Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

49
65
Medium Cost
dnnyngyen icon

iron-manus-mcp

by dnnyngyen

Sec9

Orchestrates AI workflows with an 8-phase control flow and focused tools, acting as a Model Context Protocol (MCP) server for complex project management.

Setup Requirements

  • ⚠️Requires Node.js 20+ runtime environment.
  • ⚠️Requires a Python 3+ installation with data science libraries (e.g., pandas, numpy, scikit-learn, requests, beautifulsoup4) for computational tasks.
  • ⚠️Network access to external APIs may be required, subject to ALLOWED_HOSTS configuration.
Verified SafeView Analysis
The server demonstrates strong security practices including explicit Server-Side Request Forgery (SSRF) protection with allowlists, robust input validation using Zod schemas, and a Python code validator to sanitize user-provided scripts, mitigating common injection risks. It relies on environment variables for configuration, avoiding hardcoded secrets, and includes a runtime protection mechanism to remove legacy, potentially insecure JSON files. The inherent risk of executing arbitrary (albeit sanitized) Python code and making external API calls is managed but cannot be entirely eliminated.
Updated: 2026-01-19GitHub
49
51
Medium Cost
iceener icon
Sec8

This server allows Language Models (LLMs) to interact with Linear.app, managing issues, projects, teams, cycles, and comments through a streamable HTTP Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires Bun or Node.js 24+ and a Linear.app account.
  • ⚠️For 'Local (API key)' setup, a Linear Personal Access Token (`BEARER_TOKEN`) is required.
  • ⚠️For 'Local + OAuth' setup, requires creating a Linear OAuth application and configuring `PROVIDER_CLIENT_ID`, `PROVIDER_CLIENT_SECRET`, `OAUTH_SCOPES`, `OAUTH_REDIRECT_URI`, and `OAUTH_REDIRECT_ALLOWLIST`.
  • ⚠️For production deployments, `RS_TOKENS_ENC_KEY` is highly recommended for encrypted token storage to prevent tokens from being stored in plaintext.
Verified SafeView Analysis
The codebase demonstrates good security practices including AES-256-GCM encryption for token storage (using Web Crypto API or Node.js crypto), secure file permissions (0o600 for files, 0o700 for directories), and input validation. It implements origin and protocol version validation for MCP requests. The README explicitly warns about hardening for production deployments, indicating awareness of remaining responsibilities for the deployer. Sensitive data redaction is also applied in logging. A key risk factor is if `RS_TOKENS_ENC_KEY` is not provided in production, leading to unencrypted token storage (which the server warns about).
Updated: 2026-01-14GitHub
49
93
Low Cost
wanaku-ai icon

wanaku

by wanaku-ai

Sec4

Centralized routing and management of AI agent access to diverse tools and resources via the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires a running Keycloak instance for all authentication and authorization.
  • ⚠️The default 'exec' tool can execute arbitrary system commands; extreme caution is advised, and it should be disabled or tightly controlled in production.
  • ⚠️Building custom capabilities (tools/resource providers) often requires familiarity with Apache Camel and gRPC development.
Review RequiredView Analysis
The 'exec' tool, available by default, allows arbitrary command execution without input validation, posing a severe remote code execution risk. Proper OIDC authentication with Keycloak is implemented, but requires careful configuration (e.g., enabling TLS verification in production). Secret encryption at rest is supported but must be explicitly enabled with environment variables.
Updated: 2026-01-14GitHub
48
47
Medium Cost
mcp-use icon

mcp-use-cli

by mcp-use

Sec4

An interactive command-line interface (CLI) tool for connecting to and interacting with Model Context Protocol (MCP) servers using natural language, acting as an AI client that orchestrates LLM responses with external tools.

