Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Medium Cost

jira-utilities-mcp-server

by deepakjain12345

Sec9

Automating JIRA issue management and generating comprehensive reports for PR links, Zephyr test cases, and subtask analysis, either via an MCP server or standalone scripts.

Setup Requirements

  • ⚠️Requires JIRA_EMAIL and JIRA_API_TOKEN environment variables for authentication.
  • ⚠️Requires Docker or Podman to run the MCP server as a container.
  • ⚠️Requires manual configuration of Cursor's ~/.cursor/mcp.json file, including volume mounts for CSV output.
  • ⚠️Network access to celigo.atlassian.net is essential.

Verified Safe
The project adheres to good security practices by strictly requiring JIRA API tokens and email to be passed via environment variables, avoiding hardcoding of secrets. It uses HTTPS for all JIRA API communications. Input validation is present for JIRA issue keys. The handling of JQL queries relies on the JIRA API's inherent sanitization. No 'eval' or obfuscation is used.
Updated: 2025-11-24

Low Cost

mcp_server_kf

by KiranFarhan786

Sec1

This server likely implements a custom protocol for communication, possibly a game server given the 'MCP' prefix (often associated with Minecraft Protocol).

Review Required
Cannot perform a security audit as the source code was not provided for analysis. Therefore, potential risks like 'eval' usage, hardcoded secrets, or malicious patterns cannot be identified or ruled out.
Updated: 2025-12-06

Medium Cost

mcp-server

by globle21

Sec7

Fast, token-efficient web content extraction for AI agents, converting websites to clean Markdown while preserving links and structure.

Setup Requirements

  • ⚠️Requires Node.js >=20.0.0.
  • ⚠️Uses Playwright for browser rendering, which might require additional system dependencies or a larger Docker image if browser binaries are not pre-installed or managed.
  • ⚠️The `read_website` tool by default does NOT respect `robots.txt` (can be overridden).
  • ⚠️Local cache directory (`.cache` by default) requires write permissions in the working directory.

Verified Safe
The server's core function involves fetching content from arbitrary external URLs, which is an inherent network risk. It uses Playwright for JavaScript rendering, increasing the potential attack surface if a highly sophisticated exploit exists on a target page. The `cookiesFile` and `cacheDir` parameters, while used for local paths, could pose a risk if exposed to untrusted user input without strict validation, but in an MCP context, client inputs are generally more controlled. There are no obvious hardcoded secrets or clear malicious patterns.
Updated: 2025-11-24

Medium Cost
Sec8

Provides LLM-powered "second opinions" on challenging coding issues by integrating Google Gemini with Claude Code CLI.

Setup Requirements

  • ⚠️Requires Conda for environment management and activation.
  • ⚠️A Google Gemini API Key is required (free tier available for limited use).
  • ⚠️Configuration within Claude Code CLI requires an absolute path to the server.py file.

Verified Safe
The server interacts with the Google Gemini API over the network, which requires handling API keys. It is designed to be invoked locally by the Claude Code CLI, limiting direct public exposure.
Updated: 2025-11-23

Low Cost
Sec10

Provides a Micro-Agent Platform (MCP) tool to fetch current weather forecasts for specified geographical coordinates.

Setup Requirements

  • ⚠️Requires Python 3.12+
  • ⚠️Requires `mcp` library (Micro-Agent Platform)

Verified Safe
No obvious security vulnerabilities, dangerous patterns (like 'eval'), hardcoded secrets, or malicious code identified in the provided truncated source code. It makes a standard HTTP GET request to a public weather API.
Updated: 2025-12-11

Low Cost

rmcp_mux

by LibraxisAI

Sec8

Manage multiple Model Context Protocol (MCP) servers from a single process, multiplexing client connections, providing features like ID rewriting, caching, auto-restart, and a TUI dashboard.

Setup Requirements

  • ⚠️Requires Rust toolchain and Cargo for building from source (e.g., `cargo build`).
  • ⚠️Requires a Unix-like operating system (macOS/Linux) as it extensively uses Unix domain sockets.
  • ⚠️Reliable operation depends on a correctly configured and trusted `mux.toml` file, as it defines the commands and parameters for all managed child processes.

