Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

51
52
Low Cost
StefanMaron icon
Sec8

Provides AI assistants with semantic understanding of AL (Application Language) codebases and Business Central object relationships by parsing compiled AL symbol files.

Setup Requirements

  • ⚠️Requires .NET SDK 8.0+ for AL CLI (auto-installed, but manual intervention might be needed on some systems for PATH configuration or NuGet sources).
  • ⚠️Relies on compiled AL packages (.app files) being present in `.alpackages` directories or specified paths.
  • ⚠️Initial package loading (especially for large codebases like the Base Application) can take several seconds.
Verified SafeView Analysis
The server uses `child_process.spawn` to interact with external `AL` and `dotnet` CLI tools, which introduces a dependency on their security. File system operations for package discovery and symbol extraction include safeguards such as limiting recursion depth, blacklisting common system directories (e.g., node_modules, .git), and enforcing absolute paths for `rootPath` to mitigate arbitrary path traversal. Package content (i.e., `.app` files) is processed by extracting `SymbolReference.json` via ZIP or AL CLI; while the server's code itself appears free of obvious malicious patterns like `eval`, a vulnerability could exist if a crafted `.app` file exploits the underlying AL compiler or ZIP extraction process. Users should ensure they are processing trusted AL packages.
Updated: 2025-12-11GitHub
51
204
Medium Cost
iknowjason icon

AutomatedEmulation

by iknowjason

Sec6

Provisions an automated Breach and Attack Simulation (BAS) lab in AWS, integrating Caldera with an LLM-enabled MCP server, VECTR, and a Windows client with Red/Blue tools.

Setup Requirements

  • ⚠️Requires AWS IAM programmatic access keys with permissions to build AWS resources.
  • ⚠️Requires Terraform 1.5.7 (or compatible version) to be installed locally.
  • ⚠️If your public IP address changes or if `ifconfig.me` returns an IPv6 address, terraform apply must be re-run or manual firewall adjustments are needed.
Verified SafeView Analysis
The project deploys a complex security lab with default administrative credentials (for Caldera and VECTR) that should be immediately changed. The MLflow server for LLM tracing is explicitly stated to be publicly exposed by default, requiring careful configuration of EC2 security groups by the user. While the firewall rules initially whitelist the user's public IP, the option to open to 0.0.0.0/0 exists, posing a significant risk if misused. The core purpose is security emulation, which involves deploying agents and services, but diligent user management of credentials and network access is critical for a secure setup.
Updated: 2025-11-23GitHub
50
7
Medium Cost
chriskd icon

memex

by chriskd

Sec8

Personal knowledge base with hybrid search (keyword + semantic) and LLM-driven memory evolution, designed for agent workflows.

Setup Requirements

  • ⚠️Requires Python 3.11+
  • ⚠️LLM API Keys (Anthropic or OpenRouter) are required for semantic features (paid services)
  • ⚠️Semantic search requires additional dependencies ('chromadb', 'sentence-transformers') which involve a large download for the embedding model on first use.
  • ⚠️File watcher may use polling in Docker environments, potentially impacting performance.
Verified SafeView Analysis
The project uses environment variables for LLM API keys, which is a good practice. It performs extensive file system operations (read, write, delete, rmtree) which are inherent to a KB system, but should be handled carefully, especially with user-provided paths (validation is in place). Subprocess calls are primarily for git commands or generating configuration, posing low risk. External CDN links for static assets are present in the published site templates, a common web practice with inherent supply chain risk. No direct `eval()` or code obfuscation was detected.
Updated: 2026-01-19GitHub
50
95
Medium Cost
oceanbase icon
Sec2

The `awesome-oceanbase-mcp` project provides a collection of Model Context Protocol (MCP) servers designed to enable AI assistants to interact directly with OceanBase databases and its ecosystem components.

