Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Medium Cost
Sec8

An MCP server that integrates with a traffic prediction API, offering tools to retrieve traffic station data, predict traffic Speed Performance Index (SPI), and suggest optimal routes.

Setup Requirements

  • ⚠️ Requires an external Mapbox Access Token for route suggestion capabilities.
  • ⚠️ Requires a separate backend Traffic Prediction REST API to be deployed and accessible via TRAFFIC_API_URL.
  • ⚠️ Requires an API Key (MCP_API_KEY) for authentication with the SSE endpoint, which must be secured.

Verified Safe
The server uses environment variables for sensitive data (TRAFFIC_API_URL, MCP_API_KEY, MAPBOX_ACCESS_TOKEN), which is a good practice. It explicitly supports API Key authentication for the SSE endpoint. CORS is wide open (`allow_origins=["*"]`) by default, which is noted as a security consideration in the README, suggesting it should be restricted in production. No 'eval' or other highly dangerous patterns were observed in the provided source code. The server acts as a proxy, so its overall security also depends on the upstream traffic API.
Updated: 2025-12-03

Low Cost

jira-mcp-server

by aiagentplayground

Sec1

A server component for Atlassian's MCP (Most Capable Person) platform, likely integrating with or managing Jira instances.

Review Required
CRITICAL: A comprehensive security audit is not possible as no server source code was provided for analysis beyond the README. Without code to inspect for patterns like 'eval', hardcoded secrets, or network risks, it is impossible to assess its security posture. The low score reflects the inability to verify safety.
Updated: 2025-12-03

Low Cost

Set up and configure an MCP (Microservice Composer) Server in Amplify Fusion to expose a custom tool to LLMs like Claude for specific tasks, such as order information retrieval.

Setup Requirements

  • ⚠️ Requires Amplify Studio and Fusion versions 1.12 or higher.
  • ⚠️ Requires AI entitlement to be enabled on the tenant or environment.
  • ⚠️ The exposed URL for the MCP Server needs to be copied from Amplify Studio and correctly configured in Claude Desktop (replacing a placeholder).

Verified Safe
The provided 'source code' (README) describes a configuration process and does not contain direct code for `eval`, obfuscation, or hardcoded secrets. The security relies heavily on the underlying Amplify Fusion platform's security (e.g., authentication, authorization for the exposed `/orderManagement` endpoint) and the integrity of the `mcp-remote` npm package executed via `npx` in Claude Desktop's configuration. Users must ensure their Amplify Fusion instance is securely configured and the `mcp-remote` package is trustworthy. The provided instructions themselves do not introduce vulnerabilities.
Updated: 2025-11-22

Medium Cost
Sec8

Send Telegram messages and interact with a personal Telegram account via Claude Code.

Setup Requirements

  • ⚠️ Requires Telegram API credentials (API ID and Hash) obtained from my.telegram.org.
  • ⚠️ Requires a phone number associated with the Telegram account.
  • ⚠️ One-time authorization process is necessary to create a local session file.
  • ⚠️ Requires Python 3.10 or higher (tested with 3.11 in setup).

Verified Safe
The server uses `telethon` for Telegram API interaction, `python-dotenv` for secure environment variable loading, and stores the session file locally. There is no observed use of `eval` or direct command injection vulnerabilities. A potential concern exists with the `download_media` tool's `save_to` parameter, which accepts an absolute path. A compromised AI could potentially instruct the tool to write files to sensitive system locations or overwrite existing files if the execution environment allows, though the tool itself does not directly execute arbitrary commands.
Updated: 2026-01-19

Low Cost

MCP_SERVER_SIMPLES

by elbrinner

Sec7

A .NET Model Context Protocol server providing a collection of utility tools accessible via natural language queries through AI assistants like Copilot.

Setup Requirements

  • ⚠️ Requires Node.js (v16+)
  • ⚠️ Requires .NET SDK 8+ (specifically targeting an upcoming 'net10.0' framework with release candidate dependencies)

Verified Safe
The server is built on .NET and utilizes standard Microsoft Extensions libraries and ModelContextProtocol preview packages. While no 'eval', obfuscation, hardcoded secrets, or direct malicious patterns are visible in the provided truncated files, the use of preview/release candidate versions for core dependencies (e.g., Microsoft.Extensions.Hosting 10.0.0-rc.2.25502.107 and ModelContextProtocol 0.4.0-preview.1) introduces a potential risk for instability or unpatched vulnerabilities. Proper input validation in the C# tool implementations (not provided) is crucial, especially for tools like WeatherTools which use environment variables and SecurityTools which generate passwords.
Updated: 2025-11-18

Medium Cost

strudel-mcp

by takeachangs

Sec8

Enables AI assistants to parse, analyze, generate, and transform musical patterns using the Strudel live-coding environment.

Setup Requirements

  • ⚠️ Requires Node.js 18 or higher.
  • ⚠️ Requires npm or pnpm for dependency installation and building.
  • ⚠️ Requires specific configuration for integration with MCP-compatible clients like Claude Desktop or Claude Code.

Verified Safe
The server utilizes `StdioServerTransport`, meaning communication happens over standard I/O, which significantly limits direct network attack surfaces for the server itself. Input schemas are validated using `zod`. While user-provided Strudel mini notation is parsed and processed, the server itself does not `eval` or directly execute arbitrary code on user input. Generated code is returned to the client, with instructions implying execution in a separate client-side Strudel environment (e.g., `strudel.cc`). The primary security consideration would be potential vulnerabilities within the underlying `@strudel/mini` or `@strudel/core` parsing libraries if specifically crafted musical notation could exploit them, but this is a dependency-level risk. No hardcoded secrets were identified.
Updated: 2025-12-15

Medium Cost

odoo-mcp-server

by renbran

Sec9

Provides a production-grade Model Context Protocol (MCP) server for Odoo 17-19, offering comprehensive API access, multi-instance support, and AI-powered automation through Claude Desktop.