Verified Safe
The source code demonstrates good practices against common vulnerabilities like path traversal by using `fs::canonicalize` for path sanitization. No hardcoded secrets or malicious patterns (e.g., `eval`) were found. The primary security consideration is that the server's core function is to execute user-defined commands (`cmd` and `args` in `mux.toml`). If a malicious actor gains control over the `mux.toml` configuration file, they could configure `rmcp-mux` to execute arbitrary commands on the system. Therefore, the security relies heavily on the trustworthiness of the configuration source.
Updated: 2025-12-26

Medium Cost

lead-ai-mcp

by dsactivi-2

Sec5

This server acts as a central hub for automating lead generation, web scraping for housing and jobs, and orchestrating outbound call campaigns using various AI models for TTS and LLM interactions.

Setup Requirements

  • ⚠️Requires numerous API keys for various external services (e.g., OpenAI, Anthropic Claude, Azure Speech/OpenAI, Google TTS, ElevenLabs, Vonage, Sipgate, Make.com, external Lead Builder, and Cloud Agents backends). These services often incur usage-based costs.
  • ⚠️Requires a Vonage private key file for voice calls (`VONAGE_PRIVATE_KEY` points to a file path) which needs to be securely generated and stored on the server.
  • ⚠️The web scraping functionality relies on Puppeteer, which necessitates a Chromium browser installation (the code defaults to '/snap/bin/chromium' suggesting a Linux environment with Snap).
  • ⚠️Upon first run, if no users are found, a default 'admin' user is created with the password 'admin123'. This password must be changed immediately after setup for security.

Review Required
CRITICAL: A default 'admin' user is created with password 'admin123' if no users exist. This password must be changed immediately after initial setup to prevent unauthorized access. API keys and secrets are loaded from environment variables, which is good practice, but the system relies on the secure configuration and protection of these keys. The 'ops_pm2_logs' tool uses 'child_process.execAsync' with user-provided input ('process' name), which could pose a command injection risk if not sufficiently sanitized by the underlying 'pm2' CLI. Scraper credentials are encrypted on disk using a key derived from an environment variable ('SCRAPER_SECRET') and the hostname, which is an improvement over plaintext storage but remains a sensitive data point.
Updated: 2026-01-18

Medium Cost
Sec8

An MCP server that exposes Oracle Primavera Data Service API tools for project management data analysis and reporting to LLMs and other MCP-compatible clients.

Setup Requirements

  • ⚠️Requires Node.js v18+ (v20+ recommended).
  • ⚠️Requires specific Primavera Data Service credentials configured as environment variables in a `.env` file for each tool.
  • ⚠️Designed for integration with MCP-compatible clients like Postman Desktop App, Claude Desktop, or GitHub Copilot Chat, not as a standalone web application.

Verified Safe
The server correctly uses environment variables for all API credentials, preventing hardcoding of secrets. All external API calls are made over HTTPS, securing data in transit. Dynamic tool loading uses a statically defined path list, mitigating arbitrary code execution risks. A dependency (`pac-resolver` for proxy auto-configuration) uses code generation for legitimate purposes, which is a known pattern but always carries an inherent, albeit contained, risk. Direct exposure of `error.message` in API error responses could potentially leak minor internal details, but generally, the codebase follows good security practices for a generated server.
Updated: 2025-11-19

Medium Cost

mcp-regex-server

by Vishwasa2004

Sec5

This server provides a standardized interface (MCP) for performing regular expression searches within specified files, returning matching lines.

Setup Requirements

  • ⚠️Requires a Go development environment (Go 1.16+ typically) to build and run.
  • ⚠️Designed to communicate via standard input/output (stdin/stdout) using JSON, not a network port. It expects an external orchestrator to provide input and consume output.
  • ⚠️No built-in input validation or sanitization for file paths or regex patterns, which are critical for security.

