Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

0
0
Low Cost
SiinXu icon

devtools

by SiinXu

Sec9

A static website for a Google DevFest workshop about Chrome DevTools MCP Server.

Setup Requirements

  • ⚠️Requires Node.js (for `npm start`) or Python 3 (for `python3 -m http.server`)
Verified SafeView Analysis
The project is a static React application served locally. No dynamic server-side logic, API calls, or sensitive data handling is observed in the provided code. It is generally safe for its intended use, noting that a local HTTP server (Python's `http.server` module) is used for serving files.
Updated: 2025-11-22GitHub
0
0
Medium Cost
DawnReaverWOWS icon

TheFinalDiscordMCP

by DawnReaverWOWS

Sec8

A Discord bot for AI-powered chat, voice TTS, World of Warships stats, moderation, server management, and Model Context Protocol (MCP) integration for AI assistants.

Setup Requirements

  • ⚠️Requires Node.js 18+.
  • ⚠️Requires a Discord bot token and Discord server ID (guildId).
  • ⚠️Voice features require FFmpeg to be available in the environment.
  • ⚠️AI features are optional but highly recommended; they require an OpenRouter API key, though many models are free.
Verified SafeView Analysis
The project demonstrates good security practices, especially in handling external inputs for file paths and URLs. The `read_images` function prevents SSRF by strictly validating and reconstructing Discord CDN URLs. File upload paths are restricted to allowed directories. Network calls to external APIs (e.g., Wargaming, Pollinations.AI) use whitelisted domains. CORS is configured to avoid wildcard origins in non-development environments, explicitly allowing specified origins or private VCN IPs. Command arguments are sanitized, and rate limiting is in place. Overall, a commendable effort in security for a bot interacting with external services and user content. Some areas like more granular input validation for all Discord IDs passed to core Discord.js functions (though Discord.js often handles this internally) could further enhance robustness.
Updated: 2026-01-11GitHub
0
0
High Cost
080bct12alex icon

ChatBot_Development

by 080bct12alex

Sec3

A LangGraph-based AI chatbot with a Streamlit UI, featuring conversation memory, tool integration (search, calculator, stock price), RAG capabilities for document analysis, Multi-Agent Collaboration (MCP), user authentication, and persistent storage.

Setup Requirements

  • ⚠️Requires Google Generative AI API Key (Paid).
  • ⚠️Requires Alpha Vantage API Key (for stock price tool), currently hardcoded in `agent.py` files.
  • ⚠️Requires the Multi-Agent Collaboration (MCP) server `https://alexmcp.fastmcp.app/mcp` to be accessible for MCP tools to function.
  • ⚠️Significant Python dependencies including `langchain`, `langgraph`, `streamlit`, `streamlit-cookies-manager`, `aiosqlite`, `PyPDFLoader`, `FAISS`, `HuggingFaceEmbeddings` (which may download a large model locally), and `langchain-mcp-adapters`.
  • ⚠️Creates and manages a local `vectorstores` directory for FAISS indices, requiring local disk space.
Review RequiredView Analysis
Critical security risks identified: The Alpha Vantage API key is hardcoded in multiple `agent.py` files. More severely, the Streamlit `EncryptedCookieManager` password is hardcoded as `7b9561efc4a6acf95c78285418225434533f70dd609026c8ff9ba1c50a5be6c6` or a placeholder `YOUR_RANDOM_SECRET_KEY_HERE` in `app.py` files. This hardcoded cookie password allows anyone with access to the codebase to decrypt user session data, posing a significant risk of session hijacking and data exposure. Although user passwords are hashed with bcrypt, this cookie vulnerability is critical. External network calls (search, stock, MCP) depend on the security of third-party services.
Updated: 2025-11-29GitHub
0
0
Low Cost
wiznikvibe icon

mcp-cc

by wiznikvibe

Sec2

Exposes basic terminal functionalities like command execution, file creation, and arithmetic operations as tools via Server-Sent Events (SSE) for programmatic interaction, often by AI agents.

