Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost

chatgpt-handoff-mcp

by yfzhou0904

Sec8

A minimal MCP server for seamless handoff of prompts from Claude Code to ChatGPT by copying them to the system clipboard.

Setup Requirements

  • ⚠️ Linux users require 'xclip' or 'xsel' to be installed for clipboard functionality.
  • ⚠️ Requires manual configuration in Claude Code's settings.json file (~/.config/claude-code/settings.json).
  • ⚠️ If using HTTP transport mode, the server must be manually started and kept running in a separate process.

Verified Safe
The server uses `exec.Command` for cross-platform clipboard operations. While the prompt content is generally passed via stdin to `pbcopy`, `xclip`, or `xsel`, and securely via a PowerShell here-string on Windows, this pattern always carries a theoretical, albeit low, risk of command injection or unforeseen interpretation of special characters by the external utilities if the input is malicious. However, no 'eval' or direct command-line argument injection using user input was found. There are no hardcoded secrets, and network exposure is limited to a local HTTP server if enabled.
Updated: 2025-11-26

Low Cost

oig_cloud_mcp

by psimsa

Sec8

Acts as a Model Context Protocol (MCP) server for OIG Cloud, providing an authenticated and observable tool-driven interface to the OIG Cloud API.

Setup Requirements

  • ⚠️ Requires Python 3.12+.
  • ⚠️ Depends on 'oig-cloud-client' from a direct Git repository, which might require Git to be installed and can be less stable than a PyPI package.
  • ⚠️ Requires 'whitelist.txt' to be present for any user authentication to succeed, with user emails listed in it.
  • ⚠️ For secure operation, the server should always be deployed behind HTTPS, as credentials are sent via HTTP headers (Base64-encoded or plaintext).

Verified Safe
Implements whitelist and rate limiting for authentication (in-memory, suitable for single-process only). Uses SHA256 for credential hashing. Provides dedicated fail2ban logging for authentication failures. Basic Auth and custom header credentials are sent via HTTP headers, which implicitly requires HTTPS for secure transmission. No 'eval' or malicious patterns found. The primary security limitation is the in-memory nature of the whitelist and rate limiter, which is suboptimal for distributed production deployments.
Updated: 2025-12-03

Low Cost

MCPSERVE

by srinivasan-govindaraj

Sec1

A server backend, likely related to the Minecraft Protocol (MCP), intended for game hosting or application services.

Review Required
CRITICAL: No source code was provided for analysis beyond the README title. Therefore, no security audit could be performed. Running any server without inspecting its source code for vulnerabilities (like 'eval', obfuscation, network risks, or hardcoded secrets) is extremely dangerous and highly discouraged. It is impossible to assess its safety, and it poses a severe security risk due to the complete lack of transparency.
Updated: 2025-12-05

Low Cost

seu-claude

by jardhel

Sec8

Provides a local Model Context Protocol (MCP) server for Claude Code, enabling proactive semantic indexing of entire codebases using AST-based chunking, cross-reference tracking, and efficient local vector search to enhance Claude's understanding and retrieval capabilities.

Setup Requirements

  • ⚠️ Requires Node.js version 20 or greater.
  • ⚠️ Initial setup involves downloading Tree-sitter language grammars, typically handled automatically by a `postinstall` script or manually via `npm run download-grammars`.
  • ⚠️ The embedding model (~30-70MB) will download on first use or can be pre-downloaded via `npm run download-model`.
  • ⚠️ Requires the `git` CLI installed for git-aware features and for the automated setup script to detect the project root.

Verified Safe
The server uses `execSync` for internal system operations (like Git commands and Node.js version checks), which is generally safe when inputs are controlled and not directly user-provided. Input validation (`validateFilePath`, `validateSearchQuery`) is implemented to prevent common path traversal and injection attacks on file paths and search queries. The embedding engine downloads models from HuggingFace, a standard external dependency for AI models. No hardcoded secrets were found. The primary risk is the inherent nature of running arbitrary `npx` commands or misconfiguring system paths, which is mitigated by input validation for tool arguments.
Updated: 2026-01-19

Medium Cost

MCP-tools-for-VR-Builder

by MindPort-GmbH

Sec8

Enables AI assistants to programmatically create and modify VR Builder training processes within the Unity editor.

Setup Requirements

  • ⚠️ Requires Unity 6000.0.x or higher.
  • ⚠️ Requires VR Builder Core 5.5.0 or higher package.
  • ⚠️ Requires at least one Unity MCP framework (CoplayDev or IvanMurzak) to be installed.
  • ⚠️ When using com.ivanmurzak.unity.mcp, JSON input field names must be camelCase.

Verified Safe
The Python tool `create_vr_builder_process` constructs a structured JSON payload to send commands to a Unity-based MCP server. There are no explicit `eval` or direct arbitrary code execution patterns visible in the provided Python code. The primary security consideration would be the robustness of the Unity-side implementation of `VRBuilderProcessService` against crafted inputs, which is not provided. Given it operates within a Unity development environment, typical remote server risks are mitigated.
Updated: 2025-12-05

Medium Cost

mcp-bzm-apitest

by Runscope

Sec9

The BlazeMeter API Test MCP Server allows AI agents to manage teams, buckets, tests, schedules, steps, environments, and analyze results within the BlazeMeter API Monitoring platform.

Setup Requirements

  • ⚠️ Requires a BlazeMeter API Monitoring Access Token.
  • ⚠️ Requires compliance with BlazeMeter API Monitoring AI Consent settings.
  • ⚠️ Python 3.11+ is required for installation from source code.