Review Required
The server allows searching arbitrary file paths (`file_path` argument) using a user-provided regex pattern (`pattern` argument). This introduces two significant risks if deployed in an untrusted environment or with untrusted input: 1. Local File Inclusion (LFI): An attacker could specify paths to sensitive system files (e.g., /etc/passwd) to extract their content. The current implementation only reads, not writes, files. 2. Regular Expression Denial of Service (ReDoS): Maliciously crafted complex regex patterns can consume excessive CPU resources, leading to a denial of service. There is no built-in input validation or sanitization for file paths or regex patterns.
Updated: 2026-01-19

Low Cost

mcp-weather

by Yeahx1000

Sec9

Serves weather information via the Model Context Protocol (MCP) as a tool for AI agents.

Setup Requirements

  • ⚠️Requires Claude Desktop installed to interact with the server as intended.
  • ⚠️Requires the `NWS_API_BASE` and `USER_AGENT` environment variables to be set for successful interaction with the National Weather Service (NWS) API.
  • ⚠️The `server/tsconfig.json` file contains `"noEmit": true` in its `compilerOptions`. This setting prevents TypeScript from compiling the source code into JavaScript, which would cause the `npm run build` command to fail and consequently `npm run start` would not function as `build/index.js` would not be created. This option must be changed to `"noEmit": false` or removed for the server to build and run correctly.

Verified Safe
The server employs good security practices by using `dotenv` for environment variable management and `zod` for robust input validation on all tool arguments (`state`, `latitude`, `longitude`), which helps prevent common injection issues. External API requests are made using values configured via environment variables (`NWS_API_BASE`, `USER_AGENT`), mitigating hardcoded secret risks. Basic error handling is in place for network requests. No 'eval', obfuscation, or other overtly malicious patterns were detected in the provided source code. A potential, albeit low, configuration risk exists if `NWS_API_BASE` or `USER_AGENT` are maliciously set in the environment, but this is an environmental concern rather than a code vulnerability.
Updated: 2026-01-19

Low Cost

mcp-ddi

by LuizMeier

Sec3

This project provides an MCP (Multi-Cloud Platform) server that integrates with Infoblox DDI to manage DNS zones, records, and grid members, offering a unified interface for network automation and operations.

Setup Requirements

  • ⚠️Requires `WAPI_URL`, `WAPI_USER`, and `WAPI_PASS` environment variables, typically provided via a `.env` file.
  • ⚠️The Infoblox WAPI client explicitly disables SSL verification (`verify=False`), which is a critical security risk and should be addressed for production deployments.
  • ⚠️Requires `uv` (a Python package manager and runner) or a similar `uvicorn`/`fastapi` setup to run the server.

Review Required
The `infoblox_client.py` explicitly disables SSL certificate verification for all Infoblox WAPI calls by using `httpx.AsyncClient(verify=False)`. This creates a critical security vulnerability, making the system susceptible to Man-in-the-Middle attacks. While environment variables are used for credentials, this SSL bypass severely undermines transport security. No 'eval' or obvious obfuscation detected.
Updated: 2025-11-25

Medium Cost

mcp-optimist

by Atomic-Germ

Sec7

Provides comprehensive static code analysis and optimization suggestions for JavaScript/TypeScript codebases.

Setup Requirements

  • ⚠️Requires Node.js 18+ and npm/pnpm.
  • ⚠️Requires a local Ollama server running if utilizing the 'consult_ollama' tool (e.g., via the provided 'ask_kimi' scripts), which acts as an intermediary for external AI models.
  • ⚠️Initial setup requires `npm install` and `npm run build` to compile the TypeScript source to JavaScript.

Verified Safe
The core server performs static code analysis locally, with a stated design principle of 'Sandboxed Analysis: No code execution during analysis' and 'No Network Access: All analysis performed locally'. However, the utility scripts (`tools/ask_kimi.js`, `tools/ask_kimi_then_qwen.js`) utilize `child_process.execSync` and `spawn` to invoke internal tools and external LLMs (via the `consult_ollama` tool). While these calls are currently controlled to execute trusted local scripts/tools, dynamic code generation and execution (`fs.writeFileSync` then `node <temp_file>`) in `tools/ask_kimi_then_qwen.js` for LLM interaction is a potential vector for code injection if the LLM output is not properly sanitized before embedding it into executable code. No obvious hardcoded secrets or arbitrary network risks were found in the core server logic.
Updated: 2025-12-02