Setup Requirements

  • ⚠️Requires pre-existing OceanBase database instances and/or access to OceanBase Cloud Platform (OCP/OBCloud) with appropriate accounts.
  • ⚠️Requires specific CLI tools (`okctl`, `obshell`, `obdiag`, `kubectl`) installed and configured on the server machine.
  • ⚠️Requires careful configuration of numerous environment variables for database credentials and connection details across different server components (e.g., OB_HOST, OB_USER, OCP_ACCESS_KEY_ID, SYS_PASSWORD).
Review RequiredView Analysis
The `awesome-oceanbase-mcp` project contains multiple MCP servers, several of which exhibit critical security vulnerabilities: 1. **SQL Injection**: `okctl_mcp_server` (in `sql.py`), `obcloud_mcp_server` (in `functions/index.ts`), `seekdb_mcp_server` (in `server.py`, especially `_embed_mode_execute_sql`, `_server_model_execute_sql`, `full_text_search`, AI model functions, and CSV import), and `oceanbase_mcp_server` (in `server.py`, including `execute_sql`, ASH report, tenant/server queries, and specialized search tools like `oceanbase_text_search`, `oceanbase_vector_search`, `oceanbase_hybrid_search`) directly concatenate or format user-controlled input into SQL queries without proper parameterization, making them highly susceptible to SQL injection. 2. **Command Injection**: `obdiag_mcp_server` (in `server.py`, specifically `obdiag_display_run` and `obdiag_gather_log`) and `okctl_mcp_server` (in `install.py` for `bash -c download_output` and generally for other `okctl` commands if `validate_identifier` isn't fully comprehensive) construct shell commands using f-strings or direct string concatenation with user-provided arguments, posing a risk of arbitrary command execution. 3. **Arbitrary Method Execution (Code Execution)**: `obshell_mcp_server` (in `server.py`, specifically `call_obshell_sdk`) uses `getattr(client.v1, sdk_method)(**processed_args)`, allowing an attacker to call virtually any method available on the `obshell` client with arbitrary arguments. This is a critical remote code execution vector. 4. **Supply Chain Risk**: `okctl_mcp_server`'s `install_okctl` downloads and executes a shell script from a remote GitHub repository. A compromise of this remote script would lead to arbitrary code execution on the server running the MCP. 5. **Lack of Comprehensive Input Validation**: While some modules attempt basic identifier validation (e.g., `okctl_mcp_server/utils/security.py`), it is not consistently applied to all user-controlled inputs that are eventually passed to shell commands or SQL queries, exacerbating the injection risks. Secrets are generally managed through environment variables, which is a good practice. However, the severe injection and execution vulnerabilities make these servers unsafe for production environments without significant security hardening.
Updated: 2026-01-13GitHub
50
74
High Cost
dnnyngyen icon

ironmanus-mcp

by dnnyngyen

Sec9

Orchestrates AI workflows with an 8-phase control flow and specialized tools, serving as a Model Context Protocol (MCP) server.

Setup Requirements

  • ⚠️Requires Claude (or a compatible MCP client) to function as intended.
  • ⚠️Relies heavily on external APIs; `ALLOWED_HOSTS` and specific API keys/authentication headers may need configuration.
  • ⚠️Node.js 20+ and TypeScript 5.0 are required for local development and execution.
Verified SafeView Analysis
The project demonstrates strong, explicit, and multi-layered security measures. SSRF protection (`ssrfGuard`, `validateAndSanitizeURL`) is consistently applied to network requests and session IDs. Python execution is sandboxed (`validatePythonCode` blocks dangerous functions) and `pip install` uses an allowlist (`ALLOWED_LIBRARIES`). Path traversal is prevented for file system operations via `isValidSessionId`. An active runtime protection system (`startLegacyFileProtection`) removes legacy JSON files. Configuration validation (`validateConfig`) checks critical security settings in production. No obvious hardcoded secrets were found. The primary remaining risk is the inherent trust boundary of `subprocess.check_call` for `pip install` even with an allowlist, as a malicious package could potentially bypass checks if it made it into a mirror.
Updated: 2026-01-19GitHub
50
44
Medium Cost
veelenga icon

claude-mermaid

by veelenga

Sec9

Provides an MCP server for rendering Mermaid diagrams in Claude Code with live reload, multiple save formats, and interactive previews.

