Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost

mcp-oidc-nx-poc

by adem-hassine

Sec8

Demonstrates a Keycloak-protected Model Context Protocol (MCP) server for OIDC-based authentication and authorization of various backend tools.

Setup Requirements

  • ⚠️Requires Node.js v20.19.3 to be installed and used (e.g., via nvm).
  • ⚠️Docker and Docker Compose are essential for running Keycloak and MySQL services locally.
  • ⚠️The Keycloak realm configuration, including users, roles, and clients (e.g., 'mcp-react-client' and the 'math-ops' role), is pre-defined in `docker/keycloak-realm-config/realm-export.json` and must be imported into Keycloak for the demo to function.
  • ⚠️The React client's OIDC `redirect_uri` is explicitly configured as `http://localhost:3333/react`, which must match the Keycloak client setup and where the React application is served by the `mcp-server`.
Verified Safe
The server uses `jose` for JWT verification and implements role/scope-based authorization, with `zod` for input validation, which are good practices. CORS is configurable. The `execSync` import in `AppController.ts` is present but not used in the provided code, which could be a risk if activated without care. Development Keycloak credentials (`admin`/`admin`) and empty MySQL password are used in `docker-compose.yml`, explicitly noted as needing hardening for production.
Updated: 2025-11-29

Low Cost

awesome-mcp-servers

by VshareCloud-Project

Sec10

This repository serves as a curated catalog for discovering production-ready MCP servers.

Verified Safe
The provided source code is limited to a README.md file, which does not contain executable code to audit for security risks. The repository itself is a static list of external servers, thus posing no direct security threat from its own code.
Updated: 2025-11-20

Low Cost
Sec2

Manages inventory data by providing tools to add, remove, check stock, and list items.

Setup Requirements

  • ⚠️Python 3.13+ required
  • ⚠️MySQL database server must be running and accessible with a database named 'inventory_system'
  • ⚠️Database user 'root' with an empty password is used (highly insecure and often requires specific MySQL configuration for this privilege)
  • ⚠️`mysql-connector-python` library must be installed (`pip install mysql-connector-python`)
Review Required
CRITICAL: Hardcoded MySQL root user with an empty password in `db_config`. This poses a severe security risk, allowing unauthorized database access if exposed. No environment variables are used for credentials.
Updated: 2025-12-03

Low Cost

Exposing secure, role-based tools to LLMs via the Model Context Protocol (MCP) using ASP.NET Core and Azure Entra ID.

Setup Requirements

  • ⚠️Requires a comprehensive Azure Entra ID (App Registration, role definitions, API exposure, client authorization) setup, which can be complex.
  • ⚠️Manual configuration of Azure AD tenant ID and client ID in appsettings.json or as environment variables is necessary.
  • ⚠️This demo is specifically tailored to work with VS Code as an authorized MCP client, using its client ID.
Verified Safe
The server explicitly prioritizes security by integrating Azure Entra ID (OAuth2/OpenID Connect) for authentication and granular Role-Based Access Control (RBAC) for tool authorization. JWT Bearer token authentication is used. Configuration relies on appsettings.json or environment variables for sensitive Azure AD details, preventing hardcoding. The deployment script (`deploy.sh`) uses standard Azure CLI commands for secure configuration and deployment. No `eval` or obvious malicious patterns were found. The primary security model is robust, relying on established Microsoft security practices.
Updated: 2025-12-06

Low Cost

query-tool

by mark-hingston

Sec8

An MCP (Model Context Protocol) server for querying vector stores and knowledge graphs using semantic and relationship-aware search.

Setup Requirements

  • ⚠️Requires Node.js 18+.
  • ⚠️Requires an existing embeddings index generated by the `lance-embedder` project.
  • ⚠️Requires LM Studio (or compatible service) running locally with an embedding model loaded, accessible via `--base-url`.
Verified Safe
The server primarily uses standard I/O (MCP Stdio Transport), minimizing direct network exposure. It relies on a user-provided `--base-url` for embedding generation, typically pointing to a local LM Studio instance. While a misconfigured `--base-url` could potentially direct embedding data to a malicious external service, this vulnerability requires an initial compromise of the host running the server. File system access is confined to the specified `--index-path`. No explicit use of `eval`, code obfuscation, or hardcoded sensitive API keys (OpenAI API key is explicitly 'not-needed') was found.
Updated: 2025-12-05

High Cost

obsidian-vault-mcp

by ebullient

Sec8

An Obsidian plugin that runs an MCP server, enabling external LLM tools to access and interact with your vault.

Setup Requirements

  • ⚠️Requires Node.js 18+ for the mcp-bridge.js script (for Claude Desktop integration).
  • ⚠️Requires a desktop environment (Obsidian desktop application).
  • ⚠️Requires the Templater plugin for advanced template functionality when using 'create_note' with templates.
  • ⚠️The Obsidian vault containing the plugin must be open and the plugin enabled for the server to run.
Verified Safe
The plugin runs a local HTTP server and can optionally bind to all network interfaces (0.0.0.0). When enabling network access, bearer token authentication is available and highly recommended for security. Path-based Access Control Lists (ACLs) are implemented to restrict read and write access to vault files based on user-defined glob patterns, but depend on responsible configuration by the user. The plugin explicitly states it does not connect to external services or collect telemetry. No hardcoded secrets were found. Regex is used for ACL patterns and link exclusion, which are configured by the user or provided by the LLM client; this introduces a configurable risk if malicious patterns are used by a compromised LLM client, though this is mitigated by the ACLs and authentication.
Updated: 2026-01-19

Medium Cost

opendota-mcp-server

by hkaanengin

Sec9

Provides a Model Context Protocol (MCP) server to query Dota 2 player statistics, match data, and hero information from the OpenDota API for AI assistants.

