Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Medium Cost

refinas-ai

by JoaoFPedro

Sec8

An intelligent agent server for Jira that automates user story analysis, refinement, and story point assignment to ensure development readiness.

Setup Requirements

  • ⚠️Requires Node.js v18+.
  • ⚠️Requires an Atlassian Jira account with an API token (Jira subscription may be paid).
  • ⚠️Requires Visual Studio Code with GitHub Copilot or Claude Desktop as the AI client.
  • ⚠️Jira credentials must be securely configured in a `.env` file and not committed to version control.
Verified Safe
The server uses environment variables for sensitive Jira credentials (host, email, API token), which is good practice. It explicitly warns against committing `.env` files. There is no `eval` or obvious code obfuscation. Network communication is with the Jira API over HTTPS. Input schemas for tools are defined by the MCP SDK. The primary security risk lies in user misconfiguration (e.g., granting overly broad API token permissions or improper handling of the `.env` file).
Updated: 2026-01-17

Low Cost

ai-mcp-server-base

by CrispyCabot

Sec7

Provides a base server for building AI Microservice Orchestration applications using FastMCP and FastAPI, featuring tools and resources for AI agents.

Setup Requirements

  • ⚠️Requires Python 3.14.2 (other versions may work)
  • ⚠️Requires `mcp` CLI if running with the developer inspector
  • ⚠️Requires a PostgreSQL database for full, non-mocked functionality
Verified Safe
The default DB_DSN is a placeholder and not a hardcoded secret. No 'eval' or obfuscation found. The `query_sample_db` tool, when connected to a real database (bypassing the current mock), directly executes SQL queries provided as input. This poses a potential SQL injection vulnerability if the 'query' parameter originates from untrusted user input or an inadequately guarded AI agent, as there is no input sanitization within the tool itself. The project explicitly states it's a 'base' and 'sample', indicating that production hardening would be necessary for such functions.
Updated: 2026-01-18

Medium Cost

LOLBAS-MCP

by malwaredetective

Sec9

Provides an MCP interface for Large Language Models to query the LOLBAS Project API for living-off-the-land binaries and scripts, facilitating automated threat intelligence gathering.

Setup Requirements

  • ⚠️Requires Python 3.11+.
  • ⚠️Requires an MCP Client to be installed and configured to interact with the server via STDIO.
  • ⚠️Requires internet access to the LOLBAS Project API.
Verified Safe
The server securely fetches data from a public, well-known API (LOLBAS Project) using standard HTTP requests with SSL verification. There is no evidence of dynamic code execution (e.g., 'eval', 'exec'), injection vulnerabilities, or hardcoded secrets. Input parameters are used for data filtering, not command construction. The server operates locally via STDIO, minimizing network attack surface. The primary external risk would be a compromise of the LOLBAS API itself.
Updated: 2025-11-21

Medium Cost

NeatNote-MCP-Server-Using-Gradio

by HarshavardhanaNaganagoudar

Sec5

Transforms unstructured text notes into organized, summarized, and exportable knowledge using AI for semantic clustering and summarization.

Setup Requirements

  • ⚠️Requires Node.js/npm for `npx`.
  • ⚠️Requires Claude to be configured with MCP tools enabled and the provided server configuration added to the Claude config file.
  • ⚠️Dependent on an external Gradio server hosted on Hugging Face Spaces, which must be online and functioning.
Verified Safe
The provided source code is solely the `README.md`. The actual server logic resides on a remote Gradio instance hosted on Hugging Face Spaces, and its internal implementation is not available for audit. The `npx mcp-remote` command establishes an outbound connection to this external service, meaning the overall security heavily relies on the trustworthiness and security practices of the remote Gradio server. No immediate client-side vulnerabilities like `eval` or hardcoded secrets for local execution are present in the provided `README.md`.
Updated: 2025-11-20

Low Cost

artmcp

by ArthurDanjou

Sec8

An MCP server for exposing personal professional profile data, projects, skills, and real-time activity information via API endpoints.

Setup Requirements

  • ⚠️Requires Node.js 18+ or Bun
  • ⚠️Requires pnpm 10.12.1+
  • ⚠️External API integrations (Discord, WakaTime, UptimeKuma) require respective API keys/IDs to be set in environment variables for full functionality.
Verified Safe
The server leverages environment variables for sensitive API keys, a good security practice. Data fetching uses `@nuxt/content` for local files and `$fetch` for external APIs (Lanyard, WakaTime, wttr.in, UptimeKuma), with input validation via Zod for tools, minimizing direct injection risks. Caching is extensively used. No 'eval' or malicious patterns were identified. Security largely depends on the integrity of the integrated external APIs and proper configuration of environment variables.
Updated: 2025-12-14

High Cost

fetch2md

by markryanbotha

Sec8

Fetches website content and converts it to clean markdown format.