Setup Requirements

  • ⚠️Requires Node.js and npm to be installed.
  • ⚠️The `@mermaid-js/mermaid-cli` dependency relies on Puppeteer, which may download a large Chromium binary during installation, consuming significant disk space and bandwidth.
  • ⚠️Requires a compatible MCP client (e.g., Claude Code, Codex, Cursor, VSCode Cline, Windsurf, Gemini CLI) for integration.
Verified SafeView Analysis
The server implements strong security practices including Content Security Policy (CSP) headers for web previews and robust path validation (`validateSavePath`, `validatePreviewId`) to prevent path traversal attacks when saving or accessing diagrams. `execFile` is used for rendering diagrams via `mermaid-cli`, which is generally safer than `exec`. Input parameters for `mermaid-cli` are sanitized or enum-restricted, mitigating command injection risks. No hardcoded secrets or obvious malicious patterns were found. The primary attack surface is through the `mermaid-cli` itself and the interpretation of diagram code, which is an inherent risk when rendering user-provided code, but not directly attributable to server vulnerabilities.
Updated: 2026-01-19GitHub
50
89
High Cost
narumiruna icon

yfinance-mcp

by narumiruna

Sec9

Fetches real-time and historical stock data, news, and financial charts from Yahoo Finance.

Setup Requirements

  • ⚠️Requires Python 3.12+
  • ⚠️Chart generation (image output) can lead to high token usage due to base64 encoding
  • ⚠️Relies on the `uv` package installer for easy setup and execution
Verified SafeView Analysis
The server code generally follows good practices, wrapping blocking I/O (yfinance calls) with `asyncio.to_thread` and using structured error responses. There are no obvious hardcoded credentials, direct shell injections, or `eval` usage. The primary security consideration would be the underlying `yfinance` library's interaction with the Yahoo Finance API, which is outside the scope of this server's direct code.
Updated: 2026-01-11GitHub
50
25
Medium Cost
sagemcp icon

SageMCP

by sagemcp

Sec7

A scalable platform for hosting MCP servers with multi-tenant support, OAuth integration, and connector plugins for various services, deployed on Kubernetes.

Setup Requirements

  • ⚠️Requires Kubernetes 1.21+ and Helm 3.8+ for deployment.
  • ⚠️Requires Persistent Volume (PV) provisioner support in the underlying infrastructure for PostgreSQL and Redis persistence.
  • ⚠️Requires OAuth client IDs and secrets (e.g., GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET) to be configured as environment variables for specific connectors to function.
Verified SafeView Analysis
The platform dynamically builds Docker images and installs packages (NPM, PyPI) from remote sources (GitHub, NPM registry) for external MCP servers. This introduces a supply chain risk if a malicious MCP server is registered and installed. Commands for external MCP servers are executed via `subprocess_exec`. While runtime commands are likely admin-controlled, the integrity of external code sources is critical. The `SECRET_KEY` is auto-generated if not provided, ensuring it's always set. OAuth redirect URIs are handled with checks for localhost or `X-Forwarded-Host` headers. CORS `allow_origins` is set to `*` in development but should be restricted in production.
Updated: 2025-12-01GitHub
50
6
Medium Cost
S-FM icon

faim-mcp

by S-FM

Sec9

Integrates FAIM time series forecasting SDK with any Model Context Protocol (MCP)-compatible AI assistant, enabling AI-powered forecasting capabilities for models like Chronos2 and TiRex.

Setup Requirements

  • ⚠️Requires a FAIM API Key, which needs to be registered at https://faim.it.com/ (potentially a paid service).
  • ⚠️Requires Node.js 20+ and npm 10+ to run locally or for `npx` usage.
  • ⚠️Dependent on the availability and performance of the external FAIM API.
Verified SafeView Analysis
The server correctly retrieves the FAIM API key from environment variables, preventing hardcoding. It uses JSON.parse which is generally safe for deserializing JSON strings. There are no direct uses of `eval` or obvious code obfuscation. Network communication is with the FAIM API, which implies reliance on the security of that external service. All errors are handled gracefully and transformed, preventing internal details from leaking.
Updated: 2025-11-28GitHub
50
96
Medium Cost
webflow icon

mcp-server

by webflow

Sec6

A Node.js server implementing Model Context Protocol (MCP) for Webflow, enabling AI agents to interact with Webflow Data and Designer APIs.

