Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

0
0
Low Cost
Sec9

This server integrates AI tools with Movable Type to facilitate AI-driven drafting and editing of blog posts, specifically focusing on creating and managing draft articles.

Setup Requirements

  • ⚠️Requires Movable Type Data API to be enabled in system and blog settings.
  • ⚠️Requires a specific 'Web Services Password' from the Movable Type user profile, distinct from the regular login password.
  • ⚠️Node.js 22.7.5 or newer is required.
Verified Safe
The server uses environment variables for sensitive Movable Type API credentials (MT_USERNAME, MT_PASSWORD, MT_API_URL). It explicitly prohibits dangerous operations like deleting articles, publishing drafts, or editing published articles, by design. Input from the AI client is structured via MCP SDK schemas and passed through an `axios`-based client that correctly encodes parameters, mitigating common injection risks. Session data is stored locally on the file system and is not exposed over the network. The code is well-structured and avoids direct use of 'eval' or similar high-risk functions.
Updated: 2025-11-19
0
0
Low Cost

unicorn-site

by worklocalinc

Sec3

A magical unicorn website deployed via the MCP Server framework.

Setup Requirements

  • ⚠️Requires an MCP Server environment for deployment.
Review Required
The provided source code is highly truncated/summarized. A full security audit for 'eval', obfuscation, network risks, hardcoded secrets, or malicious patterns is not possible. The score reflects this lack of visibility and the unknown risk inherent in running un-audited code.
Updated: 2025-11-26
0
0
Low Cost

exchange-rate-mcp

by Dannycalvin

Sec9

This server provides real-time currency conversion using an external API, making it easy to convert amounts between different currencies.

Setup Requirements

  • ⚠️Requires EXCHANGE_RATE_API_KEY environment variable (obtainable from ExchangeRate-API.com)
  • ⚠️Requires Python 3.12 or higher
  • ⚠️Requires an active internet connection to retrieve exchange rates
Verified Safe
The server correctly uses environment variables for sensitive API keys, preventing hardcoding. It employs `httpx` for network requests, a standard and secure library. Robust error handling is implemented for various API response errors (e.g., invalid key, unknown currency, quota reached). No 'eval', obfuscation, or other known malicious patterns were identified in the provided source code. The server's functionality relies on an external API, which is an inherent part of its design, and potential risks associated with that API (e.g., its availability or data integrity) are external to this specific server's code security.
Updated: 2026-01-19
0
0
High Cost

MyVpsSuper

by fernandes01032000

Sec8

An AI orchestration platform for managing intelligent agents, their interactions with various microservices (MCP Servers), and monitoring via a web dashboard.

Setup Requirements

  • ⚠️Requires Claude API Key (Paid) for core AI functionality.
  • ⚠️Requires Docker and Docker Compose for core services (PostgreSQL, Redis, Puppeteer).
  • ⚠️Requires Python 3.10+ and Node.js 20+ (for certain MCPs like Puppeteer).
  • ⚠️Requires configuration of multiple external API keys (e.g., MercadoPago, Evolution API, n8n, Supabase) if these integrations are desired.
Verified Safe
The project generally follows good practices by using environment variables for sensitive credentials. However, `docker-compose.yml` and Python MCPs provide hardcoded default passwords/tokens (e.g., 'orchestrator_secret_2024', 'puppeteer_token_2024') for local containers. While these can be overridden, relying on such defaults, even for local development, poses a minor risk. The FastAPI backend listens on `0.0.0.0`, meaning it's accessible from all network interfaces, requiring careful firewall configuration if exposed to the internet. `subprocess.run` calls are used for internal scripts or fixed commands, mitigating command injection risks. SQL queries appear to use parameterized statements, which helps prevent SQL injection.
Updated: 2025-11-25
0
0
Medium Cost

MCP-Chatbot

by DawoodTahir

Sec7

An AI-powered recruitment chatbot that conducts structured interviews, analyzes candidates' soft skills and technical fit against job descriptions, and sends interview summaries to hiring managers via WhatsApp.

Setup Requirements

  • ⚠️Requires OpenAI API Key (Paid) for LLM interactions and transcription.
  • ⚠️Requires WhatsApp Business API credentials (Paid) for sending messages to the hiring manager.
  • ⚠️Requires a running Neo4j database for Graph RAG features (can be deployed locally via Docker/Kubernetes or cloud-hosted).
  • ⚠️Requires AWS S3 bucket for resume storage and SQS queue for processing (can be mocked with LocalStack for development).
  • ⚠️Heavy reliance on Docker and Kubernetes for recommended deployment, requiring familiarity with these tools.
Verified Safe
The system implements prompt injection heuristics and leverages OpenAI's moderation API, significantly enhancing defense against malicious user input. Sensitive API keys and credentials (OpenAI, WhatsApp, Neo4j, AWS) are correctly managed via environment variables and Kubernetes secrets, avoiding hardcoding. File uploads are sanitized using `secure_filename`. Web scraping is limited by page count and keyword filtering, reducing external data risks. However, reliance on third-party APIs (OpenAI, WhatsApp, AWS) inherently introduces external dependencies. Data privacy policies, especially regarding the collected PII from resumes and conversation history, should be robustly implemented beyond the UI mention of deletion requests. Ensure proper AWS S3 bucket and Neo4j database access controls are in place. The 'owner' phone number for WhatsApp reports is a configuration point that needs careful management to avoid misdirection.
Updated: 2025-12-17
0
0
Low Cost

WeatherMCP

by abg011

Sec10

A simple Model Context Protocol (MCP) server for fetching live weather alerts and forecasts from the U.S. National Weather Service (NWS) API.