Setup Requirements

  • ⚠️Requires API keys for chosen LLM providers (e.g., OpenAI, Anthropic, Google), most of which are paid services.
  • ⚠️For local MCP servers, execution relies on `npx` (Node.js Package Executor) and specific `@modelcontextprotocol/*` packages, which might be auto-installed but incur runtime dependencies.
  • ⚠️The `mcp-use` core dependency lists Node.js >=22.0.0 as an engine requirement, potentially conflicting with the CLI's own Node.js >=16 requirement.
Review RequiredView Analysis
The CLI stores API keys and server configurations in a local file (`~/.mcp-use-cli/config.json`) with client-side encryption. However, the encryption key is deterministically derived from hardcoded strings, making it vulnerable to decryption by anyone with access to the source code. A critical risk lies in the core functionality allowing users to add 'Local Server' configurations that specify arbitrary commands and arguments (e.g., `npx @modelcontextprotocol/server-filesystem`). While intended for tool integration, this design means that loading a malicious server configuration could lead to arbitrary code execution on the user's machine, requiring users to fully trust the source of all added MCP server configurations. Telemetry is collected via Scarf, with opt-out options.
Updated: 2025-11-24GitHub
48
73
Medium Cost
Qoyyuum icon
Sec8

Allows AI assistants to control MetaTrader 5 terminal for trading operations and market data analysis.

Setup Requirements

  • ⚠️Requires MetaTrader 5 terminal installed on Windows.
  • ⚠️Python 3.11 or higher is required.
  • ⚠️The 'uv' package manager is recommended for dependency management and running the server.
Verified SafeView Analysis
The server primarily acts as a bridge to a local MetaTrader 5 terminal. It uses environment variables (loaded via python-dotenv) for its own transport configuration, which is a good practice. Input to trading tools (like order_send) is validated using Pydantic models. There are no obvious signs of 'eval', obfuscation, or malicious network patterns. The server can run in stdio mode (default, generally safer for local client interaction) or HTTP mode (configurable to localhost for development). The primary security risk lies in improper usage by the end-user (e.g., connecting to live trading accounts without robust risk management, exposing the HTTP endpoint publicly) rather than inherent code vulnerabilities. The test_client.py has hardcoded fallback credentials, but this is for a test script and not the main server runtime logic.
Updated: 2026-01-19GitHub
48
116
Medium Cost
MariaDB icon

mcp

by MariaDB

Sec9

Provides a Model Context Protocol (MCP) interface for managing and querying MariaDB databases, supporting standard SQL operations and advanced vector/embedding-based search for AI assistants.

Setup Requirements

  • ⚠️Requires a running MariaDB server instance.
  • ⚠️Requires Python 3.11 or newer.
  • ⚠️If embedding features are enabled (`EMBEDDING_PROVIDER` is set), requires API keys for OpenAI/Gemini (paid services) or a configured HuggingFace model which might involve large model downloads.
  • ⚠️For network transports (SSE/HTTP) outside localhost, authentication needs to be explicitly configured for security (not provided by default, but FastMCP supports it).
Verified SafeView Analysis
The server implements strong security practices by explicitly disabling 'MULTI_STATEMENTS' in database connections to prevent SQL injection, as verified by automated tests. It uses parameterized queries for user-supplied values and validates database/table names using `isidentifier()` before string interpolation. A configurable read-only mode restricts write operations. CORS and Trusted Host middleware are used for HTTP transports, and sensitive credentials are loaded from environment variables or .env files, not hardcoded. No 'eval' or similar dangerous functions are found.
Updated: 2026-01-05GitHub
48
303
Medium Cost
tinystruct icon

tinystruct

by tinystruct

Sec3

Provides a framework for building and interacting with AI models, managing tools, data resources, and prompts via the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires Java Runtime Environment (JRE/JDK).
  • ⚠️Requires careful management of the `mcp.auth.token` for secure server access.
  • ⚠️Potential dependency on Redis for distributed locking (`DistributedRedisLock.java`) or other data storage (`tinystruct.data`) which may need to be running and configured.
Review RequiredView Analysis
CRITICAL: The framework includes functionality for arbitrary code execution via `ScriptEngine.eval()` in `DefaultTemplate.java` and command injection via `Runtime.getRuntime().exec()` in `Dispatcher.java`. If user-controlled input reaches these functions, it can lead to severe security vulnerabilities. The MCP server component itself implements an authentication token mechanism (`mcp.auth.token`), which is a good practice, but the underlying framework elements present significant risks if not carefully managed or disabled in production environments. Default Redis URI is localhost:6379, which is safe for local development but risky if exposed publicly without authentication.
Updated: 2026-01-15GitHub
48
2
Low Cost
IntranetFactory icon

