Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

Vetted Servers (8554)

Medium Cost

mcp-server

by Sankararao-k

Sec5

Provides a server implementation for Minecraft, likely based on the Minecraft Coder Pack (MCP) for game hosting or development.

Setup Requirements

  • ⚠️Requires Java Development Kit (JDK) installed.
  • ⚠️May require network configuration (e.g., port forwarding) for external access.
Review Required
No source code provided beyond the README.md; unable to perform a comprehensive security audit for 'eval', obfuscation, hardcoded secrets, or malicious patterns. Operating any game server may expose the host to network risks if not properly secured.
Updated: 2025-11-26

Medium Cost

pizza

by bioanywhere

Sec9

A client library to programmatically access news data from thousands of sources, enabling semantic search and content extraction.

Setup Requirements

  • ⚠️Requires a World News API Key (may be paid or require registration).
  • ⚠️Python 3.7+ required for Python client.
  • ⚠️CMake 3.2+, Qt, and a C++ compiler required for C++ client.
Verified Safe
The project consists of API client libraries generated by OpenAPI Generator, which generally adheres to good security practices. It handles API key and OAuth2 authentication flows. No direct signs of malicious code, obfuscation, or hardcoded critical secrets are present in the truncated source code. Security largely depends on how users manage their API keys and OAuth tokens when integrating the library.
Updated: 2025-12-13

Low Cost

An MCP server to integrate with Mercado Livre API, enabling e-commerce management (products, orders, questions, shipments, metrics) via stdio, REST, or WebSocket for AI assistants.

Setup Requirements

  • ⚠️Requires manual creation of a Mercado Livre application and configuration of `Client ID`, `Client Secret`, and `Redirect URI` on the Mercado Livre Developers Portal.
  • ⚠️Requires an OAuth 2.0 flow to obtain `Access Token` and `Refresh Token`, which can be a multi-step process. A helper script `get-tokens.js` is provided, but it contains hardcoded credentials that must be updated by the user.
  • ⚠️Relies on environment variables (e.g., `MCP_MODE`, `ML_CLIENT_ID`, `ML_ACCESS_TOKEN`) which need to be set, typically via a `.env` file.
Verified Safe
The core server code uses `process.env` for credentials, which is good practice. It also includes `try...catch` blocks for error handling in its API endpoints. Input validation schemas are defined with Zod for MCP tools, but the direct application of `.parse()` on all incoming arguments/parameters within server handlers (REST/WebSocket) is not explicitly shown, relying on the internal tool methods to handle types. A utility script `get-tokens.js` hardcodes `CLIENT_ID`, `CLIENT_SECRET`, and `REDIRECT_URI`, which is a security risk if used without modification or exposed.
Updated: 2025-11-22

Low Cost

MCP-Server-Manager

by millsydotdev

Sec6

This project provides tools for managing a server, likely a Minecraft server, with both a Windows GUI and a command-line/scripted approach for installation.

Setup Requirements

  • ⚠️Requires .NET SDK for development and building.
  • ⚠️The GUI component is likely Windows-only.
  • ⚠️Assumes a Minecraft server (or similar 'MCP'-implied server) is the target for management.
Review Required
The project involves server management and includes a shell script, which could pose security risks if not carefully implemented or if it executes untrusted commands. Without code review, specific vulnerabilities cannot be identified.
Updated: 2025-11-23

Medium Cost

postizz-MCP

by oculairmedia

Sec3

An MCP server integrating with the Postiz social media management platform, enabling AI agents to programmatically create posts, manage integrations, and retrieve social media content.

Setup Requirements

  • ⚠️Requires a Postiz API Key for authentication.
  • ⚠️Requires Node.js 18+ (if not using Docker).
  • ⚠️The provided Docker Compose example includes a hardcoded API key, which must be replaced with a secure method of secret management.
Review Required
The provided `compose.yaml` file includes a hardcoded `POSTIZ_API_KEY` in plaintext, which is a critical security vulnerability. While the server code itself implements good practices like origin validation, DNS rebinding protection, and proper API key handling via environment variables, the presence of a hardcoded key in an example configuration encourages insecure practices and compromises security if deployed as is. No use of `eval` or obfuscation was found.
Updated: 2025-12-06

Medium Cost

gcp-mcp

by pogao

Sec9

Enables an LLM to safely query and analyze a Google Cloud Platform (GCP) environment for cloud insights.

Setup Requirements

  • ⚠️Requires Python 3.13+
  • ⚠️Requires Google Cloud SDK installed and configured.
  • ⚠️Requires explicit GCP authentication via `gcloud auth application-default login`.
Verified Safe
The server provides read-only access to GCP resources, significantly reducing destructive potential. Authentication relies on Google Application Default Credentials, a standard and secure mechanism, with no hardcoded secrets found. Error handling for `PermissionDenied` gracefully returns empty data, avoiding sensitive information leakage. The implementation itself appears robust. The primary security consideration is ensuring the GCP credentials used to run the server have the principle of least privilege applied. The 'unsafe SSH exposure' and 'public bucket analysis' are features for security analysis within GCP, not vulnerabilities of the server itself.
Updated: 2025-12-02

Low Cost
Sec9

Provides IT study group and event information from Connpass API as an MCP server.

