Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers(8554)

0
0
Medium Cost
Sec9

This server enables AI assistants and MCP clients to interact with Countly's analytics data, manage applications, view dashboards, track events, and perform comprehensive analytics operations.

Setup Requirements

  • ⚠️Requires Node.js 18+ runtime environment.
  • ⚠️Requires access to an existing Countly instance (cloud or self-hosted) with a valid authentication token and appropriate permissions.
  • ⚠️Requires a modern MCP client that supports protocol version 2025-03-26 (Streamable HTTP specification).
Verified Safe
The project demonstrates strong security awareness with robust authentication mechanisms (HTTP headers, environment variables, token files, tool arguments), clear error handling to prevent information leakage, and a LoopDetector to mitigate potential DoS from recursive tool calls. It also supports fine-grained CRUD control for tools, allowing administrators to restrict AI agent capabilities. While URL parameters are mentioned as less secure for tokens, the documentation explicitly advises against them for sensitive data and provides better alternatives.
Updated: 2026-01-07
0
0
Medium Cost

Mcp_client-server

by kaustubhdeshmukh11

Sec9

A remote server for tracking and managing personal or small-scale expenses, accessible via a custom connector.

Setup Requirements

  • ⚠️Requires Python 3.12+.
  • ⚠️The `pyproject.toml` file is missing `fastmcp` and `aiosqlite` dependencies, which need to be installed manually (e.g., `pip install fastmcp aiosqlite`).
  • ⚠️The SQLite database is stored in a temporary directory (`tempfile.gettempdir()`), meaning all expense data will be lost upon server restart or redeployment unless the hosting environment specifically persists this directory.
Verified Safe
The code uses parameterized SQL queries, effectively preventing SQL injection vulnerabilities. No 'eval' or other directly dangerous functions are used. No hardcoded secrets are visible. The use of a temporary directory for the SQLite database means data is ephemeral, which is a functional limitation rather than a security vulnerability of the code itself.
Updated: 2025-12-17
0
0
Low Cost

aaryabhusal.github.io

by AaryaBhusal

Sec3

Manages CTFd challenges by allowing users to list, view details, control Docker instances, and submit flags through a local web interface.

Setup Requirements

  • ⚠️Requires Python 3.13 or higher.
  • ⚠️Requires CTFd server URL, and either a CTFd user token or session cookie for authentication.
Review Required
The provided 'SOURCE CODE' is an `index.md` file, which is documentation, not executable application code. Therefore, a comprehensive security audit of the actual server logic (e.g., handling of `CTFD_TOKEN`, `CTFD_SESSION`, input validation, API interaction security) could not be performed. The `index.md` itself does not contain `eval`, obfuscation, hardcoded secrets, or malicious patterns. However, the application described handles sensitive CTFd authentication details. Without access to the Python source code (`app.py` and related modules), it's impossible to assess potential vulnerabilities in how these credentials are stored, transmitted, or used, or if the server is susceptible to common web vulnerabilities.
Updated: 2026-01-19
0
0
Low Cost

hacker-news-mcp

by SumitKachare

Sec9

A web server that fetches and displays the top stories from Hacker News.

Setup Requirements

  • ⚠️Requires Go toolchain to build and run.
Verified Safe
The server fetches data from the public Hacker News Firebase API. No hardcoded secrets or 'eval'-like patterns were found in the provided code. Standard web server risks apply, but no critical vulnerabilities are evident.
Updated: 2025-12-01
0
0
Low Cost

gsc-mcp

by Donmandela

Sec1

Analyzes Google Search Console data to monitor website performance, track keywords, and enhance SEO strategy.

Setup Requirements

  • ⚠️Requires a Google account with access to Google Search Console data.
  • ⚠️Distributed as a pre-compiled binary (.zip) without public source code for the application itself, requiring trust in the distributor.
  • ⚠️Operating System: Windows 10 or higher, or macOS 10.13 or higher.
Review Required
The provided 'SOURCE CODE' for analysis is solely the README.md file. No executable source code (e.g., Python, JavaScript, C#, etc.) for the actual application was provided. The application is distributed as a pre-compiled binary within a ZIP file (.zip). Without access to the application's underlying source code, it's impossible to perform a security audit for patterns like 'eval', obfuscation, network risks, hardcoded secrets, or malicious logic. Therefore, a security score cannot be assigned based on source code analysis, and its safety cannot be guaranteed. Users are advised to exercise extreme caution when installing unknown binaries from the internet.
Updated: 2026-01-19
0
0
High Cost

mcp-server

by SingTheCode

Sec3

This agent facilitates CLI-based AI assistance for developers, leveraging a proprietary Shinsegae LLM and Model Context Protocol (MCP) to interact with development environments and perform tasks like file operations and code analysis.