Setup Requirements

  • ⚠️ Requires Node.js 18+ runtime for local execution.
  • ⚠️ Requires valid credentials for at least one Odoo instance (can be a complex JSON string for multiple instances).
  • ⚠️ Primarily designed for integration with Claude Desktop (or other MCP-compatible clients) for AI-driven interaction.

Verified Safe
The server utilizes secure XML-RPC clients (xmlrpc.createSecureClient) for Odoo connections, ensuring HTTPS communication. Credentials are managed via environment variables or Cloudflare secrets, with explicit documentation against hardcoding and logging them directly. Input validation is performed using Zod schemas for tool arguments, mitigating potential injection risks. Comprehensive security best practices are documented, including recommendations for least privilege access and regular password rotation. The main risk is the exposure of potentially verbose Odoo data to an LLM, which needs careful management by the AI system itself.
Updated: 2026-01-19

Low Cost
Sec8

This server provides a refined interface for LLMs to interact with GitHub's GraphQL API and Code Search, optimizing for token efficiency and readability.

Setup Requirements

  • ⚠️ Requires `gh` CLI to be installed and authenticated via `gh auth login`.
  • ⚠️ Requires Python 3.12 or newer.
  • ⚠️ Installation typically uses `uvx` (uv installer for executables).

Verified Safe
The server executes `gh` CLI commands via `subprocess`, passing user-provided query strings and `jq` expressions as arguments or standard input. This approach reduces direct shell injection risks compared to `shell=True`. However, reliance on the `gh` CLI means its security model is inherited. Malicious `jq` expressions could potentially exploit `jq` vulnerabilities (though `jq` is generally robust) or lead to excessive resource consumption. The HTTP server uses broad CORS (`allow_origins=["*"]`), which is acceptable for local LLM agent setups but requires caution if publicly exposed. No hardcoded secrets or `eval` usage were found.
Updated: 2026-01-12

Low Cost

MCP-Server

by Shivam09247

Sec1

It appears to be a server application, likely related to the Minecraft community (Mod Coder Pack), but its specific functionality cannot be determined from the provided information.

Review Required
No source code was provided for analysis, making a security audit impossible. Therefore, no assessment of potential risks (like 'eval', obfuscation, network vulnerabilities, or hardcoded secrets) could be performed.
Updated: 2025-11-25

Low Cost
Sec8

A mock BOSH Director server used for testing BOSH clients like bosh-mcp-server.

Setup Requirements

  • ⚠️ Requires Go development environment to build the binary from source.
  • ⚠️ Clients connecting to the server must be configured to trust self-signed TLS certificates or explicitly ignore CA validation (e.g., BOSH_CA_CERT="").

Verified Safe
The server uses hardcoded default credentials (admin/admin) which can be overridden by CLI flags. While intended for local testing, this poses a minor risk if accidentally exposed in an insecure network. Self-signed TLS certificates are generated, requiring clients to ignore certificate validation or trust the generated cert, typical for a development mock but insecure for production. No 'eval' or malicious patterns were found.
Updated: 2025-11-26

Low Cost

MSFS-MCP-Server

by alxspiker

Sec6

Bridges Large Language Models (LLMs) to Microsoft Flight Simulator (MSFS) for AI-controlled aviation, enabling AI to read instruments and control the aircraft via SimConnect.

Setup Requirements

  • ⚠️ Requires Microsoft Flight Simulator (2020 or 2024) running on Windows.
  • ⚠️ Requires Python 3.10+.
  • ⚠️ Remote access requires `ngrok` (which typically needs an account and authentication token).
  • ⚠️ Requires an MCP-supported AI client (e.g., ChatGPT with Dev Mode, Claude Desktop).

Verified Safe
The server exposes powerful SimConnect control methods (e.g., `set_event_state`, `fire_event`) via an HTTP/SSE API (FastAPI + FastMCP). When exposed publicly via `ngrok` (as explicitly suggested for remote control), this creates a significant attack surface. A compromised LLM client or an attacker gaining access to the ngrok URL could issue arbitrary commands to the local MSFS instance. While the direct code does not contain obvious malicious patterns like `eval` or hardcoded secrets, the fundamental design grants high-level control to external entities, which is inherently risky when unauthenticated and publicly accessible. The project disclaimer explicitly warns about risks like LLM rate-limiting leading to uncontrolled flight.
Updated: 2025-12-03

Medium Cost

rfcxml-mcp

by shuji-bonji

Sec9

This MCP server enables structured understanding and analysis of RFC documents by extracting normative requirements, RFC dependencies, definitions, and generating implementation checklists for AI models and human developers.

Setup Requirements

  • ⚠️ Requires Node.js version 20.0.0 or higher.
  • ⚠️ Functions as a Model Context Protocol (MCP) server, requiring an MCP-compatible client (e.g., Claude Desktop, Claude Code) to interact with its tools.

Verified Safe
The server's core function involves fetching public RFC documents from official IETF/RFC Editor sources, which is handled with robust parallel fetching and caching mechanisms. Input validation is supported via tool schemas. No instances of 'eval', obfuscation, hardcoded secrets, or obvious command injection vulnerabilities were found. Network interactions are for accessing public specifications, posing minimal direct risk, though any external network call carries an inherent, minor risk.
Updated: 2026-01-18