Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Medium Cost

renfe_mcp_server

by SaberMaple1

Sec9

Access real-time Spanish Renfe train schedules and live prices using web scraping and GTFS data.

Setup Requirements

  • ⚠️Requires Python 3.12 or later.
  • ⚠️Requires an active internet connection to fetch live data and GTFS updates.
  • ⚠️API Key is required for authentication if enabled (can be generated using `python -m renfe_mcp.security generate-key`).
Verified Safe
The server implements strong security measures including URL whitelisting, HTTPS enforcement, response size limits, and robust Zip Slip prevention for GTFS data updates. API keys are managed securely via environment variables or hashes. Rate limiting is also in place to prevent abuse. No 'eval' or obvious malicious patterns found. The use of json5.loads for DWR responses relies on the integrity of the Renfe API output, which is generally considered safe for this specific integration.
Updated: 2026-01-19

Medium Cost
Sec9

Retrieve and analyze cryptocurrency market data from various exchanges for trading bots, AI agents, and analytics dashboards.

Setup Requirements

  • ⚠️Requires an active internet connection to fetch real-time and historical market data from external cryptocurrency exchanges.
  • ⚠️Dependencies listed in requirements.txt (FastAPI, uvicorn, ccxt, pandas, pydantic, prometheus_client) must be installed.
Verified Safe
The project demonstrates good security practices including input validation (exchange/symbol), retry logic for external API calls, comprehensive error handling to prevent exposing raw stack traces, and reliance on the reputable CCXT library for exchange interactions. It does not contain obvious dangerous patterns like 'eval', 'exec', or hardcoded secrets. The configuration parameters (HOST, PORT, CACHE_TTL, etc.) are not sensitive, and while not explicitly using `os.getenv` in the provided `config.py` snippet, Pydantic's BaseSettings typically allows environment variable overrides for these types of settings.
Updated: 2025-12-06

Medium Cost

ai-fit-tracker

by zitaharry

Sec9

A fitness tracking mobile and web application built with Expo and React Native, utilizing Sanity as a headless CMS and Clerk for user authentication.

Setup Requirements

  • ⚠️Requires Clerk account setup for authentication, involving API key configuration (typically as environment variables like EXPO_PUBLIC_CLERK_PUBLISHABLE_KEY).
  • ⚠️Requires a Sanity CMS project (as configured with projectId '3wfl5398' and dataset 'production') with 'exercise' and 'workout' schemas defined.
  • ⚠️Requires a Node.js and Expo development environment for local development and build processes.
Verified Safe
The application leverages Clerk for robust user authentication (email/password, Google SSO) and Sanity for content management, both of which are established, secure third-party services. No obvious hardcoded secrets or malicious code patterns are found in the provided source. Sanity project IDs and dataset names are publicly exposed in configuration, which is standard for Sanity. While a large dependency tree always presents a theoretical supply chain risk, no specific vulnerabilities are identified within the given files. The commented-out email verification UI in `sign-up.tsx` indicates an incomplete client-side implementation detail but does not expose a security vulnerability as Clerk handles the backend verification process.
Updated: 2025-12-13

High Cost

mcp-ocr-server

by Ricardo-M-L

Sec4

Provides a production-grade OCR server for text recognition from images, featuring intelligent preprocessing and integration with the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires manual installation of system dependencies (Tesseract OCR 4.0+, OpenCV 4.5+, pkg-config, and Tesseract language packs) specific to the operating system (macOS/Homebrew, Ubuntu/apt, CentOS/yum). Automated scripts are provided but still require elevated permissions.
  • ⚠️CGo-based compilation for GoCV and Gosseract can lead to complex build environments and potential linking issues with C/C++ system libraries if `PKG_CONFIG_PATH` or dynamic library paths are not correctly configured.
  • ⚠️The `TESSDATA_PREFIX` environment variable might need to be explicitly set to the Tesseract language data directory for the OCR engine to locate required files, overriding default system paths or configuration.
Review Required
The `ocr_recognize_text` and `ocr_batch_recognize` tools accept `image_path` as an argument, which, if not properly validated or constrained by the calling MCP client, could allow the server to read arbitrary local files (Local File Inclusion). This poses a significant risk if the server is exposed to untrusted input or is not run in a strictly sandboxed environment. No explicit 'eval' or obfuscation was found, nor were hardcoded secrets detected in the provided code snippets.
Updated: 2025-12-01

