Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

0
0
Medium Cost
samzhu icon

docmcp-server

by samzhu

Sec9

A Documentation Model Context Protocol (MCP) Server for AI agents, providing indexed technical documentation, full-text and semantic search, code examples, and API key management.

Setup Requirements

  • ⚠️Requires Java 21+ for Virtual Threads support
  • ⚠️Requires PostgreSQL database with pgvector extension (can be run via Docker Compose locally)
  • ⚠️Requires Google GenAI API Key (Paid service) for embedding generation
  • ⚠️GitHub Token is highly recommended for documentation synchronization to avoid hitting lower API rate limits
Verified SafeView Analysis
The application implements robust API Key authentication using BCrypt hashing and rate limiting. Spring Security is used for access control to API and MCP endpoints. CSRF protection is explicitly disabled for the web UI, which is noted in the code as a simplification and should be reviewed for production environments if the web UI is exposed to external users. No obvious hardcoded secrets or malicious patterns were found in the provided code snippets.
Updated: 2026-01-19GitHub
0
0
Low Cost
acorn025 icon

mcp-server

by acorn025

Sec3

An MCP server providing tools for basic text/math operations, resource fetching, and AI-assisted nickname generation by orchestrating a Python module.

Setup Requirements

  • ⚠️Requires Node.js 18+ to run the server.
  • ⚠️Requires Python 3 (callable as 'python' in PATH) for the `generate_nickname` tool.
Review RequiredView Analysis
The server uses `child_process.exec` to run a dynamically generated Python script. User-provided tool arguments are embedded into this Python script's source code, written to a temporary file, and then executed. While `JSON.stringify` is used to escape the arguments for Python's `json.loads`, and the script path is controlled, this pattern is inherently risky. Any subtle flaw in the escaping or shell command interpolation could lead to arbitrary code execution, making it a critical vulnerability.
Updated: 2025-11-25GitHub
0
0
Low Cost
carm-outsource icon

SpigotMCP

by carm-outsource

Sec4

Provides a Model Context Protocol (MCP) server for a Spigot (Minecraft) plugin, allowing external AI models or clients to interact with the game state and perform actions via registered tools.

Setup Requirements

  • ⚠️Requires a running Minecraft Spigot/Paper server.
  • ⚠️The 'CoreProtect' plugin is required on the Minecraft server for the 'player-session-lookup' tool to function correctly.
Review RequiredView Analysis
The server starts an embedded Jetty web server, exposing Spigot server functionalities (like player status and CoreProtect session lookups) via the Model Context Protocol. There are no visible authentication or authorization mechanisms in the provided source code for accessing these MCP endpoints. Exposing this server to an untrusted network or the internet could lead to unauthorized access to game data and potential abuse of server resources. Input parameters for tools are directly used in Bukkit/CoreProtect API calls, which, while type-checked by Java, could potentially be crafted to induce unexpected behavior or resource exhaustion depending on the robustness of the underlying APIs.
Updated: 2026-01-09GitHub
0
0
Low Cost
rasidabdul icon
Sec4

An MCP (Model Context Protocol) server that provides AI assistants with real-time weather forecasts and alerts by integrating with the National Weather Service (NWS) API.

Setup Requirements

  • ⚠️Requires Java 21 JVM
Verified SafeView Analysis
The server explicitly lacks Spring Security integration, robust input validation for coordinates and state codes, and rate limiting mechanisms. This design makes it highly susceptible to input-related vulnerabilities and potential abuse. Additionally, error information leakage (e.g., stack traces) is not explicitly handled, which could expose internal details.
Updated: 2025-11-19GitHub
0
0
Medium Cost
GlacierEQ icon
Sec1

Tracks TRO expirations and motion deadlines in legal case management systems.

Review RequiredView Analysis
Insufficient source code provided for a security audit. Only README.md was available, making it impossible to check for 'eval', obfuscation, network risks, hardcoded secrets, or malicious patterns. Therefore, safety cannot be guaranteed.
Updated: 2025-11-23GitHub
0
0
Medium Cost
MuhammadDastgeer icon

Manim-Mcp-Server

by MuhammadDastgeer

Sec1

This server provides an MCP interface to execute Manim code for generating animations and videos, allowing remote control over Manim's rendering capabilities.

Setup Requirements

  • ⚠️Requires the Manim animation engine to be installed and accessible (either in PATH or via MANIM_EXECUTABLE environment variable).
  • ⚠️Manim often requires a specific Python environment setup, which needs to be managed by the user.
  • ⚠️Generated video files can consume significant disk space; manual cleanup or robust automatic cleanup of temporary directories is essential to prevent disk exhaustion.
Review RequiredView Analysis
The `execute_manim_code` function allows arbitrary Python code to be executed via `subprocess.run` by writing user-supplied `manim_code` to a script file (`scene.py`) and then invoking the Manim executable on it. This presents a critical Remote Code Execution (RCE) vulnerability. An attacker can craft `manim_code` to execute any command on the host system, leading to severe compromise.
Updated: 2025-11-25GitHub
0
0
Medium Cost
mlamoure icon
Sec8

Provides browser automation capabilities via Selenium Grid, allowing AI agents to drive web browsers step-by-step using MCP tools.