Verified Safe
The server employs good security practices, including the use of `defusedxml` to prevent XML External Entity (XXE) attacks and `nh3` for HTML sanitization to mitigate Cross-Site Scripting (XSS) vulnerabilities. API tokens are designed to be handled via environment variables or secure files, avoiding hardcoding. Input validation is applied for different body types (JSON, XML, HTML, text).
Updated: 2025-11-27

Medium Cost

mcp-server-langgraph-demo

by pravinmenghani1

Sec1

This project demonstrates a server-side application integrating the LangGraph library, likely for building and orchestrating AI agent workflows.

Setup Requirements

  • ⚠️ Requires an API key for a Language Model Provider (e.g., OpenAI, Anthropic).

Review Required
No source code was provided for analysis beyond the README title. Therefore, a comprehensive security audit is impossible. Cannot verify the absence of dangerous patterns like 'eval', hardcoded secrets, or malicious network interactions. Running this code without review would be highly risky.
Updated: 2025-12-13

Medium Cost

kommo-mcp-server

by cardosolucass96

Sec9

Enables AI agents to interact with Kommo CRM by providing a Model Context Protocol (MCP) server over HTTP.

Setup Requirements

  • ⚠️ Requires `MCP_PASSWORD` environment variable to be set; the server will not start without it.
  • ⚠️ Requires a valid Kommo CRM subdomain and an API Access Token, both to be provided in the Bearer authentication token.
  • ⚠️ The server is a Node.js application, requiring Node.js (v18+) and npm/yarn for installation and execution.

Verified Safe
The server implements strong security practices including a mandatory `MCP_PASSWORD` environment variable, robust input validation using Zod schemas for all tool parameters, and structured JSON-RPC error handling. Authentication relies on a multi-part bearer token (MCP_PASSWORD|subdomain|kommoAccessToken), with server-side validation of the `MCP_PASSWORD`. CORS is enabled with a wildcard origin (`*`), which is generally permissive but may be acceptable for AI agent integrations. No 'eval' or malicious patterns were found in the provided source code.
Updated: 2025-12-17

High Cost

badger-graph

by floydw1234

Sec4

Visualizes, searches, and queries code graphs to enhance code understanding and assist LLMs in coding tasks.

Setup Requirements

  • ⚠️ Requires Docker for Dgraph setup (`badger init_graph`)
  • ⚠️ Requires GPU with CUDA support for embedding generation (`EmbeddingService` checks `torch.cuda.is_available()` and compute capability)
  • ⚠️ Relies on local (vLLM/Ollama) or remote OpenAI-compatible LLMs for semantic search and agent responses
  • ⚠️ Requires a Dgraph instance (local or remote) to be running and accessible

Review Required
The compiled JavaScript for the VSCode extension (`vscode_ext/out/extension.js`) contains `eval(func);`, which is an inherent security risk, even if intended for legitimate dynamic loading. The `tool_edit_file` function (`cli/badger/main.py`) allows modifications to arbitrary files, though it is mitigated by a preview and user confirmation step. The system connects to a Dgraph instance (potentially remote) and external LLMs, introducing network-based risks related to data transmission and endpoint security. The `EmbeddingService` loads external models, which could be a supply chain risk if not from trusted sources.
Updated: 2025-11-21

Low Cost
Sec8

Provides a lightweight Model Context Protocol (MCP) server for integrating with GitHub APIs to fetch, transform, cache, and route GitHub data, acting as a bridge for client applications.

Setup Requirements

  • ⚠️ Requires Python 3.10 or newer.
  • ⚠️ An active GitHub API token is mandatory for authenticating with GitHub, particularly for accessing private resources or performing write operations.

Verified Safe
The server adheres to good practices by loading the GitHub token from environment variables. No direct use of 'eval' or code obfuscation is present. The 'get_file_content' function constructs URLs to raw.githubusercontent.com, which is designed to fetch public raw file content from GitHub and is inherently limited to that domain, reducing arbitrary Server-Side Request Forgery (SSRF) risk to internal networks. The primary security consideration lies in the scope of the `GITHUB_TOKEN` provided; if granted broad permissions (e.g., 'repo' scope), the server acts as a powerful proxy, enabling clients capable of invoking its MCP tools to perform sensitive GitHub actions. Secure deployment requires careful token scope management and robust authentication/authorization for clients interacting with the MCP server.
Updated: 2026-01-19

Low Cost
Sec8

Enables an AI model (specifically Google Gemini) to interact with and utilize custom external tools/functions defined on a local server via the Model Context Protocol.

Setup Requirements

  • ⚠️ Requires a Google Gemini API Key configured as GEMINI_API_KEY in a .env file (likely a paid service).
  • ⚠️ Requires Node.js runtime (version 20.0.0 or higher as per @google/genai dependency).

Verified Safe
The server uses `dotenv` to load API keys from environment variables, avoiding hardcoded secrets. Communication between the client and server is handled via STDIN/STDOUT using `StdioClientTransport` and `StdioServerTransport`, which limits direct external network exposure for the server itself, enhancing security. The system's overall security depends on the nature of the tools registered and the access permissions granted to the Node.js process.
Updated: 2025-11-25

Medium Cost

quercle-mcp

by quercledev

Sec9

Provides AI-powered web fetching and search capabilities to AI agents via the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️ Requires a Quercle API key (paid service) from quercle.dev.
  • ⚠️ Relies on the external Quercle API for all core functionality.
  • ⚠️ Requires Node.js version 18 or higher.

Verified Safe
The server primarily acts as a wrapper, forwarding requests to the external Quercle API. It correctly handles the API key via environment variables, avoiding hardcoding. No 'eval' or direct execution of user-provided code on the local server is observed. Potential security considerations are primarily inherited from the underlying Quercle API and its handling of prompts and queries. The immediate server code appears clean and focused.
Updated: 2025-12-15