Low Cost

MyMcpServer

by viktortat

Sec8

A C# project template for building and publishing self-contained Model Context Protocol (MCP) servers as NuGet packages, enabling AI assistants like Copilot Chat to use custom tools.

Setup Requirements

  • ⚠️Requires .NET SDK for local development.
  • ⚠️Publishing to NuGet.org requires a NUGET_API_KEY and a NuGet.org account.
  • ⚠️Requires specific IDE configuration (.mcp.json or .vscode/mcp.json) to integrate with Copilot Chat.
  • ⚠️The template is currently in an early preview stage, which may imply instability or changing APIs.
Verified Safe
No direct application code was provided for the MCP server implementation. The `publish.sh` script securely handles the `NUGET_API_KEY` by loading it from a `.env` file, preventing hardcoding. No `eval`, obfuscation, or apparent malicious patterns were found in the provided documentation or build scripts. The overall security of the MCP server would depend on the specific C# logic implemented by the developer using this template.
Updated: 2025-12-22

Low Cost

expense-tracker-mcp-server

by manojkumarjanapati

Sec10

This repository contains various Data Structures and Algorithms implementations in Java for learning and practice purposes.

Setup Requirements

  • ⚠️Java Development Kit (JDK) required
Verified Safe
The provided source code consists purely of Data Structures and Algorithms implementations. There are no indications of network interactions, file I/O, use of 'eval' equivalents, hardcoded secrets, or any other patterns that could pose a security risk in a server context. The repository name 'expense-tracker-mcp-server' is misleading given the content, which is an academic collection of DSA examples.
Updated: 2026-01-19

Medium Cost

MCP_SERVER

by AnuruddhaPaul

Sec9

Retrieves and cleans official documentation for specified AI/Python ecosystem libraries using web search and LLM-based content extraction.

Setup Requirements

  • ⚠️Python 3.11+ is required.
  • ⚠️Requires 'uv' package manager to be installed.
  • ⚠️Requires `SERPER_API_KEY` (Serper.dev is a paid API for Google-like search).
  • ⚠️Requires `GROQ_API_KEY` (Groq API for LLM cleaning, which incurs costs).
Verified Safe
API keys for Serper.dev and Groq are loaded from environment variables via `python-dotenv`, not hardcoded. The server makes external HTTP requests to Serper API and specified documentation domains using `httpx`. HTML content fetched from external sources is processed, but `trafilatura` and an LLM are employed for cleaning and extraction, which helps mitigate direct HTML injection risks. No `eval` or other inherently dangerous functions were found in the provided source code. The primary remaining risk relates to the reliability and security of external APIs and the content fetched from the web, which is intrinsic to the tool's function.
Updated: 2025-12-01

Low Cost

Mcp-Server

by Pavel-K-Group

Sec3

Facilitates integration of modular AI tools with client applications using the Model Context Protocol, specifically for productivity and task management within a 'Timelix' context.

Setup Requirements

  • ⚠️Requires an external PostgreSQL database with specific schema (e.g., 'Timelix').
  • ⚠️Requires Telegram Bot Token and Chat ID to use the `sendTelegramMessage` tool.
  • ⚠️Relies on external authentication/authorization for `userId`, `agentId`, and `todoListId` provided via query parameters; insecure if exposed directly to untrusted clients.
Verified Safe
The server relies on client-provided `userId`, `agentId`, and `todoListId` in query parameters for establishing session context, which are then used directly in database queries for data filtering and ownership (`eq(block.userId, userId)`). There is no explicit in-code validation or authentication of these IDs against a trusted source (like an `mcp_access_tokens` table) during session establishment shown in `main.ts`. This means an unauthenticated client could potentially impersonate any user or access/modify unauthorized data by supplying arbitrary IDs if the server is exposed publicly without a robust authentication layer in front. Additionally, CORS is configured with `origin: '*'`, allowing requests from any domain, which is broad for a publicly exposed API. Hardcoded secrets are avoided by using environment variables. Database operations use Drizzle ORM, which helps prevent SQL injection.
Updated: 2025-12-14

