Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost | Sec8

Transforms any OpenAPI specification into MCP tools for AI assistants, enabling dynamic interaction with APIs.

Setup Requirements

  • ⚠️Requires Node.js 18.0.0 or higher.
  • ⚠️Requires a valid OpenAPI 3.0/3.1 specification URL for the API it will wrap.
  • ⚠️For development against an API with a self-signed certificate, the project documents setting `NODE_TLS_REJECT_UNAUTHORIZED=0`. This disables certificate verification for the whole Node process, so use it only in development.
Verified Safe
The server supports disabling TLS certificate verification via `NODE_TLS_REJECT_UNAUTHORIZED=0`. The README presents this as a development/testing convenience, but the variable is process-wide: it turns verification off for every outbound TLS connection the server makes, not just the connection to the wrapped API, and leaves the server open to man-in-the-middle attacks. It must not be set in production; trusting the upstream API's private CA explicitly is the safe alternative. The configuration UI's URL validation likewise temporarily accepts self-signed certificates for testing. Rate limiting is implemented to prevent abuse. No `eval` or obvious hardcoded secrets were found in the code reviewed, and all configuration is managed via environment variables.
Updated: 2026-01-19 | GitHub

CineSage
by exquisique
Low Cost | Sec9

CineSage functions as an AI entertainment concierge, providing personalized movie/TV show recommendations, managing watchlists, logging watched content with reviews, and scheduling viewings via Google Calendar.

Setup Requirements

  • ⚠️Requires a TMDB API Key (free, but needs registration).
  • ⚠️Google Calendar features require downloading Google Cloud Console credentials.json and completing an OAuth flow.
  • ⚠️Python 3.10+ is required.
Verified Safe
The server reads the TMDB API key (`TMDB_API_KEY`) and the Google credentials file path (`GOOGLE_CREDENTIALS_FILE`) from environment variables, which is good practice. It makes external API calls (TMDB, Google Calendar) and stores data locally (SQLite, ChromaDB) without obvious critical vulnerabilities such as `eval` or hardcoded secrets. Google Calendar integration requires an OAuth flow that writes a local `token.pickle`; that file holds the resulting OAuth tokens and should be protected like a credential.
Updated: 2025-11-25 | GitHub

mcp-server
by Enapter
Medium Cost | Sec9

This server provides a Model Context Protocol (MCP) interface for AI assistants and other MCP clients to interact with Enapter EMS sites, devices, and telemetry data.

Setup Requirements

  • ⚠️Enapter API Token required for clients to authenticate with the MCP server.
  • ⚠️Docker is recommended for simplified deployment and environment management.
Verified Safe
Authentication is token-based: clients send a valid Enapter API token in the `X-Enapter-Auth-Token` HTTP header, and the server forwards that token to the upstream Enapter HTTP API on the client's behalf. Because the token is passed through rather than held server-side, the server stores no credential of its own, but anything that logs request headers in front of it will capture the token. No clear security vulnerabilities or dangerous patterns such as `eval` were found in the source reviewed. The `FIXME` comment about client instance creation is a performance concern, not a security issue.
Updated: 2026-01-19 | GitHub

septa-mcp-python
by simplyjackfoster
Low Cost | Sec8

Provides a Model Context Protocol (MCP) server that exposes SEPTA's public transit APIs as structured tools for clients to fetch real-time and scheduled transit information.

Setup Requirements

  • ⚠️Python 3.11+ required
  • ⚠️Relies on external SEPTA public transit APIs
Verified Safe
Configuration, including an optional API key, comes from environment variables, which is good practice. No critical vulnerabilities such as `eval` or direct command injection were found. The `gtfs_feed` tool, however, builds a URL path directly from user input (`f"gtfs/{feed}.zip"`). The base URL is fixed to SEPTA's API, but an unvalidated feed name can still carry `..` segments, `?` or `#`, which URL normalization turns into a different path, query or fragment on that host. This is unlikely to be exploitable against SEPTA's public API, but the tool should allow-list feed names before building the path.
Updated: 2025-11-26 | GitHub
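To make the path-construction concern above concrete, here is an added example in JavaScript (a rendition of the pattern, not the septa-mcp-python project's own code): `unsafeGtfsUrl` mirrors `f"gtfs/{feed}.zip"` and shows what `..` and `?` in the feed name do after URL normalization, while `safeGtfsUrl` allow-lists the name and checks the resolved URL. The base URL `https://transit.example.invalid/api/v1/` is a placeholder; the page does not show SEPTA's real endpoint.

```javascript
// Added example (JavaScript rendition, not the septa-mcp-python project's code):
// what an unvalidated feed name can do inside a URL path, and an allow-list check.
// API_BASE is a placeholder; the page does not show SEPTA's real endpoint.
const API_BASE = 'https://transit.example.invalid/api/v1/';

// Mirrors the risky pattern f"gtfs/{feed}.zip": the feed name lands in the path unchecked.
function unsafeGtfsUrl(feed) {
  return new URL(`gtfs/${feed}.zip`, API_BASE).href;
}

// Allow-list for feed names: lowercase alphanumerics, '-' or '_', 1 to 32 characters.
const FEED_NAME = /^[a-z0-9][a-z0-9_-]{0,31}$/;

function safeGtfsUrl(feed) {
  if (typeof feed !== 'string' || !FEED_NAME.test(feed)) {
    throw new Error(`invalid feed name: ${JSON.stringify(feed)}`);
  }
  const url = new URL(`gtfs/${encodeURIComponent(feed)}.zip`, API_BASE);
  // Defence in depth: after normalisation the path must still sit under gtfs/
  // and the URL must carry no query string or fragment.
  const prefix = new URL('gtfs/', API_BASE).pathname;
  if (!url.pathname.startsWith(prefix) || url.search !== '' || url.hash !== '') {
    throw new Error('resolved URL escaped the gtfs/ prefix');
  }
  return url.href;
}
```

`unsafeGtfsUrl('../../admin')` resolves to `https://transit.example.invalid/api/admin.zip`: the dot segments are collapsed by URL normalization and the fixed `.zip` suffix offers no protection. `unsafeGtfsUrl('bus?raw=1')` turns the rest of the path, suffix included, into a query string. The allow-list rejects both before a request is built.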

MCP-CrowdStrikeFalcon
by josh-thurston
Medium Cost | Sec9

Provides a Model Context Protocol (MCP) and HTTP/REST interface to interact with the CrowdStrike Falcon API for security operations and threat management.

Setup Requirements

  • ⚠️Requires a CrowdStrike API Key (which typically implies a paid CrowdStrike Falcon subscription and API access configured).
  • ⚠️Docker is the recommended deployment method for ease of setup and production readiness.
  • ⚠️Listed as Python 3.8+, but the type hints it uses (`list[str]`, `str | None`) need Python 3.10+ when evaluated at runtime (`list[str]` alone needs 3.9+), unless the modules enable `from __future__ import annotations`.
Verified Safe
The server follows good security practices for an API wrapper. No API keys or credentials are hardcoded; they are expected via environment variables or function parameters. The `APIClient` handles OAuth2 token acquisition with `httpx` and sends the resulting `Bearer` token on each request. The documentation recommends deploying behind a reverse proxy for HTTPS. Basic input validation is present for API keys; further validation relies on the downstream CrowdStrike API or FastAPI's request parsing. No `eval` or other dynamic code execution was found.
Updated: 2025-12-11 | GitHub

Low Cost | Sec7

A foundational Model Context Protocol (MCP) server template demonstrating tool and resource capabilities with dual transport (Stdio and Streamable HTTP), designed for integration with LLM clients.

Setup Requirements

  • ⚠️Requires Node.js 18+ (as indicated by SDK dependencies and 'node:crypto' usage).
  • ⚠️Requires 'npm install' to resolve Node.js dependencies.
  • ⚠️Clients must use 'Mcp-Session-Id' header for session identification and 'Accept: application/json, text/event-stream' header for Streamable HTTP transport.
Verified Safe
No `eval` or malicious patterns detected. Raw error messages from tool calls may reach the client unsanitized, which can disclose internal detail such as file paths or stack traces; sanitize them before production use. The template does not rate-limit its HTTP `/mcp` endpoint, so without a reverse proxy or added middleware it is open to basic brute-force and denial-of-service traffic. Session IDs are carried in the standard `Mcp-Session-Id` header.
Updated: 2026-01-19 | GitHub

MCP-SERVER
by sabariaz94
Low Cost | Sec10

The provided content is a biographical list of various individuals named Saba Riaz, detailing their professions and affiliations.

Verified Safe
The repository contains a plain markdown file with no executable code, scripts, or active components, so it presents none of the risks checked for (`eval`, obfuscation, network exposure, hardcoded secrets). Note that, by the same token, it is not an MCP server.
Updated: 2025-11-23 | GitHub

Medium Cost | Sec8

Provides a Model Context Protocol (MCP) server for LLM/agent access to Axinova's internal infrastructure and productivity tools.

Setup Requirements

  • ⚠️Requires API tokens for Portainer, Grafana, SilverBullet (optional), and Vikunja. Generation of these tokens can be a multi-step process for each service.
  • ⚠️Designed for Axinova's internal network infrastructure (`ax-tools`, `ax-sas-tools`) and requires direct network access to these internal services.
  • ⚠️Prerequisites include Go 1.22+ for development and Docker/docker-compose for deployment.
Verified Safe
The server uses `stdio` transport, which limits direct network exposure of the MCP protocol itself. API tokens are handled via environment variables and `.env` files, with clear instructions against hardcoding and a recommendation to restrict file permissions (`chmod 600 .env`). Input validation is present through Go's type system and explicit checks. One deliberate design choice for internal traffic is `tls.skip_verify: true`, justified by TLS termination at an internal Traefik proxy. That is acceptable in a controlled internal environment with proper perimeter security, but it also means the server cannot detect a spoofed proxy on that segment, and the same setting would be a significant vulnerability on the public internet. The documentation around this choice (`DEPLOYMENT.md`, `VALIDATION.md`) shows awareness of the risk and its specific context.
Updated: 2026-01-19 | GitHub

NextGenPortfolio
by ALITAYYAB2K1
Low Cost | Sec9

A personal portfolio website with a headless CMS (Sanity.io) for managing content like projects, blog posts, skills, and professional background.

Setup Requirements

  • ⚠️Requires a Sanity.io project setup (account and project configuration are external).
  • ⚠️Requires a Clerk.dev account setup for authentication.
  • ⚠️Database (Sanity.io) is external and needs to be maintained.
Verified Safe
The project uses standard, well-maintained libraries (Next.js, Clerk, Sanity.io). Environment variables for the Sanity project configuration are explicitly validated, and authentication is delegated to Clerk. No obvious `eval` or malicious patterns were found. Sensitive keys such as Sanity write tokens are neither hardcoded nor exposed client-side in the code reviewed; the public-facing data path is read-only against Sanity, which is the right shape for a portfolio site.
Updated: 2025-12-06 | GitHub

Medium Cost | Sec8

An MCP server for intelligent keyword searching within files and directories to analyze logs, documentation, and code.

Setup Requirements

  • ⚠️Requires Node.js 18+ runtime
  • ⚠️Requires TypeScript build step (`npm run build`) before production use
Verified Safe
Path traversal is prevented with `path.resolve` followed by `fs.statSync` checks, and directory searches are restricted to `.txt`, `.log` and `.md` files. Single-file search, however, uses `fs.readFileSync` to load the entire file into memory, which contradicts the README's claim ("Memory Efficient: Streams files without loading entire contents into memory") and lets a very large file drive memory consumption up to the point of denial of service. Output lines are truncated to 200 characters to bound result size. No direct `eval` or hardcoded secrets were found.
Updated: 2025-11-24 | GitHub

connectors
by TalaoDAO
Medium Cost | Sec8

Wallet4Agent provides a trust layer for AI Agents, enabling them to establish verifiable identities (DIDs), manage credentials (VCs, SD-JWT), and securely interact with humans, companies, services, and other agents using OIDC4VCI/OIDC4VP and cryptographic signing.

Setup Requirements

  • ⚠️Python 3.9+ is required.
  • ⚠️Didkit 0.3.0 is a dependency.
  • ⚠️A `keys.json` file must be created and securely populated with sensitive credentials (e.g., SMTP password, secret key, encryption key, OpenAI API key, AWS KMS related details, pepper for deterministic keys).
  • ⚠️AWS KMS setup is required for production-grade key management.
  • ⚠️A Redis server is required for session management and ephemeral data storage.
  • ⚠️A local Universal Registrar instance (likely Docker-based) is a dependency for DID operations.
  • ⚠️OpenAI API Key (paid) is required for the integrated chat agent functionality.
Verified Safe
The server employs robust cryptographic tooling (jwcrypto, cryptography, DIDKit, AWS KMS) for key management and signing, and follows the relevant identity standards (DID, OIDC4VCI/OIDC4VP, SD-JWT). Authentication is layered: personal access tokens, OAuth2 client credentials, and OAuth2 `private_key_jwt`. Sensitive configuration and API keys (SMTP password, Agntcy keys, OpenAI key, and others) are loaded from a `keys.json` file; that is workable for development but should be replaced by environment variables or a dedicated secret store in production, with the file itself kept out of version control. Input validation is present for some API calls, but general JSON parsing (for example of credential offers) warrants additional scrutiny for edge cases. External DID resolution and API calls go to known services, which limits direct SSRF risk, but the dependency on external resolvers should be noted.
Updated: 2026-01-13 | GitHub

airtable-mcp
by Dadykad
Medium Cost | Sec5

A server-side application designed to integrate with and manage data in Airtable, potentially automating workflows or providing a custom API layer.

Setup Requirements

  • ⚠️Requires Airtable API Key for authentication.
  • ⚠️Requires Node.js runtime (or similar server environment).
  • ⚠️Requires internet access to communicate with Airtable API.
Review Required
Source code was not available for analysis, so no specific audit for `eval`, obfuscation, hardcoded secrets, or malicious patterns could be performed; the score is a generic estimate. Typical risks for a server that fronts an external API such as Airtable are mishandled API keys, missing input validation, and unauthenticated or unauthorized access to its endpoints.
Updated: 2025-11-19 | GitHub