Setup Requirements

  • ⚠️Requires Connpass API Key (free, but registration with Connpass is required)
  • ⚠️Requires Python 3.12 or higher
  • ⚠️Setup instructions use `uv` as the package manager
Verified Safe
The project adheres to good security practices by loading the Connpass API key from environment variables (CONNPASS_API) rather than hardcoding it. It uses the `httpx` library for secure HTTP requests to a known API endpoint (connpass.com). There are no visible uses of `eval`, `exec`, or direct shell commands with unsanitized user input. The internal rate limiting further mitigates potential abuse or accidental overloading of the external API.
Updated: 2025-12-14

High Cost

site-fit-mcp-server

by puran-water

Sec2

MCP server for constraint-based site layout optimization of wastewater/biogas facilities, generating diverse layouts while respecting engineering rules and process topology.

Setup Requirements

  • ⚠️Requires Python 3.11+.
  • ⚠️Optional features like GIS file loading, DXF export, and PDF generation require additional `pip install` commands (e.g., `pip install 'site-fit-mcp[gis]'` for GIS support).
  • ⚠️When running in HTTP mode with viewer (`site-fit-serve`), it requires `uvicorn` and `fastapi`.
Review Required
CRITICAL: The `sitefit_load_gis_file` tool directly passes a user-controlled `file_path` to `fiona.open` without sanitization. This allows for arbitrary file read vulnerabilities (e.g., path traversal like `../../../etc/passwd`).
CRITICAL: The `sitefit_export_pack` tool accepts a user-controlled `output_dir` for writing generated files (e.g., DXF, PDF, CSV). This allows for arbitrary file write vulnerabilities (e.g., path traversal to write to sensitive system directories).
LOW RISK: The `rules_override` parameter in `sitefit_generate` is passed to `yaml.safe_load` for merging into the RuleSet. While `safe_load` mitigates many YAML deserialization attacks, it's not entirely immune, especially with older `PyYAML` versions or complex gadget chains. User-controlled input to a YAML parser is generally discouraged if the parser is not fully sandboxed.
Updated: 2026-01-10

High Cost

jedi-mcp

by blueorbitz

Sec8

Converts technical documentation websites into Model Context Protocol (MCP) servers, enabling AI coding assistants to access detailed framework, library, API, SDK, and language documentation during development.

Setup Requirements

  • ⚠️Requires Python 3.10 or higher.
  • ⚠️Requires a Google Gemini API key or AWS Bedrock credentials (paid AI services are used extensively).
  • ⚠️Browser-based navigation extraction (required for some sites like Microsoft Learn or those with JavaScript-rendered navigation) depends on Playwright, which needs its browsers installed after `pip install playwright`.
Verified Safe
The project demonstrates good security practices for web crawling (rate limiting, URL validation, external link filtering) and AI API key management (environment variables, no hardcoded secrets, parameterized SQL queries). The use of Playwright for headless browser automation (to handle JavaScript-rendered content) inherently carries a risk of executing JavaScript from crawled sites; however, this is mitigated by robust URL filtering and strict adherence to documentation-specific content.
Updated: 2025-12-25

Low Cost

dataforseo-mcp

by pawneetdev

Sec9

This server acts as a Model Context Protocol (MCP) adapter, exposing DataForSEO's Research Toolkit API to Claude Desktop as automatically generated tools for SEO research tasks.

Setup Requirements

  • ⚠️Requires DataForSEO API username and password to be configured in a .env file.
  • ⚠️The 'generate_registry.py' script must be run first to create the necessary tool registry and endpoint files before starting the server.
  • ⚠️Requires Python 3.13 or newer.
Verified Safe
Credentials are loaded from environment variables (.env file) and not hardcoded, which is good practice. The server interacts with external APIs (DataForSEO, GitHub for OpenAPI spec), which is standard for its function. No 'eval' or obvious malicious patterns were found in the provided code snippets. Logging is directed to stderr to avoid interfering with stdout JSON-RPC communication.
Updated: 2025-11-25

Medium Cost

mcp-chess-server

by AshGhimire

Sec9

Provides access to Chess.com player data for profiles and statistics through an MCP server.

Setup Requirements

  • ⚠️Requires Python 3.14 or higher (this is a future Python version and not yet released, meaning it cannot be run on current stable Python versions like 3.8-3.12).
  • ⚠️Requires the `uv` package manager (or `uvx` executable) to be installed for running via the provided MCP configuration.
Verified Safe
The server acts as a wrapper for the public Chess.com API. It uses the `requests` library with `raise_for_status()` for error handling. No hardcoded secrets, `eval()` calls, or obvious malicious patterns were found. The 'User-Agent' string is slightly malformed ('moizillla' instead of 'mozilla'), which is a minor stylistic issue but not a security vulnerability.
Updated: 2026-01-17

Medium Cost
Sec9

An MCP server providing an AI agent with tools to ingest content, search a knowledge base, and log completion results for an educational context.

Setup Requirements

  • ⚠️Requires Node.js 20.18.0
  • ⚠️The 'ingest_content', 'search_content', and 'log_completion_result' tools are currently stubs and require a separate backend implementation for full functionality.
Verified Safe
The server uses Express.js and Zod for schema validation, which are good practices. Error handling for MCP requests is present. There are no obvious signs of 'eval' usage, hardcoded secrets, or malicious patterns. The `TODO` comments indicate that actual backend integrations (for ingest, search, log) are pending, and their security would depend on their implementation. General web security practices (e.g., HTTPS, rate limiting) would be needed for production deployment, but the provided code itself is robust.
Updated: 2025-12-02