1985 icon
Sec9

Serves Home Assistant REST APIs as Model Context Protocol (MCP) tools for AI agents.

Setup Requirements

  • ⚠️Requires a Home Assistant instance to connect to.
  • ⚠️Requires a Home Assistant long-lived access token for authentication.
  • ⚠️Designed to run as a Home Assistant add-on or in a Docker environment, exposing port 8099.
Verified SafeView Analysis
The server employs robust security practices including validation of Home Assistant long-lived tokens, proper handling of Authorization headers (avoiding full token logging), and explicit warnings against direct internet exposure without HTTPS and a reverse proxy. It relies on Home Assistant's API security for templating. No 'eval' or other obvious malicious patterns were found in the provided code.
Updated: 2026-01-16GitHub
0
0
Low Cost
sjinks icon
Sec9

Provides an MCP interface for querying WordPress vulnerability data via the WPScan API.

Setup Requirements

  • ⚠️Requires a WPScan API token (may require registration/payment for access).
  • ⚠️Requires Node.js (>=18) or Bun runtime environment.
  • ⚠️Designed to be used with an MCP-compatible client (e.g., Claude Desktop, VSCode with MCP extension).
Verified SafeView Analysis
The server correctly retrieves the WPScan API token from environment variables, preventing hardcoded secrets. It acts as a wrapper for the legitimate WPScan API. No 'eval', obfuscation, or unusual network activities beyond the documented API interaction were found. The primary security consideration is trusting the WPScan API itself and ensuring the API token is securely managed by the user.
Updated: 2026-01-19GitHub
0
0
Low Cost
ericomack1983 icon

MCPDiscordChatBot

by ericomack1983

Sec1

A Discord chatbot that directly integrates with and queries ChatGPT to answer user questions, styled as Agent Smith.

Setup Requirements

  • ⚠️Requires OpenAI API Key (Paid).
  • ⚠️Requires Discord Bot Token.
  • ⚠️The provided `discord_aibot.py` directly connects the Discord bot to ChatGPT, which deviates from the README's described architecture of `Discord Chat Bot → MCP Server (Python) → ChatGPT`. The 'MCP Server (Python)' component (e.g., a Flask server) mentioned in the README is not present in the provided source code.
Review RequiredView Analysis
CRITICAL: The `openai.Client` initialization explicitly uses `api_key="XXXXXXXX"` instead of `os.getenv('OPENAI_API_KEY')`. While `os.getenv` is commented out, the active line hardcodes a placeholder that could easily become a hardcoded secret if replaced without proper environment variable usage. This is a severe security vulnerability. The Discord token is correctly loaded from environment variables.
Updated: 2025-12-01GitHub
0
0
Medium Cost
strato-net icon

strato-griphook

by strato-net

Sec7

An MCP (Model Context Protocol) server enabling AI agents to interact with the STRATO blockchain's DeFi ecosystem.

Setup Requirements

  • ⚠️Requires Node.js >= 18.0.0.
  • ⚠️Requires OAuth 2.0 client configuration (OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET, OPENID_DISCOVERY_URL) for login and hosted mode.
  • ⚠️Requires a running STRATO API backend accessible via STRATO_API_BASE_URL.
  • ⚠️For public hosted deployments, additional setup for Keycloak, DNS, Nginx, and SSL is required, as outlined in the project's deployment guide (external to source code).
Verified SafeView Analysis
The server transparently handles OAuth 2.0 (PKCE flow) for authentication. Credentials are saved unencrypted to `~/.griphook/credentials.json` with `0o600` permissions; users must protect their filesystem. For local operation, the HTTP server binds to `127.0.0.1` without TLS, requiring users to manually ensure HTTPS and authentication if exposed publicly. The `strato.rpc` tool acts as a JSON-RPC proxy, allowing AI agents to submit arbitrary payloads to the configured STRATO API. This powerful capability relies heavily on the security and validation of the backend STRATO API to prevent misuse or arbitrary execution.
Updated: 2026-01-16GitHub
0
0
Low Cost
SuperPyonchiX icon

confluence_mcp_server

by SuperPyonchiX

Sec8

Provides a Model Context Protocol (MCP) server for AI agents to interact with Confluence DataCenter/Server content, manage pages, spaces, users, search using CQL, and perform bidirectional Markdown conversions.

