Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost

mcp-fileop

by yuriyo

Sec8

A stateful MCP server for efficient, memory-mapped file operations, designed for VS Code integration, CLI tools, and web applications requiring streaming and progress updates.

Setup Requirements

  • ⚠️Requires C++20 toolchain (CMake, C++ compiler, vcpkg) for building from source.
  • ⚠️Docker/Docker Compose is highly recommended for simplified setup and running, especially for the streaming server.
  • ⚠️The `allowed_paths` configuration is crucial for security and must be properly set in `config.json` (or `config.docker.json`). If left unconfigured, it defaults to allowing all paths, which is a significant security risk for a file server.
Verified Safe
The server includes critical safeguards like `allowed_paths` configuration and canonical path resolution to prevent directory traversal and restrict file access. However, for the HTTP/SSE implementations (`mcp_stream`), the server binds to `0.0.0.0:8080` and explicitly enables CORS (`Access-Control-Allow-Origin: *`) without built-in authentication or authorization. This makes it vulnerable if exposed to untrusted networks or clients without an external proxy providing security layers. For local or VS Code integration (stdio), these are lesser concerns. No obvious malicious patterns, `eval` usage, or hardcoded secrets were found.
Updated: 2025-12-04

Medium Cost

mcp-x-platform

by Atomic-Germ

Sec9

A Cross-Platform Compatibility Analyzer MCP server that systematically identifies platform-specific code patterns, dependencies, and potential portability issues.

Setup Requirements

  • ⚠️Requires Node.js 18+ runtime environment.
  • ⚠️Requires manual configuration in an MCP client (e.g., Claude Desktop) with an absolute path to the server's entry point.
Verified Safe
The server performs static code analysis, explicitly stating 'No code execution during analysis'. It uses standard AST parsing libraries and operates via stdio, limiting external network exposure. Input validation is in place, and there are no obvious hardcoded secrets or malicious patterns in the provided source code. File system access is typically contained within the project directory for analysis.
Updated: 2025-12-02

Medium Cost

mcp-server

by fawazbayureksa

Sec8

An AI-powered chat interface for business management operations, leveraging natural language processing and external tool calling to interact with business data.

Setup Requirements

  • ⚠️Requires an OpenAI or OpenRouter API key, both of which are typically paid services.
  • ⚠️Requires PHP 8.1+, Composer, Node.js & npm, and a database (MySQL/PostgreSQL/SQLite) for local development and deployment.
  • ⚠️The 'MCP_VALID_KEYS' environment variable must be configured with a secret key for API authentication.
Verified Safe
The server uses Laravel's standard security features, including API key authentication for external access via the 'X-MCP-Key' header. Database interactions are handled through Eloquent ORM, mitigating common SQL injection risks. Input validation is present for tool execution. Dynamic method invocation for tool handlers is controlled by a predefined list of tools, reducing the risk of arbitrary code execution. No direct 'eval' or obvious malicious patterns were found. Proper environment variable management for API keys and general server hardening are crucial for operational security.
Updated: 2025-12-07

Low Cost

mcp-hub

by theinterneti

Sec7

Centralized management and orchestration of diverse Model Context Protocol (MCP) servers for AI agents, enabling advanced tool chaining and context management.

Setup Requirements

  • ⚠️Requires several environment variables to be explicitly set (e.g., GITHUB_TOKEN, database passwords, API keys) for active servers.
  • ⚠️Docker runtime is required for GitHub and Grafana MCP servers, which run as containers.
  • ⚠️The `jq` utility is required for script-based server management (adding/modifying servers).
Verified Safe
The system relies heavily on executing external commands via `npx`, `docker`, and `uvx`, which inherently introduces a supply chain risk if upstream packages or container images are compromised, especially with `@latest` versions or direct Git pulls. While environment variables are correctly externalized and not hardcoded, the 'Code-Mode' feature allows AI agents to execute arbitrary TypeScript code to chain tools. This capability, while powerful, requires careful oversight of agent prompts to prevent unintended or malicious actions. No direct 'eval' or obfuscation was found in the provided source code.
Updated: 2025-12-13

Medium Cost

jess-mcp-server

by Sean-m-e

Sec9

Serves externalized knowledge base and behavioral protocols for a voice agent (Jess v3.33) via an API, supporting multi-client data access.

Setup Requirements

  • ⚠️Requires Node.js >= 18.0.0
Verified Safe
The server uses Express and reads static JSON files. User input for client and resource names is validated against predefined lists, mitigating direct path traversal risks. No 'eval' or other dynamic code execution from user input is observed. The pseudo-code in JSON files is intended for the voice agent, not direct server-side execution. No hardcoded secrets are present in the provided code.
Updated: 2025-11-25

High Cost
Sec6

A Python-based CLI tool for running multi-step web automation workflows in the background using Google ADK agents and Playwright MCP tools.

Setup Requirements

  • ⚠️Requires OpenAI API Key (Paid)
  • ⚠️Requires Node.js and npm for Playwright MCP
  • ⚠️Playwright MCP is installed globally without version pinning (@latest)
Review Required
The demo_insurance workflow contains hardcoded sensitive credentials (username/password) which is a significant security risk if this demo workflow is used in a production or exposed environment. The system uses `npx @playwright/mcp@latest` for installing Playwright MCP globally without version pinning, which can lead to supply chain risks or unexpected breaking changes if a malicious or incompatible update is pushed to `@latest`.
Updated: 2025-12-01

Low Cost

mcp-sdk

by NexusPHP

Sec9

This PHP SDK provides the necessary data structures and message definitions for building both client and server applications that interact using the Model Context Protocol, primarily facilitating communication for large language model (LLM) interactions and data exchange.