Setup Requirements

  • ⚠️Requires Python 3.10 or higher for local installation.
  • ⚠️An OpenDota API key is optional but highly recommended to avoid anonymous rate limits (50 requests/minute).
Verified Safe
The server fetches data from the OpenDota API and exposes it via Model Context Protocol (MCP) tools. It correctly handles sensitive information like the OpenDota API key by reading it from environment variables. No 'eval' or obfuscated code was identified. Network communication (HTTPX) is standard, and rate limiting is implemented to respect external API limits. The use of pre-loaded local JSON files for reference data is safe. Overall, the server appears robust and secure for its intended purpose of providing game data.
Updated: 2026-01-18

Low Cost

mcp-server-test

by vyshnev

Sec10

This server provides a simple Micro-service Control Protocol (MCP) interface for basic arithmetic and random number generation.

Setup Requirements

  • ⚠️Python 3.13+ required
Verified Safe
The code is very simple, performing basic arithmetic and random number generation without any dynamic code execution, external process calls, or handling of sensitive inputs that could lead to vulnerabilities. No hardcoded secrets or malicious patterns were observed.
Updated: 2025-11-24

Low Cost
Sec5

Provides a curated collection of free APIs for development, learning, and testing, including support for AI Agent integration via an MCP Server.

Setup Requirements

  • ⚠️Requires downloading and installing OS-specific binaries from GitHub releases, rather than building from source.
  • ⚠️The actual server/application source code is not provided, hindering a full security and architectural review.
Review Required
The provided source code is a documentation file (`index.md`) and does not contain the executable code for the 'MCP Server' or the 'free-apis-collection' application it describes. Therefore, direct analysis for `eval`, obfuscation, network risks, hardcoded secrets, or malicious patterns within the server's actual implementation is not possible based on the given input. The security of the downloadable binaries from the GitHub releases cannot be assessed without access to their source code. Running the described software without reviewing its source code carries inherent risks.
Updated: 2026-01-19

Medium Cost

superops-mcp

by limehawk

Sec7

Enables AI assistants to understand and interact with the SuperOps MSP GraphQL API for managing IT services for multiple client businesses.

Setup Requirements

  • ⚠️Requires SUPEROPS_API_KEY for authentication (obtained from SuperOps Admin > API Settings).
  • ⚠️Requires SUPEROPS_SUBDOMAIN (e.g., 'acme' from 'acme.superops.ai').
  • ⚠️Recommends 'bun' for faster startup times, although 'npx' also works.
  • ⚠️Underlying SuperOps API has a rate limit of 800 requests per minute.
  • ⚠️Date/time values in GraphQL operations must be in UTC timezone with ISO format (e.g., 2022-04-10T10:15:30).
  • ⚠️Mutations (write operations) can be blocked by setting SUPEROPS_READ_ONLY=true.
Verified Safe
The core application logic (src/index.mjs) for the MCP server was not provided, limiting a full security audit of the executable code. However, based on the available package.json and README.md files, there are no hardcoded secrets or immediately obvious malicious patterns. API keys and sensitive information are correctly configured to be passed via environment variables, which is a good security practice. Network communication is directed to standard HTTPS SuperOps API endpoints.
Updated: 2026-01-17

Medium Cost

hivemind-mcp

by Kevthetech143

Sec6

MCP server for collective debugging knowledge and project-specific knowledge bases for AI agents, aimed at improving AI's ability to troubleshoot and learn from developer experiences.

Setup Requirements

  • ⚠️Requires `git` installed in the execution environment for project scanning features.
  • ⚠️The Supabase backend, though not directly configured by the local MCP server, has a critical 'RLS Not Applied' security warning.
  • ⚠️User ID is generated and stored locally (`.user_id` file) or provided; this ID is crucial for interacting with project-specific knowledge bases.
Review Required
The server uses `child_process.execSync` within the `scanProject` function, which can be a security risk if the `projectPath` argument is not properly sanitized or if the execution environment is compromised. The `INTERNAL_ARCHITECTURE.md` explicitly states that Row-Level Security (RLS) is 'PENDING' on the Supabase database, which is a critical backend vulnerability, potentially allowing unauthorized access to data if the service role key is compromised or misused. However, the system includes strong positive security features for its public gateway, such as credential scanning on contributions (rejecting submissions with API keys, tokens, etc.), rate limiting per IP, IP banning capabilities, and the removal of previously hardcoded anonymous keys.
Updated: 2025-11-30

Medium Cost

rag-mcp

by ryddle

Sec8

A Model Context Protocol (MCP) server that provides Retrieval-Augmented Generation (RAG) capabilities using local embeddings and Qdrant vector database.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️Requires Ollama or LMStudio running locally for embedding generation.
  • ⚠️Requires Qdrant vector database running (e.g., via Docker).
Verified Safe
The server's network interactions are primarily with locally running services (Ollama/LMStudio for embeddings, Qdrant for vector storage), configurable via environment variables. There is no usage of 'eval' or direct system command execution identified. Input validation for tool parameters is provided through the MCP `inputSchema`. The main security consideration is ensuring that the `QDRANT_URL` and `EMBEDDING_BASE_URL` environment variables are configured to trusted local endpoints, as intended by the project's 'local embeddings' focus, to prevent unintended communication with malicious external services.
Updated: 2025-12-14