hono-oauth-mcp

by IntranetFactory

Sec8

A Hono-based Model Context Protocol (MCP) server that integrates with any MCP-compliant OAuth2 server for authentication, deployable across Supabase Edge Functions, Cloudflare Workers, and Deno Deploy.

Setup Requirements

  • ⚠️Requires Supabase CLI for local development and deployment to Supabase Edge Functions.
  • ⚠️Requires Deno runtime installed for local development and deployment to Deno Deploy.
  • ⚠️Older versions of MCP Inspector (pre-January 2026) may not correctly handle the `resource_metadata` parameter in WWW-Authenticate headers when the metadata endpoint is at an uncommon path, though Claude Desktop/Web are noted to handle this correctly.
Verified SafeView Analysis
The server's bearer token verification (`verifyToken: (token: string) => { return !!token; }`) only checks for the presence of a token, not its validity. This design relies on a downstream service (e.g., Supabase PostgREST) or the OAuth client's interaction with the authorization server to perform actual JWT validation. For Supabase Edge Functions, `verify_jwt = false` is explicitly set, confirming this delegated security model. The `cors` configuration is permissive (`origin: (origin) => origin`), which may need tightening in production environments depending on direct browser access requirements. No 'eval', hardcoded secrets, or malicious patterns were found in the provided source code.
Updated: 2026-01-17GitHub
48
100
Low Cost
aashari icon
Sec2

Connects AI assistants (LLMs) to Atlassian Bitbucket repositories for code review, repository management, and workflow automation via the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires Node.js 18.0.0 or higher.
  • ⚠️Requires a Bitbucket Cloud account (not Bitbucket Server/Data Center).
  • ⚠️Requires manual generation of authentication credentials: either a Scoped API Token (recommended, using ATLASSIAN_USER_EMAIL + ATLASSIAN_API_TOKEN) or a Bitbucket App Password (legacy, using ATLASSIAN_BITBUCKET_USERNAME + ATLASSIAN_BITBUCKET_APP_PASSWORD), set as environment variables or in a `~/.mcp/configs.json` file.
  • ⚠️The `bb_clone` tool performs `git clone` to the local filesystem, which requires appropriate file system permissions and disk space on the machine running the server.
Review RequiredView Analysis
CRITICAL: The `bb_clone` tool executes `git clone` shell commands using user-supplied `repoSlug` and `targetPath` parameters. Although `path.join` is used and the `targetDir` is quoted in the shell command, direct execution of external commands with user-controlled input can be vulnerable to shell injection (Remote Code Execution) if malicious characters can escape the quoting. This risk is amplified when connected to AI agents, which may generate unexpected or exploitable input strings. Further input sanitization or using a Git library instead of shell execution for cloning would significantly improve security. Network requests (fetch) also log raw responses to `/tmp`, which could contain sensitive data if the host system is compromised.
Updated: 2026-01-07GitHub
48
73
Medium Cost
heroku icon
Sec7

The Heroku Platform MCP Server enables large language models (LLMs) to interact with and manage Heroku Platform resources through a set of specialized tools.