Setup Requirements

  • ⚠️Requires Node.js runtime environment.
  • ⚠️Requires 'pnpm' package manager for installation and building.
  • ⚠️Requires a TypeScript build step (pnpm build) to generate JavaScript output before running the server.
Verified Safe
The server fetches content from arbitrary URLs specified by the 'url' parameter. While input validation (z.string().url()) is used, this functionality inherently carries a risk of Server-Side Request Forgery (SSRF) if the server is exposed to untrusted users without additional network restrictions or URL whitelisting. No 'eval' or other direct code execution vulnerabilities were found. HTML parsing and markdown conversion mitigate some content injection risks in the output.
Updated: 2025-11-18

High Cost

threat-intel-mcp

by marc-shade

Sec9

Aggregates threat intelligence from multiple sources to provide reputation checks and threat detection for an Agentic System.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️Designed to run within the Agentic System's path structure (defaulting to /opt/agentic/mcp-servers/threat-intel-mcp/data).
  • ⚠️Requires optional API keys (VirusTotal, AbuseIPDB, Shodan, OTX) for full enhanced functionality.
Verified Safe
The server makes external HTTP/HTTPS calls to various threat intelligence providers (e.g., VirusTotal, AbuseIPDB, Shodan, CISA KEV, ThreatFox) as its core function. These are handled asynchronously with proper error handling. API keys are loaded from environment variables. No 'eval' or obvious malicious patterns found. The dashboard component is a Flask web server, introducing standard web security considerations, but primarily fetches cached data.
Updated: 2025-12-30

High Cost
Sec7

Parses WeChat articles to extract full content, including text, images, and videos, with support for batch processing and local saving.

Setup Requirements

  • ⚠️Requires Chrome browser installed.
  • ⚠️Requires stable network connection for ChromeDriver download and web scraping.
  • ⚠️Python 3.10+ required (as per pyproject.toml).
  • ⚠️Only officially supports macOS 10.15+ (as per README for environment, though Python/Selenium might work on other OS).
Verified Safe
The server performs web scraping on user-provided URLs using Selenium, which inherently carries risks such as resource exhaustion, IP blocking, or exposure to malicious external content. The `install_dependencies.sh` script uses `curl | sh` for `uv` installation, which can be a security concern if the `uv` script source is compromised. However, the server itself does not contain obvious code execution vulnerabilities, hardcoded secrets, or path traversal issues in its file-saving function. It is intended for research and personal use as stated in the README, implying the user is aware of scraping implications.
Updated: 2025-11-19

Medium Cost
Sec7

Provides a Model Context Protocol (MCP) server for accessing SNOMED CT terminology services, enabling AI models to interact with SNOMED CT data.

Setup Requirements

  • ⚠️Requires Node.js 20 or later.
  • ⚠️For local use with Claude Desktop, requires manual configuration of `claude_desktop_config.json` with an absolute path to the compiled server.
  • ⚠️Cloudflare Workers deployment requires `wrangler` CLI and Cloudflare authentication.
  • ⚠️The SNOMED CT API base URLs are hardcoded in the source, requiring code modification for changes.
Verified Safe
The server hardcodes SNOMED CT API base URLs, including a specific IP address, rather than making them configurable via environment variables. While these are public endpoints, hardcoding can pose a risk if the IP changes ownership or becomes untrustworthy without a code update. The Cloudflare Worker implementation uses wide-open CORS headers ('Access-Control-Allow-Origin: *') which is typical for public APIs but should be considered if the server were to handle authenticated or sensitive data (which it doesn't appear to do). No obvious 'eval' or other direct code injection vulnerabilities were found. Robust error handling and JSON content type validation are implemented to prevent common issues.
Updated: 2025-11-23

Medium Cost
Sec1

Provides a server for manual command and control operations, possibly implementing a specific protocol.

Review Required
No source code was provided for analysis. Therefore, it is impossible to identify security risks such as 'eval' usage, obfuscation, network vulnerabilities, hardcoded secrets, or malicious patterns. The security score reflects this complete lack of visibility, making it impossible to guarantee safety.
Updated: 2026-01-17

Medium Cost

nest-mcp-server

by jhenbertgit

Sec2

A NestJS server implementing the Model Context Protocol (MCP) to expose developer tools to AI agents via HTTP or standard I/O, supporting real-time streaming of tool outputs.

Setup Requirements

  • ⚠️Requires pnpm for package management.
  • ⚠️Requires Node.js 18+.
  • ⚠️The /register, /authorize, and /token endpoints are mock implementations and provide no actual security; MUST be replaced with real authentication for production use.
Review Required
CRITICAL VULNERABILITY: The `filereader` tool (src/tools/filereader/filereader.service.ts) is susceptible to path traversal. It uses `fs.readFile` directly with user-provided `path` input without sufficient validation or restriction. An attacker can read arbitrary files on the server (e.g., `/etc/passwd`, `../../.env`).

NETWORK RISKS:
  • CORS is enabled for all origins (`origin: '*'`), which is insecure for production environments.
  • The `/register`, `/authorize`, and `/token` endpoints are explicitly mock implementations, providing no real authentication or authorization. Deploying this server publicly without a robust external authentication layer would be highly insecure.
  • The `file-search` tool, while using `glob`, operates with `cwd: '.'` and could be leveraged for information disclosure (e.g., listing sensitive files outside intended scope) if patterns are not adequately restricted, though less critical than arbitrary file read.
Updated: 2025-12-01

Low Cost
Sec9

Provides a set of geographical and mapping functionalities as an MCP (Model Context Protocol) service, typically consumed by AI agents, by wrapping Google Maps API calls.

Setup Requirements

  • ⚠️Requires a Google Maps API Key (Paid service).
  • ⚠️Requires a Node.js environment (v18 or higher as per SDK dependencies).
  • ⚠️Built upon the '@geniusagents/mcp' framework, implying integration into that ecosystem.
Verified Safe
The server demonstrates good security practices by externalizing API keys to environment variables or an API Key Manager, preventing hardcoding. Input validation is performed using Zod schemas and additional runtime checks for parameters like radius. Error handling is present to catch issues during API execution. All external API calls use HTTPS to Google Maps. No 'eval' or malicious patterns were identified.
Updated: 2025-11-20