Setup Requirements

  • ⚠️Requires Python 3.12+ for manual installation.
  • ⚠️Requires a running Selenium Grid instance, typically deployed via Docker Compose or separately.
  • ⚠️Optional API key authentication can be configured for secure deployment.
Verified SafeView Analysis
The server relies on client (AI agent) instructions to drive the browser. It includes domain guardrails to restrict navigation and supports optional API key authentication for access control. Direct JavaScript execution is a core feature, meaning the server trusts its clients not to execute malicious scripts within the browser context. Configuration defaults for `SELENIUM_GRID_URL` are often localhost, but `start-local.sh` points to an external URL as a default, which might expose unintended network traffic if not reviewed.
Updated: 2025-12-02GitHub
0
0
Medium Cost
Procentaurus icon

MCP-Server

by Procentaurus

Sec9

An LLM-powered agent that fetches current and historical currency exchange rates by calling external API tools.

Setup Requirements

  • ⚠️Requires a Google Gemini API Key (GEMINI_API_KEY) configured as an environment variable (paid service).
  • ⚠️Requires Python 3.13 or higher.
  • ⚠️The 'uv' package manager is used in the setup instructions.
Verified SafeView Analysis
The server and client use standard libraries and patterns. The client loads the Google Gemini API key from environment variables. There is no usage of 'eval' or other dynamic code execution functions. Network requests are made to a known public currency exchange API (api.frankfurter.dev) using `httpx`. The server itself does not expose a network interface directly, but communicates with the client via standard I/O (stdio), which the client launches as a subprocess.
Updated: 2025-12-10GitHub
0
0
Low Cost
tomherbron icon

mcp-demo

by tomherbron

Sec6

Provides a Model Context Protocol (MCP) server for Claude Desktop to manage a shopping cart system, including product and cart operations.

Setup Requirements

  • ⚠️Requires Java Development Kit (JDK) 21 or higher.
  • ⚠️Requires Docker and Docker Compose to run the PostgreSQL database.
  • ⚠️Primarily designed for integration with Claude Desktop via Model Context Protocol (MCP) STDIO mode.
Verified SafeView Analysis
Hardcoded PostgreSQL database credentials (username: postgres, password: postgres) in `application.yaml` pose a security risk if deployed in production environments. The application communicates via STDIO, mitigating direct network exposure of the application logic itself, but the database is exposed locally.
Updated: 2025-11-20GitHub
0
0
Low Cost
tianhuil icon

agent-state

by tianhuil

Sec8

A Model Context Protocol (MCP) server for managing agent state and logs, facilitating interruption and resumption of long-lived agents.

Setup Requirements

  • ⚠️Requires Python 3.14+
  • ⚠️Requires the `uv` package manager for dependency management and execution
  • ⚠️Manual configuration of absolute paths in Claude Desktop or Cursor settings JSON is required
Verified SafeView Analysis
The server reads and writes to local files (`.agent-state.txt`, `.agent-log.txt`) within a user-provided `directory`. While the `directory` parameter is validated to be an absolute and existing directory, an upstream agent could potentially provide a valid but undesirable directory (e.g., a system directory) if not properly controlled by the calling environment. No direct malicious patterns like `eval`, hardcoded secrets, or network risks are apparent in the provided source.
Updated: 2025-12-12GitHub
0
0
Medium Cost
Sunalamye icon

RedmineMCP

by Sunalamye

Sec9

Integrate and manage Redmine projects, issues, time entries, and other data programmatically through a high-performance Rust-based MCP server.

Setup Requirements

  • ⚠️Requires a running Redmine instance with REST API enabled (Administration → Settings → API).
  • ⚠️Mandatory environment variables: REDMINE_URL (Redmine instance URL) and REDMINE_TOKEN (Redmine API access key).
  • ⚠️For building from source, Rust 1.75+ toolchain is required.
Verified SafeView Analysis
The server is implemented in Rust, contributing to memory safety. It explicitly handles Redmine API tokens via environment variables, with warnings against committing them to version control. A built-in log viewer redacts sensitive data (like API tokens) and listens only on localhost by default, limiting network exposure. The `redmine_request` tool allows generic API calls, which grants broad access to the Redmine API and should be used carefully by the calling agent to avoid unintended actions or data exposure if misused.
Updated: 2026-01-19GitHub
0
0
Medium Cost
RhombusSystems icon

rhombus-node-mcp

by RhombusSystems

Sec8

Integrate Rhombus security and surveillance system capabilities with AI chatbots, allowing AI agents to query and manage security devices and events.

Setup Requirements

  • ⚠️Requires a Rhombus API Key (`RHOMBUS_API_KEY`) configured in the environment.
  • ⚠️Requires Docker or a Node.js runtime environment.
  • ⚠️Primarily designed for integration with Claude Desktop, requiring specific configuration within the Claude Desktop application.
Verified SafeView Analysis
The server correctly retrieves API keys from environment variables. CORS is set to `origin: ['*']` which is generally permissive, but noted as a 'TODO: domain' and likely intended for controlled client integrations (e.g., Claude Desktop). No direct use of `eval` or unhandled shell commands identified. Authentication mechanisms are robust, handling OAuth tokens, API keys, and session-based authentication with explicit error handling for invalid credentials. Overall, it appears safe to run, assuming the `RHOMBUS_API_KEY` is managed securely by the user.
Updated: 2025-12-03GitHub
PreviousPage 601 of 713Next