Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost

mcp-server

by alelunardi98

Sec7

An AI tool server exposing domain-specific functionalities in health and insurance to be consumed by Large Language Models.

Setup Requirements

  • ⚠️Requires JDK 17+
  • ⚠️Requires Maven or Gradle to build and run
  • ⚠️Intended for use with an external AI model orchestrator to leverage its tool-calling capabilities
Verified Safe
Default H2 in-memory database credentials (sa / "") and an enabled H2 console are present and insecure for production environments. Input validation for tool parameters, especially in methods exposed to AI, should be robust.
Updated: 2025-11-20

Low Cost

prometheus-remote-mcp-CDK

by MohamedSherifAbdelsamiea

Sec7

Serves Prometheus Model Context Protocol (MCP) data via AWS Lambda and API Gateway with Cognito authentication for querying Amazon Managed Prometheus.

Setup Requirements

  • ⚠️Requires an AWS Account and AWS CDK for deployment.
  • ⚠️Requires pre-configured Amazon Managed Prometheus (AMP) workspace, as indicated by '⚠️ NOT PART OF CDK 👤 USER MUST CONFIGURE' and 'Workspace ARN Required' in the architecture diagram. The `AMP_WORKSPACE_ARN` environment variable is critical.
  • ⚠️Cognito User Pool and OAuth Client setup is managed by CDK, but client-side configuration (`mcp-server-config.json` generation) needs to be handled post-deployment using the provided script or manual steps.
Verified Safe
The architecture utilizes AWS Lambda, API Gateway, and Cognito, which are robust AWS services for security. JWT validation is handled by a dedicated Lambda authorizer. The core MCP Lambda processes requests using pydantic models, reducing common injection vulnerabilities. The primary security concern is the `update-mcp-config-cloudshell.sh` script, which retrieves and writes `CLIENT_SECRET` to a local `mcp-server-config.json` file. While intended for secure setup in CloudShell, this file needs to be securely managed and ideally deleted post-configuration to prevent exposure of credentials if the deployment environment is compromised. No direct 'eval' or obvious malicious patterns were found in the application logic; `jq` is used for safe JSON manipulation in scripts. IAM roles for Lambda accessing AMP are assumed to be properly configured by the CDK.
Updated: 2025-12-05

Low Cost

A backend service providing basic arithmetic calculations through an API interface.

Review Required
A thorough security audit is impossible without the source code. Based solely on the project name 'simple-calculator-mcp-server', common risks for a server of this type include improper input validation, which could lead to denial-of-service or unexpected behavior. No indicators for 'eval', obfuscation, hardcoded secrets, or malicious patterns can be identified without the actual code.
Updated: 2025-11-27

Medium Cost

granola-mcp

by twanlass

Sec8

Provides tools for AI agents (like Claude) to access Granola meeting transcripts and AI-generated notes.

Setup Requirements

  • ⚠️Requires Node.js 20+
  • ⚠️Granola desktop app must be installed and logged in for credentials
  • ⚠️Requires manual configuration in Claude Desktop or Claude Code applications
Verified Safe
The server loads credentials (WorkOS access token) from the local Granola desktop app's configuration file (~/Library/Application Support/Granola/supabase.json), rather than requiring them as environment variables or hardcoding them. This approach relies on the Granola app's security for credential storage. Input validation for tools is performed using Zod. API calls are made over HTTPS, and errors are handled. There are no indications of 'eval', code obfuscation, or other overtly malicious patterns. The User-Agent is hardcoded but not a secret.
Updated: 2026-01-16

Medium Cost

vst-mcp-server

by thomasbunch

Sec8

An AI-assisted server for VST plugin development, offering DSP algorithms, audio formulas, JUCE templates, UI components, and code validation tools.

Setup Requirements

  • ⚠️Requires Node.js and npm installed.
  • ⚠️Running locally via `npm start` requires a build step (`npm run build`).
Verified Safe
The server uses standard Node.js/Express practices and the MCP SDK. It explicitly enables `Access-Control-Allow-Origin: *`, which is common for open APIs but implies broad access from any web domain. The `security-licensing.ts` file defines `EncryptedString` and `ObfuscatedValidator` as examples for plugin developers, not as part of the server's own internal security mechanisms. No obvious malicious patterns or direct use of `eval` or similar dangerous functions were found in the provided server-side code.
Updated: 2025-11-27

Medium Cost
Sec2

Integrates Spring AI with a PostgreSQL database to expose read-only database operations as tools for AI agents.

Setup Requirements

  • ⚠️Requires Java 17+ and Maven.
  • ⚠️Requires a running PostgreSQL database.
  • ⚠️Database connection environment variables (DB_URL, DB_USER, DB_PASSWORD) must be configured.
Review Required
CRITICAL: The `DatabaseService.executeQuery` method directly executes user-provided SQL strings without proper parameterization, making it highly vulnerable to SQL injection, even with the `SELECT` prefix check. An attacker could craft a `SELECT` statement to exfiltrate sensitive data, perform denial-of-service, or execute other malicious queries depending on database permissions. The example `claude_desktop_config.json` also hardcodes database credentials, which is a security risk if not managed properly.
Updated: 2025-11-29

Low Cost

Provides a server-side implementation for basic calculator operations, potentially over a custom message communication protocol.