Setup Requirements

  • ⚠️Requires access to a Shinsegae internal LLM API and a valid 'LLM_API_TOKEN' from DevX, which is not publicly available.
  • ⚠️Relies on specific MCP servers (e.g., filesystem, playwright, serena, chrome-devtools) configured in 'mcp-config.json', which may have their own installation and dependency requirements (e.g., 'npx', 'uvx', specific project contexts).
  • ⚠️Requires Python 3.14 or newer, as specified in 'pyproject.toml', which might be a more recent version than many users have installed.
Review Required
The agent allows direct execution of shell commands via user input prefixed with '!' (src/cli/app.py -> run_shell). This feature, combined with the LLM's potential to generate or misinterpret commands, poses a significant risk for arbitrary code execution on the host system. While the primary ReAct loop focuses on MCP tools, the direct shell command input is a critical vulnerability. The use of 'subprocess.Popen' is temporarily altered to suppress stderr during MCP server connection, which could hide potential issues from a user but is restored.
Updated: 2025-11-27
0
0
Medium Cost

opensearch-mcp-server

by thabiso-m-absa

Sec4

This server integrates OpenSearch clusters with AI systems via the Model Context Protocol (MCP), enabling AI to perform search, indexing, aggregation, and management tasks across multiple clusters.

Setup Requirements

  • ⚠️Requires Node.js 18+.
  • ⚠️Requires access to an OpenSearch cluster (local or remote).
  • ⚠️The `aws-sdk` package is a silent dependency if AWS authentication is used, and it's not listed in `package.json`.
  • ⚠️Configuration for multi-cluster support can be complex, involving a JSON string in environment variables or multiple separate environment variable sets.
Verified Safe
The source code, specifically `src/mcp.json`, contains hardcoded OpenSearch production-like credentials (URL, username, and password). While this might be intended as an example for VS Code configuration, storing such secrets directly in the repository is a critical security vulnerability if the repository is public or accessed by unauthorized individuals. The application itself relies on environment variables for configuration, which is a better practice, but the presence of this example reduces the overall security posture due to potential misuse. Additionally, `aws-sdk` is `require`d dynamically for AWS authentication but is not listed as a dependency in `package.json`, which could lead to runtime errors in AWS-configured environments.
Updated: 2025-11-25
0
0
Medium Cost

tos-bridge

by No-Smoke

Sec8

Bridges Claude Desktop/Code to a VPS-hosted Token Optimization System using Qdrant (vector database) and Neo4j (knowledge graph) for graph-enhanced search and document management.

Setup Requirements

  • ⚠️Requires a running Ollama server for embedding generation.
  • ⚠️Requires a running Qdrant server for vector storage.
  • ⚠️Requires a running Neo4j server for graph storage and traversal.
  • ⚠️Requires Python 3.10 or newer.
Verified Safe
The server uses environment variables for sensitive configurations like Qdrant API keys and Neo4j passwords, which is good practice. Database queries are parameterized, preventing SQL/Cypher injection. There are no obvious signs of 'eval' or direct shell command execution from user input. The primary security consideration for deployment is controlling environment variables (QDRANT_URL, NEO4J_URI, OLLAMA_URL), as malicious manipulation could lead to SSRF (Server-Side Request Forgery) by directing the server to internal network resources. However, this is an operational risk common to services that connect to configurable external endpoints, not a direct vulnerability in the code logic itself.
Updated: 2026-01-16
0
0
Medium Cost

cluster-insights-mcp-rs

by alpha-hack-program

Sec9

Provides conversational AI access to Kubernetes cluster resource analysis and capacity planning for platform engineers, SREs, and developers.