Setup Requirements

  • ⚠️Requires PHP version 8.4 or higher.
  • ⚠️Strictly enforces the Model Context Protocol version '2025-11-25'. Any client or server implementing this protocol must adhere to this exact version.
  • ⚠️While the SDK itself has no token cost, applications built using it for LLM interactions (e.g., via `CreateMessageRequest`) will incur variable costs based on the LLM provider and token usage.
Verified Safe
The source code appears to be well-structured and focuses on defining data schemas for the Model Context Protocol. No direct use of dangerous functions like `eval`, `shell_exec`, or `unserialize` was found. Input validation for URIs (`ResourceValidator`) and regex patterns (`StringType`) is implemented, including error handling for regex compilation, which mitigates common injection risks. Classes are `final readonly`, promoting immutability. The `_meta` fields allow arbitrary data, but the SDK merely transports this; responsibility for safe handling of such data lies with the consuming application. Overall, the SDK itself seems robust for its intended purpose of message definition and serialization.
Updated: 2025-12-11

Medium Cost

mcp-redhat-kb

by jeanlopezxyz

Sec9

Provides an AI agent with tools to search the Red Hat Knowledge Base for technical articles and solutions.

Setup Requirements

  • ⚠️Requires Java 21+ to be installed.
  • ⚠️Requires a Red Hat API Offline Token, which must be generated from the Red Hat customer portal.
Verified Safe
The server correctly handles API tokens via environment variables (REDHAT_TOKEN) and avoids hardcoding sensitive information. It implements a basic caching mechanism for access tokens and refreshes them as needed. Network requests use standard HTTPS and configured timeouts. The `execSync` call for `java -version` is for environment checking and does not process user input, posing a minimal risk.
Updated: 2025-12-12

Low Cost

mcp-server

by whhwhh8023-glitch

Sec8

A Rust-based server for querying Ethereum balances and simulating token swap operations.

Setup Requirements

  • ⚠️Rust 1.70+ required
Verified Safe
The server primarily simulates blockchain interactions using hardcoded values, which inherently reduces direct security risks associated with real on-chain operations. Input parsing uses `serde_json`, which is generally safe against injection attacks. Configuration is loaded from environment variables (or defaults), avoiding hardcoded secrets in the source. The basic TCP listener reads requests into a fixed-size buffer (1024 bytes), so larger requests could be truncated, but this doesn't immediately present a buffer overflow vulnerability in Rust. No 'eval' or similar dynamic code execution patterns are observed.
Updated: 2025-11-28

Medium Cost

shopify-mcp-admin

by AntonAndrusenko

Sec9

Manage Shopify store data (products, inventory, content, SEO, collections) programmatically via an MCP interface.

Setup Requirements

  • ⚠️Requires a Shopify Development Store or Partner Store.
  • ⚠️Requires a Custom Shopify App with extensive Admin API scopes (read/write products, inventory, content, online store navigation).
  • ⚠️Requires at least one active location enabled for inventory management for inventory-related tools.
Verified Safe
The server utilizes environment variables for sensitive credentials (SHOPIFY_ACCESS_TOKEN), avoiding hardcoded secrets. Input validation is rigorously enforced using Zod schemas for all tool parameters, significantly reducing injection and unexpected input risks. Error responses are sanitized to prevent leakage of sensitive information. Rate limiting is implemented for Shopify API calls to prevent abuse and throttling. The HTTP transport exposes standard endpoints (/mcp, /health) which require careful deployment (e.g., behind a firewall) but are handled robustly within the application.
Updated: 2025-11-27

Low Cost

This server provides an API for tracking and summarizing personal expenses, allowing users to add entries, list them by date, and get category-wise summaries.

Setup Requirements

  • ⚠️Requires Python 3.11 or newer.
  • ⚠️FastMCP library needs to be installed (e.g., via pip install fastmcp).
Verified Safe
The server uses parameterized SQL queries for all database operations, effectively preventing SQL injection vulnerabilities. There are no obvious signs of 'eval', obfuscation, or hardcoded sensitive secrets. It serves on 0.0.0.0, meaning it's externally accessible if deployed without a firewall, but this is typical for a server. Data is stored locally in an SQLite database, so security relies on the host system's file permissions.
Updated: 2026-01-19

Low Cost

MCP-atom

by codemeasandwich

Sec8

A zero-boilerplate framework for building Model Context Protocol (MCP) servers by automatically discovering, validating, and registering tools, prompts, and resources from JSDoc-annotated files.

Setup Requirements

  • ⚠️Requires Node.js and npm to be installed.
  • ⚠️The default HTTP transport uses a wildcard CORS origin (`*`), which should be configured with specific allowed origins for production security.
  • ⚠️Files within the `register/` directory are dynamically imported and executed; ensure this directory only contains trusted code.
Verified Safe
The server uses `cors({ "origin": "*" })` by default for its HTTP transport, which is acceptable for development and inspector use but should be restricted in production deployments. The core mechanism involves dynamically importing and executing `.js` files from the `register/` directory; thus, the integrity and trustworthiness of content within `register/` are paramount. No obvious hardcoded secrets, `eval`, or command injection vulnerabilities were found in the provided core source code.
Updated: 2025-11-30