Setup Requirements

  • ⚠️Requires Heroku CLI version 10.10.0 or higher to be installed globally.
  • ⚠️Requires Node.js version 20 or higher.
  • ⚠️If using the `npx` command to run, the `HEROKU_API_KEY` environment variable must be explicitly set with a Heroku authorization token.
Verified SafeView Analysis
The server uses `execSync` and `spawn` to interact with the Heroku CLI. While this is fundamental to its operation, it carries inherent risks if command inputs are not meticulously sanitized. The project mitigates this by using Zod schemas for input validation and a `CommandBuilder` to construct CLI commands. Sensitive API keys (`HEROKU_API_KEY`) are handled via environment variables, which is a good practice. The `git remote add` command executed via `execSync` takes values from Heroku API responses, which are considered trusted in this context. No hardcoded secrets or obvious malicious patterns were found, and the project is open-source and maintained by Salesforce/Heroku.
Updated: 2026-01-18GitHub
48
204
Low Cost
DataSQRL icon

sqrl

by DataSQRL

Sec5

A build tool and CLI for compiling, running, and testing DataSQRL projects, including the deployment of GraphQL, REST, and Micro-Context Protocol (MCP) API servers, Flink stream processing jobs, and database interactions.

Setup Requirements

  • ⚠️Docker required for full local development/testing environment, orchestrating services like PostgreSQL, Kafka (Redpanda), and Flink.
  • ⚠️Requires `jbang` CLI tool to be installed and available in the system PATH for compiling Java User-Defined Functions (UDFs).
  • ⚠️Requires `rpk` (Redpanda) and `postgresql` binaries for local service management if internal services are enabled and not overridden by external configurations.
  • ⚠️Java 11 or higher Runtime Environment is required.
Review RequiredView Analysis
1. Dynamic Code Generation: The `FlinkExecFunctionFactory` and `CodeGenBridge` classes dynamically generate Flink `FlatMapFunction`s at runtime based on `RexNode` expressions. While `RexNode`s are internal Calcite representations, the security relies heavily on robust validation and sanitization of the initial input to the compiler to prevent code injection vulnerabilities. 2. External Command Execution: The `JBangPreprocessor` invokes the `jbang` CLI tool to compile Java User-Defined Functions (UDFs) into JARs. The `OsProcessManager` also executes `rpk` (Redpanda/Kafka) and `psql` (PostgreSQL) commands. If an attacker can control file paths or arguments passed to these external commands, it could lead to arbitrary command execution. 3. Default Insecure Passwords: `OsProcessManager.java` uses hardcoded default `postgres` username and password for initializing the PostgreSQL database. While this is acceptable for local development/containerized environments, it poses a significant security risk if not explicitly overridden with strong credentials in production deployments. 4. File System Operations: The `FilePreprocessingPipeline` and `Packager` perform various file system operations like copying, creating, and deleting directories. This introduces potential for path traversal vulnerabilities if user-controlled input is used to construct file paths without proper validation. 5. Network Exposure: The server exposes HTTP, GraphQL, REST, and MCP endpoints. While authentication (JWT, OAuth2) and CORS handlers are implemented, the overall security depends on the robustness of these implementations and proper configuration. Overall, the dynamic code generation and external command execution are high-risk areas. The default insecure database credentials make it unsafe for non-development environments.
Updated: 2026-01-19GitHub
48
62
Medium Cost
PSPDFKit icon
Sec7

Integrates Nutrient DWS Processor API with AI assistants for powerful PDF document processing, including digital signing, editing, OCR, and redaction.

Setup Requirements

  • ⚠️Requires a Nutrient DWS API key (Paid service).
  • ⚠️Requires Node.js version 18.0.0 or higher.
  • ⚠️Strongly recommended to enable sandbox mode by setting `SANDBOX_PATH` environment variable; otherwise, file operations are unrestricted and pose a security risk.
Verified SafeView Analysis
The server can operate in a secure, sandboxed mode by setting the `SANDBOX_PATH` environment variable, restricting file operations to a designated directory. Running without sandbox mode allows unrestricted file system access to any location the server process has permissions for, which is explicitly not recommended and poses a significant security risk. No 'eval' or obvious hardcoded secrets were found in the provided source code. The API key is correctly read from environment variables.
Updated: 2026-01-14GitHub
PreviousPage 56 of 713Next