Medium Cost
Sec7

An MCP server to connect Claude Desktop to the Jotty REST API, enabling language models to interact with user checklists and notes.

Setup Requirements

  • ⚠️Requires a running Jotty REST API instance for data operations.
  • ⚠️Requires `JOTTY_API_KEY` (for Jotty API) and `API_KEY` (for MCP server HTTP transport) environment variables to be set.
  • ⚠️Node.js 20+ is required, as specified in `package.json`.
Verified Safe
Secrets (JOTTY_API_KEY, API_KEY) are correctly handled via environment variables and Zod validation, preventing hardcoding. The default CORS_ORIGIN is set to '*' for HTTP transport, which is overly permissive for production environments and should be restricted. Sensitive request bodies and response data are logged directly to console, which could expose user data if logs are not secured. Error stack traces are also logged, which can reveal internal server paths. No 'eval' or obvious malicious patterns were detected.
Updated: 2026-01-13

Low Cost
Sec4

A remote Model Context Protocol (MCP) server deployed on Cloudflare Workers to expose simple arithmetic tools without requiring authentication.

Setup Requirements

  • ⚠️Requires a Cloudflare account and configured `wrangler` CLI for deployment.
  • ⚠️The server is 'authless'; publicly deploying it means anyone can use the exposed calculator tools.
Verified Safe
The server is explicitly designed to be 'authless', meaning it lacks any authentication or authorization mechanisms for its tools. While acceptable for a public demo calculator, deploying this server publicly would allow anyone with the URL to invoke its arithmetic functions without restriction. There are no obvious malicious patterns or usage of `eval` in the provided source code, and division by zero is handled in the calculator logic. The primary security risk stems from the inherent 'authless' nature if deployed in a context requiring access control.
Updated: 2025-11-25

Medium Cost

MCP-Client-Cli

by SouravMishra-MS

Sec7

A command-line client for interacting with Model Context Protocol (MCP) servers, enabling AI-powered tool calling and multi-turn conversations.

Setup Requirements

  • ⚠️Requires Python 3.13+
  • ⚠️Azure OpenAI API credentials (endpoint, API key, deployment name) required for LLM interaction (paid service)
  • ⚠️External dependencies installed via `uv` or `pip`
Verified Safe
The client stores LLM API keys in local JSON files (`llms.json`), which users must treat as sensitive and secure appropriately. It logs activity, potentially including query and response content, to a local file (`logs/mcp_client.log`); care should be taken to avoid logging sensitive data. The client's functionality includes executing arbitrary local scripts (Python/Node) or npm packages (`npx`) as stdio MCP servers. This introduces a risk if users point the client to unvetted or malicious server code, as this client facilitates the execution on the user's local machine. No direct `eval` or `exec` on user input is observed within the client's own code.
Updated: 2026-01-19

Medium Cost

nowledge-mem

by Reneeviolent774

Sec1

Manages and tracks different contexts and memories, potentially within the scope of AI interactions or knowledge graphs.

Setup Requirements

  • ⚠️Requires running an unverified executable downloaded from a raw GitHub link, posing a significant security risk.
Review Required
The repository's README instructs users to download and execute an untrusted '.zip' file directly from a raw GitHub link. This is an extremely dangerous practice as it encourages running arbitrary, unscreened code. Without auditing the contents of the '.zip', its safety cannot be guaranteed, and it poses a significant malware risk. The provided Python snippet itself is benign, but it is not the application being distributed or an 'MCP Server'.
Updated: 2026-01-19