Setup Requirements

  • ⚠️Requires a compatible runtime environment (e.g., Node.js, Python, Java - specific version unknown).
  • ⚠️Requires a client application that understands the specific 'MCP' protocol for interaction.
  • ⚠️May require specific network port configuration to avoid conflicts.
Review Required
Without access to the source code, a comprehensive security audit is impossible. Cannot check for specific vulnerabilities like 'eval' usage, obfuscation, hardcoded secrets, or malicious patterns. Any network risks associated with running a server cannot be assessed.
Updated: 2025-11-27

Low Cost

gamma-mcp-server

by KSAklfszf921

Sec9

Acts as a Model Context Protocol (MCP) server to enable AI assistants to generate presentations and documents via the Gamma.app API.

Setup Requirements

  • ⚠️Requires a valid GAMMA_API_KEY from Gamma.app, which may be a paid service.
  • ⚠️The server runs on port 3000 by default and might require firewall configuration for external access.
  • ⚠️The stdio mode is intentionally limited; for full functionality, the HTTP mode is required and recommended.
Verified Safe
The code is generally secure. It properly loads environment variables for sensitive API keys and doesn't appear to use dangerous functions like 'eval'. The HTTP server is configured to listen on all interfaces (`0.0.0.0`), which is standard for deployment but might require firewalling in production environments. The use of express and standard Node.js practices suggests a low risk of malicious code injection.
Updated: 2025-11-19

Medium Cost

Gemini_mcp_server

by afshan-ahmar

Sec1

A server application designed to host or manage instances of Minecraft Pocket Edition (MCP) games, potentially offering a web interface or API for administration.

Setup Requirements

  • ⚠️Source code was not provided, preventing identification of specific setup requirements or friction points.
Review Required
No source code was provided for analysis. Therefore, a security audit cannot be performed, and the safety of running this server cannot be assessed. The security score of 1 reflects this critical lack of information, making it impossible to guarantee safety.
Updated: 2025-12-03

High Cost

Sets up a local AI pair-programming environment with Ollama, Continue.dev, and various Model Context Protocol (MCP) servers to extend AI capabilities for development tasks without cloud dependencies.

Setup Requirements

  • ⚠️Docker Desktop/Engine is required for containerized MCP servers.
  • ⚠️Node.js (with npm) is required for installing many MCP servers globally.
  • ⚠️Ollama must be installed, and a large language model (e.g., Nemotron-9B) must be pulled locally.
  • ⚠️Users must manually configure '~/.continue/config.json' and set specific environment variables for certain MCP servers (e.g., GITHUB_TOKEN, SNYK_TOKEN).
Verified Safe
The system involves running multiple local services (Ollama, Docker containers, global npm packages) that grant broad permissions (e.g., Docker containers mount the entire project directory for read/write access via Filesystem and Git MCPs). While intended for functionality (AI agent interacting with the local codebase), this requires strong trust in all installed components and the AI itself. Environment variables for credentials (GitHub, Snyk, Sentry, Oxylabs) are required but not hardcoded in the provided source.
Updated: 2025-11-24

Low Cost

MyFastMCPServer

by meghnakartha

Sec10

A basic HTTP server exposing 'add' and 'get_weather' tools using the FastMCP framework for demonstrating API capabilities.

Setup Requirements

  • ⚠️Requires the 'fastmcp' Python library to be installed.
  • ⚠️Requires Python environment (e.g., Python 3.6+).
Verified Safe
The provided source code is simple and contains no explicit security vulnerabilities like 'eval', obfuscation, or hardcoded secrets. It binds to '0.0.0.0', which is standard for a server but requires network-level security (firewall) if exposed to the public internet.
Updated: 2026-01-17

Low Cost

capitalcom-mcp-server

by SimonTarara62

Sec9

Provides a Model Context Protocol (MCP) server for the Capital.com Open API, enabling safe, LLM-driven trading operations.

Setup Requirements

  • ⚠️Requires a Capital.com trading account with 2FA enabled and a generated API key (API keys have full trading access; no read-only option available).
  • ⚠️Requires Python 3.10 or higher.
  • ⚠️The generated API key is displayed only once and must be saved immediately.
Verified Safe
The project exhibits a strong focus on security, implementing multiple layers of safeguards. Key features include trading disabled by default, epic allowlists, size/position/daily order limits, two-phase execution (preview then explicit confirmation), and a dry-run mode. Sensitive data like API keys and passwords are explicitly handled to prevent logging via a `redact_secrets` utility. There is no visible use of `eval` or similar dangerous functions. The `install.sh` script does not execute arbitrary external code directly. While robust, the inherent risk of live trading with an LLM-driven system means a perfect 10 is reserved for read-only or highly isolated systems, but this is an exceptionally well-secured trading agent.
Updated: 2026-01-17