Setup Requirements

  • ⚠️Requires a Webflow API token (`WEBFLOW_TOKEN`) set as an environment variable.
  • ⚠️Requires Node.js 22.3.0 or higher.
  • ⚠️For local installation, requires creating, publishing, and launching a 'Webflow MCP Bridge App' in a Webflow workspace with Admin permissions.
  • ⚠️The server's Designer App Bridge needs an available local port between 1338 and 1638.
Verified SafeView Analysis
The server uses `cors({ origin: '*' })` for both its Express app and Socket.IO server, which allows connections from any origin. While this configuration is often used for ease of development in local environments, it poses a network risk if the server is exposed beyond the local machine or if other untrusted local processes are able to connect. The `WEBFLOW_TOKEN` is correctly handled as an environment variable, preventing hardcoded secrets. No 'eval' or obvious malicious patterns were found.
Updated: 2026-01-16GitHub
50
90
High Cost
VeriTeknik icon

pluggedin-app

by VeriTeknik

Sec9

A testing environment for MCP (Model Control Protocol) servers, allowing interaction through a chat interface powered by LLMs and an AI agent using the LangChain ReAct framework.

Setup Requirements

  • ⚠️Requires OpenAI, Anthropic, or Google API Key for LLM integration and email translation (Paid services).
  • ⚠️Requires PostgreSQL database for persistent storage.
  • ⚠️Requires Redis for session management and distributed rate limiting.
  • ⚠️Requires Docker (for deployment) and potentially Bubblewrap/Firejail (for sandboxing on Linux hosts, if not containerized with them).
  • ⚠️GitHub API Token required for repository analysis and publishing to the MCP Registry.
Verified SafeView Analysis
The application exhibits a robust security posture, incorporating numerous defense-in-depth measures. Key strengths include: comprehensive input validation and sanitization (URLs, paths, external IDs, HTML content) to prevent XSS, path traversal, and SSRF attacks; strong authentication security with bcrypt (cost factor 14), brute-force protection (account lockout), and detailed audit logging; secure session management with JWTs, periodic revalidation, and session invalidation on password changes; robust data encryption (AES-256-GCM with scrypt and random salts) for sensitive data at rest; global CSRF protection and HTTP security headers (CSP with nonce, X-Frame-Options, X-Content-Type-Options, etc.); and critical sandboxing capabilities for executing external MCP server code via Bubblewrap/Firejail for process, filesystem, and network isolation. While in-memory rate limiting is noted as a 'CRITICAL TODO' for multi-instance deployments in one file, other files show the use of `ioredis` for distributed rate limiting, mitigating this, though fallback to in-memory still presents a risk if Redis fails. `process.setMaxListeners` is used, which is a practical mitigation but could be a resource exhaustion vector if many STDIO servers are connected concurrently without proper scaling.
Updated: 2026-01-17GitHub
50
96
High Cost
nkapila6 icon

mcp-local-rag

by nkapila6

Sec8

Provides a local, RAG-like web search tool for Large Language Models to retrieve current information and context.

Setup Requirements

  • ⚠️Requires Docker or uv for installation.
  • ⚠️Requires Python 3.10.
  • ⚠️Downloads a MediaPipe Text Embedder model locally (~20MB).
Verified SafeView Analysis
The server fetches content from arbitrary URLs found via DuckDuckGo. While the content is processed to plain text (mitigating direct script execution risks), fetching from untrusted sources always carries inherent risks. No 'eval' or direct code execution from fetched content is observed. No hardcoded secrets are present in the provided code.
Updated: 2026-01-19GitHub
PreviousPage 52 of 713Next