Setup Requirements

  • ⚠️Requires `uvicorn` and `starlette` for SSE transport.
  • ⚠️The default workspace `~/repo/mcp-cc/artifacts` must exist and be writable by the server process for file operations to succeed.
  • ⚠️Requires Python 3.13 or newer.
Review RequiredView Analysis
The `run_command` tool uses `subprocess.run(command, shell=True)` directly with user-provided input, creating a critical remote code execution vulnerability. Any client can execute arbitrary system commands. The `create_text_file` tool allows writing arbitrary content to the `DEFAULT_WORKSPACE`, posing risks of file manipulation or overwriting if not tightly controlled, despite basic path traversal mitigation for the filename.
Updated: 2025-12-03GitHub
0
0
Low Cost
Bin4yi icon
Sec7

AI-powered pet care chatbot leveraging an MCP server and LangGraph agent for authenticated access to veterinary tools and pet management.

Setup Requirements

  • ⚠️Requires Python 3.12 or higher
  • ⚠️Requires an Asgardeo account and manual application setup (Client ID, Tenant Name, Redirect URLs, Scopes)
  • ⚠️Requires an OpenAI API Key (a paid service)
Verified SafeView Analysis
The server implements robust JWT token validation using JWKS, and the agent uses OAuth2 Authorization Code Flow with PKCE for secure authentication. Sensitive credentials are correctly managed via environment variables. However, the agent's `aiohttp_cors` is configured with a highly permissive `*` origin allowing credentials, which is a significant security risk for production deployments. Additionally, the `JWTValidator` has a `ssl_verify=False` option (commented as for dev/testing) that, if used in production, would compromise security.
Updated: 2025-12-02GitHub
0
0
Medium Cost
bioanywhere icon

kiko

by bioanywhere

Sec8

A Model Context Protocol (MCP) server that provides onchain tools for AI applications like Claude Desktop and Cursor, enabling them to interact with the Base Network, Coinbase API, and other Web3 protocols.

Setup Requirements

  • ⚠️Requires Coinbase API credentials (API Key Name and Private Key) with sufficient permissions for blockchain interactions.
  • ⚠️Requires a wallet seed phrase (`SEED_PHRASE`) in environment variables for any write operations (e.g., transfers, contract deployments), granting the server full control over the associated wallet.
  • ⚠️Dependent on several external API keys for full functionality: Coinbase Project ID (for onramp), Alchemy API Key (for NFTs), OpenRouter API Key (for credits), Neynar API Key (for Farcaster), and potentially Pinata JWT (for Flaunch, if enabled).
Verified SafeView Analysis
The server's design inherently requires access to sensitive information such as Coinbase API keys (with transaction signing capabilities) and a wallet seed phrase, granting it full control over the associated crypto assets. While the codebase itself leverages established libraries (Viem, AgentKit) and follows good practices for handling these credentials (via environment variables), the primary security risk lies in the user's responsibility to securely manage their environment variables and protect the system running the server. There are no obvious 'eval', command injection, or obfuscation patterns observed directly within the provided source that would introduce additional vulnerabilities beyond the high-privilege nature of its intended function.
Updated: 2025-12-10GitHub
0
0
High Cost
techmad220 icon
Sec9

A Rust-based server for managing short-term and long-term memory, featuring semantic search, memory consolidation, and LLM-powered reasoning capabilities, interacting via MCP protocol.

Setup Requirements

  • ⚠️Requires PostgreSQL 14+ with the pgvector extension installed and enabled.
  • ⚠️Requires Ollama installed and running locally, with the 'nomic-embed-text' model (and potentially a large language model like 'llama3.2') pulled for embeddings and reasoning.
  • ⚠️Correct configuration of environment variables (DATABASE_URL, OLLAMA_URL, EMBEDDING_MODEL, LLM_MODEL) is crucial for functionality.
Verified SafeView Analysis
The server uses Rust, which provides strong memory safety. Database interactions are handled securely with sqlx's parameterized queries, preventing SQL injection. External LLM calls are made to a configurable Ollama endpoint, defaulting to localhost, and URLs are not constructed from unsanitized user input, mitigating command injection risks. No hardcoded sensitive credentials were found; configuration uses environment variables. The primary interaction is via stdio, relying on the invoking process for external network security. The overall design appears robust against common web vulnerabilities.
Updated: 2025-12-14GitHub
0
0
Low Cost
ankit48365 icon

portsage

by ankit48365

Sec10

A basic template for a Python project.

