Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

Vetted Servers (8554)

Low Cost

tutto-mcp-server

by leandrodpaula

Sec8

Implements a Model Context Protocol (MCP) server in Python using FastMCP to expose custom tools and resources for consumption by language models.

Setup Requirements

  • ⚠️ Requires Python 3.10 or higher

Verified Safe
The provided code for tools (`hello`, `add_numbers`, `uppercase_text`, etc.) is simple and does not contain obvious vulnerabilities like 'eval', direct shell calls, or hardcoded secrets. Type hints are used for parameter validation. The project documentation explicitly acknowledges the need for implementing sanitization, rate limiting, and authentication for a robust production environment, suggesting a good awareness of security considerations beyond the current basic implementation.
Updated: 2025-11-18

Medium Cost

backlog-mcp-server

by shueisha-arts-and-digital

Sec9

Enables AI agents to interact with the Backlog API to retrieve issue details, comments, and attachments for project management and task analysis.

Setup Requirements

  • ⚠️ Requires Node.js 20 or higher and NPM 10 or higher.
  • ⚠️ Requires a Backlog API Key and your Backlog domain to be configured as environment variables (BACKLOG_API_KEY, BACKLOG_DOMAIN).
  • ⚠️ The README states that an 'official backlog-mcp-server' by Nulab has been released and suggests using that instead, implying this repository might be an older or community-maintained version.

Verified Safe
The server correctly loads API keys and domain from environment variables, avoiding hardcoded secrets. It utilizes HTTPS for all API communication via axios. There are no explicit uses of 'eval' or obfuscation. Error handling for API calls is implemented. The 'get_issue_attachment' tool truncates the Base64 file data for the content returned to the LLM, which helps manage output size, but the full file content is still processed internally during the API call.
Updated: 2025-12-17

Low Cost
Sec9

A remote Model Context Protocol (MCP) server deployed on Cloudflare Workers, providing AI tools authenticated via Google OAuth for consumption by AI clients.

Setup Requirements

  • ⚠️ Requires a Cloudflare Workers account for deployment.
  • ⚠️ Requires Google OAuth credentials (Client ID and Client Secret) to be configured as environment variables.
  • ⚠️ Requires Cloudflare KV Namespace ('OAUTH_KV') and Durable Object Namespace ('MCP_OBJECT') bindings.
  • ⚠️ Requires a `COOKIE_ENCRYPTION_KEY` environment variable for the OAuth provider.

Verified Safe
The server implements Google OAuth for user authentication, using environment variables (`GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET`, `COOKIE_ENCRYPTION_KEY`) for sensitive credentials. OAuth state is stored in a KV namespace with an expiration TTL for CSRF protection. Email verification and optional domain restriction (`ALLOWED_DOMAIN`) enhance security. The current MCP tools (`add`, `calculate`, `whoami`) are simple and do not pose direct execution risks or make external API calls beyond the OAuth flow. No 'eval' or obvious obfuscation is detected. The name 'remote-mcp-server-authless' in the README is misleading given that the actual source code includes full OAuth.
Updated: 2025-12-03

Medium Cost

my_mcp_server

by Gegelascience

Sec6

This Next.js server exposes various external data sources (Paris public transport, NPM package information, EAN barcode generation) as tools via the Model Context Protocol, enabling integrations with AI models or other systems.

Setup Requirements

  • ⚠️ Requires an API key from Ile-de-France Mobilités (IDF Mobilités) for the `/api/idfTraficInfo` endpoint, which must be provided in the request URL path.
  • ⚠️ The `mcp-handler` dependency might implicitly require a Redis server for session management or tool catalog storage, although no explicit configuration for Redis is found in the provided server code.

Verified Safe
The 'apikey' for the 'idfTraficInfo' service is expected to be passed directly in the URL path, meaning it is exposed in network requests, URL history, and server logs. While this is likely intended as a client-provided key for the external service, logging it via `console.log("apikey", apikey);` poses a minor information leak risk. No 'eval' or deliberate obfuscation was found. The server acts as a proxy to external APIs, inheriting potential network risks from those services.
Updated: 2025-12-21

Low Cost

An AI-powered financial analysis CrewAI project that identifies trending companies, conducts detailed research, and picks the best investment opportunity.