Setup Requirements

  • ⚠️Requires Rust 1.70+ and Cargo to build and run locally.
  • ⚠️Requires Kubernetes cluster access with a valid `kubeconfig` configured for read-only RBAC permissions (get/list for nodes, pods, namespaces).
  • ⚠️Requires `jq` for certain development scripts (like version sync), though not for server runtime.
Verified Safe
The server is explicitly designed for read-only operations on Kubernetes clusters, which significantly reduces the attack surface compared to tools with write access. It utilizes existing kubeconfig credentials and advises proper RBAC setup. It avoids 'eval' or similar dynamic code execution. The container setup runs as a non-root user (1001) and mentions 'cargo audit' in its CI/CD pipeline, indicating a proactive security stance. The main security consideration is ensuring the provided kubeconfig has appropriately scoped read-only permissions and that the server is not exposed publicly without additional authentication.
Updated: 2025-12-03
0
0
Medium Cost

miro-remote-mcp

by FlyAgileWithGiom

Sec9

Enables Claude AI to programmatically create and manipulate Miro boards, facilitating complex visualization generation through natural language conversations.

Setup Requirements

  • ⚠️Requires a Miro OAuth application to be created with a Redirect URI configured (e.g., `http://localhost:3003/oauth/callback`) in both Miro settings and the server's configuration.
  • ⚠️Miro OAuth2 tokens (access and refresh tokens) are required and expire, necessitating initial acquisition and potential reauthentication via the `npm run oauth` helper script.
  • ⚠️Requires Node.js (version 16 or newer) and a TypeScript build (`npm run build`) before execution.
  • ⚠️For Claude Desktop/Code, an absolute path to the compiled `dist/index.js` file must be configured, along with client credentials and tokens as environment variables.
Verified Safe
The codebase follows good security practices, explicitly avoiding hardcoded secrets by relying on environment variables (often base64 encoded for sensitive keys) or a dedicated token file (`/data/tokens.json` in production). OAuth tokens are managed with automatic refresh and race-condition prevention. Network communication uses `axios` and `https.Agent` for robust connections. No `eval` or obvious malicious patterns found. Security largely depends on proper environment variable management (e.g., in Claude Desktop configuration) and secure file system for `tokens.json`.
Updated: 2026-01-09
0
0
Medium Cost

mcp-example

by dyelland-lt

Sec9

A Model Context Protocol (MCP) server that acts as a bridge between Claude Desktop and the Rick and Morty GraphQL API, demonstrating MCP functionality with HTTPS transport.

Setup Requirements

  • ⚠️Requires Node.js and pnpm to be installed.
  • ⚠️Requires `mkcert` for local SSL certificate generation (with OS-specific installation steps).
  • ⚠️Requires `ngrok` (and a registered authtoken) for public access to connect with Claude Desktop remotely.
  • ⚠️Claude Desktop requires a Pro, Max, Team, or Enterprise plan to use custom connectors.
  • ⚠️Manual SSL certificate generation step `mkcert localhost 127.0.0.1 ::1`.
Verified Safe
The server uses HTTPS with locally generated SSL certificates via mkcert, providing TLS security. CORS is broadly enabled (`origin: true`), which is common for development but would ideally be restricted in a production environment. There are no direct uses of `eval`, obfuscation, or hardcoded sensitive API keys (the Rick and Morty API is public). The `start-public.sh` script handles ngrok, which exposes localhost publicly, but this is an explicit action by the user and clearly documented for remote access to Claude Desktop. The `http-server.ts` includes a helpful warning about regenerating SSL certificates for non-localhost IP access, showing security awareness.
Updated: 2025-11-26
0
0
Low Cost

activity-2-MCP-server

by khushboosaini

Sec8

Demonstrates a minimal server implementation using the `fastmcp` library with a FastAPI fallback for local testing and experimentation.

Setup Requirements

  • ⚠️The `fastmcp` library might require specific versions or API adaptations, as the example includes fallback logic and notes about matching the 'real library API'.
  • ⚠️Relies on Python and `pip` for dependency management, requiring `requirements.txt` installation.
Verified Safe
The source code does not contain obvious security vulnerabilities such as 'eval' of user input, hardcoded secrets, or direct system command execution. Endpoints perform simple echo or arithmetic operations. The primary security consideration would be the underlying `fastmcp` or `FastAPI` libraries themselves, which are well-vetted. User input is echoed, which is generally safe but could lead to verbose logs if complex objects are passed.
Updated: 2025-12-11