Setup Requirements

  • ⚠️Requires Python environment
Verified SafeView Analysis
The provided source code consists solely of a README and an empty design document. No executable code was available for security analysis, thus no vulnerabilities were detected in the given files.
Updated: 2025-11-21GitHub
0
0
Low Cost
Tasfiul-Hedayet icon

mcp-server

by Tasfiul-Hedayet

Sec7

This server logs authorized client connection events as part of an MCP (Multi-Agent Communication Protocol) system.

Setup Requirements

  • ⚠️Requires Python 3.10 or newer.
Verified SafeView Analysis
The actual server logic (specifically the `server:server.run` function and its event handling) is not provided, making a full security audit impossible. The `record_event` tool accepts a 'message' string, which, if not properly sanitized before logging or display, could lead to log injection or Cross-Site Scripting (XSS) vulnerabilities. No 'eval', obfuscation, hardcoded secrets, or obvious malicious patterns were found in the provided configuration files.
Updated: 2025-11-30GitHub
0
0
Low Cost
Dhruta25 icon
Sec9

The server provides an API for tracking and managing personal expenses, allowing users to add, list, delete, update, and query expense records.

Setup Requirements

  • ⚠️Python 3.10+ required
  • ⚠️fastmcp library needs to be installed (`pip install fastmcp`)
Verified SafeView Analysis
The SQLite database operations use parameterized queries, effectively preventing SQL injection vulnerabilities. No 'eval' or similar dangerous functions are used, and no hardcoded secrets or sensitive network configurations are present. The database path is relative to the script, enhancing portability and security.
Updated: 2025-12-03GitHub
0
0
Low Cost

k8s-build-mcp-wm

by afrmwyattmeng

Sec8

Automates Kubernetes manifest generation for deployable targets (DTs) using Mustache and Helm templates, with parallel execution.

Setup Requirements

  • ⚠️Requires Git with SSH access configured for the 'all-the-things' repository.
  • ⚠️'all-the-things' repository must be pre-cloned and its root path correctly set in the `ALL_THE_THINGS_ROOT` environment variable.
  • ⚠️Absolute paths are mandatory for the `command` and `args` fields within the `~/.cursor/mcp.json` configuration.
Verified SafeView Analysis
The server operates locally and executes build commands (`make k8s_build`). It requires Git with SSH access to the 'all-the-things' repository, which is a standard prerequisite for build systems. No direct 'eval' or obfuscation is indicated. Security considerations are primarily related to the integrity of the 'all-the-things' repository and the standard risks associated with running local build processes.
Updated: 2025-11-19GitHub
0
0
Low Cost
bbbgggrrr icon
Sec8

This server acts as an API wrapper for an existing Reddit comments search service, providing an optional security layer and consistent interface.

Setup Requirements

  • ⚠️Requires an existing Reddit bridge service URL (REDDIT_BRIDGE_URL) to function as it acts as a proxy.
  • ⚠️Deployment is targeted for Vercel, requiring a Vercel account and CLI for setup and deployment.
  • ⚠️The optional MCP_WRAPPER_KEY (X-MCP-KEY header) should be securely generated and configured if API access control is desired.
Verified SafeView Analysis
The server uses environment variables for sensitive data (API keys, URLs), which is good practice. It implements an optional API key for access control (X-MCP-KEY). Input validation is light, primarily passing the request body to an upstream service; thus, the security of the upstream service is critical. No dangerous functions like 'eval' or hardcoded secrets were found within the provided source.
Updated: 2025-12-03GitHub
PreviousPage 526 of 713Next