Setup Requirements

  • ⚠️ Requires OpenAI API Key (Paid Service)
  • ⚠️ Requires Serper API Key (Paid Service)
  • ⚠️ Requires Pushover User Key and Token (Registration for service)

Verified Safe
Uses os.getenv for API keys (good practice). Makes external API calls to Serper (web search) and Pushover (notifications), which are standard for such applications but rely on secure management of API keys. Local SQLite for memory storage is generally safe. No 'eval' or other obvious malicious patterns found.
Updated: 2025-11-27

Medium Cost

fathom-mcp

by matthewbergvinson

Sec9

Integrates Fathom.video with AI coding assistants to access meeting transcripts, summaries, and action items via natural language queries.

Setup Requirements

  • ⚠️ Requires a Fathom API Key, which must be generated from Fathom settings.
  • ⚠️ Requires Node.js version 18 or higher.
  • ⚠️ Intended for use with Cursor IDE, requiring specific configuration in `~/.cursor/mcp.json`.
  • ⚠️ The output directory for exported transcripts (`FATHOM_OUTPUT_DIR`) needs to be configured, defaulting to `process.cwd()/transcripts` if not set.

Verified Safe
The server primarily interacts with the Fathom API and performs local file system operations for exports. API keys are handled via environment variables, not hardcoded. The use of `path.join` for file paths helps mitigate basic path traversal risks for exports. No 'eval' or malicious patterns were found. The primary security consideration is ensuring the `FATHOM_OUTPUT_DIR` environment variable is set to a safe and appropriate location on the user's local file system.
Updated: 2025-12-01

Low Cost

docker-tui

by eviltik

Sec7

A Terminal User Interface (TUI) for managing Docker containers and exposing container operations via an MCP HTTP server for AI integration.

Setup Requirements

  • ⚠️ Docker daemon must be installed and running.
  • ⚠️ User requires permissions to access the Docker socket (e.g., by being in the 'docker' group).

Verified Safe
The MCP server exposes full control over Docker containers (start, stop, remove, logs) via an HTTP API. While it defaults to localhost, exposing this port to an untrusted network grants significant power, including forced container removal. The application demonstrates strong internal code safety (goroutine leak prevention, mutexes, panic recovery) but the inherent function of exposing Docker daemon control over a network interface carries high security implications. Users should ensure network isolation or appropriate authentication for the MCP server if it's not strictly local.
Updated: 2025-11-29

Medium Cost
Sec5

Connects AI assistants to Figma for real-time console access, visual debugging, design system extraction, and design creation/variable management, primarily in local development environments.

Setup Requirements

  • ⚠️ Requires manually launching Figma Desktop with the `--remote-debugging-port=9222` flag every time Figma is opened.
  • ⚠️ Requires manual installation and continuous running of the 'Figma Desktop Bridge' plugin within Figma Desktop for critical features like variables (without Enterprise plan), reliable component descriptions, and all design write operations.
  • ⚠️ Key features, such as reliable library variable ID resolution and all 'Desktop Bridge' functionalities, are explicitly stated to work only in 'Local Mode', not in the Cloudflare Worker 'Remote Mode'.
  • ⚠️ A Figma API Token (`FIGMA_ACCESS_TOKEN`) is optional for the primary `figma_get_library_variables` tool (when using the Desktop Bridge plugin) but is required for other REST API-dependent tools like `figma_get_variables` (without console fallback) and `figma_get_file_data`.