Setup Requirements

  • ⚠️Requires Node.js 18 or higher.
  • ⚠️Primarily designed for Confluence DataCenter/Server with Basic Authentication (username/password), as stated in the main README. Although the code includes branches for token authentication, the README explicitly states Confluence Cloud is not supported in this version.
  • ⚠️Markdown conversion tools (`confluence_page_to_markdown`, `confluence_markdown_to_page`, `confluence_update_page_from_markdown`) require absolute file paths for inputs and outputs.
Verified SafeView Analysis
The codebase generally follows good security practices, utilizing environment variables for credentials and including checks for absolute file paths and directory traversal in file operations. It uses `axios` for network requests with interceptors for error handling. HTML/Markdown processing performs basic escaping. No explicit use of `eval` or similar dangerous patterns was found. While overall good, deeper dynamic analysis of external SDKs is beyond this scope.
Updated: 2026-01-16GitHub
0
0
Low Cost
dannwaneri icon

mcp-server-worker

by dannwaneri

Sec9

A production-ready Model Context Protocol (MCP) server providing HTTP-based semantic search and intelligent search with AI-powered synthesis context using Cloudflare Workers AI and Vectorize.

Setup Requirements

  • ⚠️Requires a Cloudflare account with Workers enabled.
  • ⚠️Requires Wrangler CLI installed.
  • ⚠️Requires a Vectorize index named 'mcp-knowledge-base' to be created with 384 dimensions and cosine metric.
  • ⚠️Requires the Vectorize index to be populated with data (e.g., using the referenced 'vectorize-mcp-worker' project) before semantic search yields results.
  • ⚠️No built-in authentication for API endpoints by default, making it publicly accessible unless a custom authentication layer is added as suggested in the README.
Verified SafeView Analysis
The code acts as an HTTP adapter for the MCP protocol, directly handling 'tools/list' and 'tools/call' methods. User input for search 'query' is passed to Workers AI for embedding and then to Vectorize. The 'topK' parameter for search results is explicitly capped at 10, preventing excessive resource consumption. CORS is broadly enabled ('Access-Control-Allow-Origin: *'), which is common for public APIs but could be restricted further if needed. While the README suggests adding authentication as a production enhancement, the core worker logic itself does not implement it by default, meaning the API is publicly accessible post-deployment. No 'eval' or other obvious code injection vulnerabilities were found in the provided source.
Updated: 2025-12-05GitHub
0
0
Medium Cost
Kirkigmenezes icon

AIDomesticCoreAIJ

by Kirkigmenezes

Sec9

AIDomesticCoreAIJ is a foundational artificial intelligence platform designed for both home and enterprise applications. It provides the power to create intelligent agents, automate tasks, and orchestrate complex multi-model systems, integrating quantum computing, computer vision, federated learning, generative AI, privacy-first IDEs, LLM-kernel IDEs, and edge execution capabilities.

Setup Requirements

  • ⚠️Requires Docker and Docker Swarm for deployment in a clustered environment.
  • ⚠️Python 3.8-3.11 is required (Python 3.11 recommended).
  • ⚠️Minimum 8GB RAM (16GB recommended) and 10GB storage.
  • ⚠️CUDA-compatible GPU is optional but recommended for accelerated inference and training.
  • ⚠️External API keys for various AI services (e.g., OpenAI, Claude, GigaChat3, KatyaAI) are required for full functionality of GenAI components.
  • ⚠️Uses API keys for authentication (`Authorization: Bearer <api_key>`).
Verified SafeView Analysis
The project demonstrates a robust commitment to security, featuring quantum-safe cryptography (Kyber, Dilithium), a Zero-Trust security model, Decentralized Identity Networks (DIDN), and automated SBOM generation with vulnerability scanning (`syft`, `grype`). It also outlines compliance with EU AI Act and GDPR, detailed security policies, bug bounty programs, and strong input validation. Minor findings include a hardcoded development password in `docker-compose.yml`, which is a common practice for local development setups but should not be used in production.
Updated: 2026-01-19GitHub
PreviousPage 514 of 713Next