Setup Requirements

  • ⚠️Requires Python 3.10 or higher
Verified Safe
The source code appears very safe. It uses the standard 'httpx' library for network requests and does not contain 'eval' or similar dangerous functions. There are no hardcoded secrets or sensitive information. The NWS API used is public and does not require authentication. All network requests have a timeout.
Updated: 2025-12-13
0
0
Low Cost

mcp-ping-server

by taufiqur0991

Sec9

Provides a simple network utility microservice for checking host reachability via ping.

Setup Requirements

  • ⚠️Requires Python 3.10 or newer.
  • ⚠️Relies on the `mcp[cli]` library for server functionality.
Verified Safe
The code correctly uses `subprocess.run` with a list of arguments for the `ping` command, which effectively prevents shell injection vulnerabilities. The `host` parameter is passed directly as a distinct argument to the system's `ping` utility, rather than being interpreted by a shell. No `eval`, `exec`, hardcoded secrets, or other immediately apparent malicious patterns are present. The primary remaining risk, albeit low, would stem from potential vulnerabilities within the system's `ping` utility itself when processing extremely malformed hostnames, which is outside the control of this application's direct code.
Updated: 2025-11-25
0
0
Low Cost

BioQC-MCP

by Babajan-B

Sec3

A Model Context Protocol (MCP) server for AI-assisted bioinformatics quality control analysis of sequencing data, including report generation and advanced visualization.

Setup Requirements

  • ⚠️Requires external installation of FastQC (operating system specific: `brew` for macOS, `apt-get` for Linux).
  • ⚠️Requires external installation of MultiQC (Python package installed via `pip`).
  • ⚠️Requires careful manual configuration of full, absolute file paths to the Python interpreter within the virtual environment and the server script in the AI client's (e.g., Claude Desktop, Cursor IDE) `mcp.json` configuration file.
Review Required
The `run_qc_pipeline` tool directly executes arbitrary Python code using `exec()` within a supposedly sandboxed environment (`safe_globals`). While an attempt is made to restrict the available functions, perfect sandboxing of `exec()` is notoriously difficult to achieve. This makes the server highly susceptible to arbitrary code execution if an AI agent is compromised or given a malicious prompt, leading to potential data breaches, denial-of-service, or system compromise. Subprocess calls to external tools (`fastqc`, `multiqc`) also pose a minor risk if input paths are not fully validated against path traversal attacks, though `Path().expanduser()` provides some protection.
Updated: 2025-12-06
0
0
Medium Cost
Sec9

The Metalsmith Plugin MCP Server provides tools for AI assistants to scaffold, validate, and maintain high-quality Metalsmith plugins, enforcing best practices and modern development standards.

Setup Requirements

  • ⚠️Requires Node.js v20.0.0 or higher.
  • ⚠️GitHub CLI (`gh`) must be installed and authenticated for release automation and some validation checks.
  • ⚠️Specific configuration is needed for AI assistant (e.g., Claude Desktop/Code) integration.
Verified Safe
The server incorporates robust path sanitization (`sanitizePath`) across all tools to prevent directory traversal vulnerabilities. It uses `spawn` and `execSync` for necessary interactions with `npm`, `git`, `eslint`, and `prettier`, which is appropriate for a development tool, and the commands are largely fixed. The server itself actively *validates* user-provided plugins for security anti-patterns like `eval()`, shell execution without input validation, hardcoded secrets, and environment variable logging, indicating strong security awareness in its design. Release processes leverage `gh auth token` for secure GitHub token handling.
Updated: 2026-01-18
0
0
High Cost

ios-sim-mcp

by artmamedov

Sec2

Enables AI assistants to visually interact with and automate iOS Simulator apps for testing or task completion.

Setup Requirements

  • ⚠️Requires macOS, Xcode with iOS Simulator.
  • ⚠️Node.js 18+ is a prerequisite.
  • ⚠️Requires manual installation of `idb` via Homebrew and pip3 (`brew install idb-companion` and `pip3 install fb-idb`).
Review Required
The server uses `child_process.execAsync` to run `idb` commands. String arguments for tools like `boot_simulator`, `launch_app`, `open_url`, `find_elements`, `tap_element` (and potentially others that take user-provided strings) are directly interpolated into shell commands without comprehensive sanitization. This creates a critical command injection vulnerability, allowing arbitrary commands to be executed on the host system if malicious input is provided to these tools. For example, a `udid` containing shell metacharacters could execute unintended commands.
Updated: 2026-01-18
0
0
Low Cost

carmen-mcp-server

by carrmen03-blip

Sec6

This server provides a central configuration management service, allowing clients to get and set configuration data for a distributed system or application.

Review Required
The server does not use `eval` or exhibit obfuscation, nor does it contain hardcoded secrets in the provided snippets. However, the primary security risk is the lack of authentication and authorization for the `SET_CONFIG` command. Any client that can connect to the server can modify its configuration, which could lead to service disruption, misconfiguration, or potentially impact dependent systems if the configuration controls critical operations. This design choice makes it vulnerable if exposed to untrusted networks or clients without additional security layers.
Updated: 2026-01-16
0
0
Low Cost

mcp-server-ai

by dev-houssam

Sec10

This repository serves as a centralized directory and curated list of various MCP (Multi-Modal Compute Protocol) servers and their respective clients, facilitating discovery and integration for AI applications.

Verified Safe
The provided source code consists solely of a README file, which is static text and contains no executable code. Therefore, there are no direct security vulnerabilities within this repository's code itself. Any potential risks would stem from vulnerabilities in the *linked* third-party repositories, which are outside the scope of this analysis.
Updated: 2025-11-29