Review Required
The `figma_execute` tool allows arbitrary JavaScript code execution within the powerful Figma Plugin API context, presenting a significant risk if the AI is compromised or misused. The default configuration for Puppeteer (`src/core/config.ts`) uses the `--no-sandbox` argument, which is explicitly warned against for untrusted environments. While OAuth is implemented for Cloudflare mode, local mode relies on a direct Figma Desktop connection, which requires specific manual setup. The 'Desktop Bridge' plugin, a core component, has `networkAccess: allowedDomains: ["none"]`, which is a good security practice for the plugin itself by preventing external network requests. Overall, running this project requires a high degree of trust in the AI's generated code and a securely configured local execution environment.
Updated: 2026-01-17

Medium Cost

optics-mcp

by RoleModel

Sec9

Enables LLMs to understand, query, and generate content based on the Optics Design System's design tokens, components, and documentation.

Setup Requirements

  • ⚠️ Requires Node.js 18 or higher to run.
  • ⚠️ For zero-install `npx optics-mcp` from GitHub Packages (current status), users may need to configure a GitHub Personal Access Token (`read:packages` scope) in their `.npmrc` for authentication.
  • ⚠️ When installing from source, MCP client configurations (e.g., Claude Desktop) require absolute paths to `dist/index.js`, not relative paths like `~/`.

Verified Safe
The server primarily uses stdio transport for communication, limiting direct network exposure. It's designed for local use by an MCP client, storing no sensitive data and performing only read-only operations on bundled design system data. There are no explicit uses of `eval`, code obfuscation, or hardcoded secrets for its runtime operation. The `@modelcontextprotocol/sdk` dependency includes modules like `express` and `jose`, but the server's `StdioServerTransport` implementation bypasses typical web server setups, mitigating associated risks. The GitHub token mentioned in the installation steps is for package access, not server runtime.
Updated: 2026-01-07

Low Cost
Sec4

The server acts as an ecosystem's long-term memory, recording, recalling, and learning from experiences using Case-Based Reasoning (CBR).

Setup Requirements

  • ⚠️ Requires Node.js >= 18 for full compatibility with dependencies.
  • ⚠️ Full functionality within the 'ecosystem' requires other Model Context Protocol (MCP) services (e.g., consciousness, verifier) to be running and configured in 'config/interlock.json'.

Review Required
The server's HTTP, WebSocket, and UDP interfaces lack explicit authentication and authorization. The HTTP API exposes internal tool handlers via an endpoint (`/api/tools/:toolName`) that directly executes tool functions with user input (`req.body`) that is not validated against the defined JSON schemas. This design, coupled with permissive CORS (`Access-Control-Allow-Origin: *`), makes the server vulnerable to unauthenticated access, arbitrary tool execution, and potential data manipulation or denial-of-service if exposed to untrusted networks or compromised peers. The UDP InterLock mesh also operates without authentication, relying solely on a basic signal whitelist (tumbler).
Updated: 2026-01-17

Low Cost

rolling-dice-mcp-server

by shalusingh-tech

Sec10

This server provides a simple API to simulate rolling a dice with a specified number of sides.

Setup Requirements

  • ⚠️ Requires Python installed
  • ⚠️ Requires fastmcp library (pip install fastmcp)

Verified Safe
The code is extremely simple, utilizing only the `random` module for dice rolls and `fastmcp` for server functionality. There are no 'eval' or 'exec' calls, no network risks beyond the stdio transport, no hardcoded secrets, and no apparent malicious patterns. It is very safe based on the provided source.
Updated: 2025-11-27

Low Cost

Deploys an authentication-less Model Context Protocol (MCP) server on Cloudflare Workers, exposing basic calculator tools for AI models or clients.

Setup Requirements

  • ⚠️ Requires a Cloudflare Workers account for deployment.
  • ⚠️ Relies on Cloudflare's `wrangler` CLI for local development and deployment.
  • ⚠️ Designed to be 'authless' for demonstration purposes; lacks inherent authentication/authorization for exposed tools, making it unsuitable for sensitive operations without modifications.

Verified Safe
The provided source code is clean, utilizes Zod for input validation, and does not contain obvious malicious patterns or direct 'eval' calls. It relies on the security of the `@modelcontextprotocol/sdk` and `agents` libraries. The server is explicitly designed to be 'authless' for demonstration purposes, meaning it lacks inherent authentication or authorization, which is a design choice for this demo but would be a critical security concern for sensitive operations.
Updated: 2025-11-22