Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

0
0
Low Cost
Ektagautammaru icon

MCP-Server

by Ektagautammaru

Sec9

Provides a calculator tool via the Model Context Protocol (MCP) for inter-process communication, typically serving AI agents or other applications requiring specialized tooling.

Setup Requirements

  • ⚠️Requires Java Development Kit (JDK) installed.
  • ⚠️Designed for inter-process communication via standard input/output (stdin/stdout), not direct network access.
  • ⚠️Requires a build tool (e.g., Maven or Gradle) to compile and package the application into a runnable JAR.
Verified SafeView Analysis
The server implements a simple calculator tool, communicating over standard input/output. It avoids common web vulnerabilities by not exposing network ports directly. Input validation relies on basic type casting and the underlying JSON parser of the MCP framework. There are no 'eval'-like functions, hardcoded secrets, or external dependencies that pose immediate security risks. The scope of functionality is minimal, limiting the attack surface. Results are returned as JSON strings, not executed.
Updated: 2025-12-15GitHub
0
0
Low Cost
xstraven icon
Sec8

This project defines a Python package intended to provide a custom Jupyter kernel named `ipymcp`, enabling interactive execution within Jupyter notebooks for a specific 'mcp' environment.

Setup Requirements

  • ⚠️Requires Python 3.12 or higher.
Verified SafeView Analysis
The provided source code is limited to `pyproject.toml` and an empty `__init__.py`. No executable code, 'eval' usage, obfuscation, network operations, or hardcoded secrets are present to evaluate for security risks. The dependency on `ipykernel` is standard and widely used. A full security audit would require the complete kernel implementation, as the core logic is not provided.
Updated: 2025-11-19GitHub
0
0
Low Cost
SudhakarC-hub icon
Sec6

Develops an IT Asset Management AI agent that interacts with a backend via Google ADK and Model Context Protocol (MCP) using Streamable HTTP.

Setup Requirements

  • ⚠️Requires Python 3.11+
  • ⚠️Requires Ollama with Mistral model to be installed and running locally
  • ⚠️Requires running three separate components (FastAPI, MCP Server, ADK Agent) in different terminals for full functionality.
Verified SafeView Analysis
The system lacks authentication and authorization for its FastAPI backend (port 8005) and MCP server (port 8002). While suitable for a local Proof-of-Concept, exposing these services to a public network without proper security measures would pose a critical risk, allowing unauthorized access and manipulation of IT asset data. No obvious code injection vulnerabilities like 'eval' or hardcoded secrets were found. All services run on localhost by default.
Updated: 2025-11-22GitHub
0
0
Medium Cost
kratos06 icon

lofty-skills

by kratos06

Sec9

This repository serves as a collection of Claude Code Skill definitions and MCP server configurations, enabling a Claude agent to integrate with a wide array of external services and perform various development, communication, and operational tasks.

Setup Requirements

  • ⚠️Requires numerous API keys/tokens from various external services (many potentially paid).
  • ⚠️Dependent on external MCP servers or local tools (e.g., `@anthropic/mcp-atlassian`, `docker`, `git`, `python3`, `mongosh`, `psql`, `sqlite3`) which need to be installed and configured separately.
  • ⚠️Many skill examples rely on `python3 -m json.tool` for convenient JSON output parsing in shell scripts.
Verified SafeView Analysis
The repository primarily contains declarative Markdown files defining skills and their API interactions. It does not contain executable server-side code for direct execution within the repository itself. Credentials are consistently advised to be managed via environment variables (e.g., `export API_KEY=...`), which is a secure practice. Examples provided use standard `curl` commands and `python3 -m json.tool` for parsing, without invoking dangerous functions like `eval`. The security risk mainly stems from the configuration of the *external* MCP servers these skills interact with, or potential user misconfiguration of environment variables, rather than direct vulnerabilities within this repository's source code.
Updated: 2026-01-19GitHub
0
0
Medium Cost
luminpdf icon

lumin-mcp-server

by luminpdf

Sec4

Enables AI assistants to manage documents, send signature requests, retrieve workspace details, and generate PDFs using Lumin's API services.

Setup Requirements

  • ⚠️Requires a Lumin PDF API Key for authentication (must be obtained from Lumin PDF, sensitive, required).
  • ⚠️Requires a Node.js environment (v22.19.2+ is recommended based on package.json) for local execution.
  • ⚠️Local execution (`runOnLocal: true`) grants the AI direct read access to the local file system, which is a significant security risk if the AI's input paths are not carefully controlled.
Review RequiredView Analysis
When run locally (via `node build/stdio.js`), the `upload_file_to_lumin` and `send_signature_request_on_lumin` tools expose a `path` parameter that is directly used with `node:fs.readFileSync` without validation. This allows the server to read arbitrary local files if the AI assistant is prompted to provide a malicious path (e.g., directory traversal `../../../etc/passwd`), leading to critical local file exfiltration vulnerabilities. API keys are handled securely via environment variables or user configuration, not hardcoded.
Updated: 2025-12-09GitHub
0
0
Low Cost
muchandional icon

tomcp

by muchandional

Sec10

This repository serves as a personal compilation and study guide for data science exercises completed through edX courses.

Verified SafeView Analysis
The provided content is solely a README file and does not contain any executable code that could pose a security risk. There are no 'eval' statements, obfuscation, network risks, hardcoded secrets, or malicious patterns detected.
Updated: 2026-01-19GitHub
0
0
Medium Cost
ombhalodiya45 icon

mcp_server

by ombhalodiya45

Sec8

An AI assistant backend built with Node.js that processes user chat messages, utilizes Groq's LLM for tool calling, and integrates with custom Model Context Protocol (MCP) endpoints for external tools like weather, time, currency exchange, and Wikipedia summaries.

Setup Requirements

  • ⚠️Requires GROQ_API_KEY (paid service, specific model 'llama-3.3-70b-versatile' used)
  • ⚠️Requires WEATHER_API_KEY (external service, potential costs/rate limits)
  • ⚠️Requires EXCHANGE_API_KEY (external service, potential costs/rate limits)
  • ⚠️The MCP Server (mcp-server.mjs) must be running separately on port 4000 for tool functionality (e.g., via `node mcp-server.mjs`)
Verified SafeView Analysis
The project uses environment variables for API keys (dotenv), which is good practice. Input validation for user messages is present. Tool arguments parsed from LLM output are handled with a try-catch block for JSON parsing. Child process spawning (mcp-http-wrapper.mjs) uses `spawn` with explicit arguments, which is safer than `exec`. No obvious direct 'eval' or malicious code patterns were found. However, like all LLM-powered applications, there's an inherent risk of the LLM generating undesirable outputs if not properly contained, and reliance on external APIs always introduces third-party security considerations.
Updated: 2025-12-02GitHub
0
0
Medium Cost
Adityagupta89 icon

MCP-Server

by Adityagupta89

Sec9

Provides two callable tools, 'add-number' and 'get_github_repo', as a server implementing the Model Context Protocol, allowing external models or agents to consume these functionalities.

Setup Requirements

  • ⚠️Requires Node.js version 18 or higher.
  • ⚠️Requires `npm install` to resolve dependencies before building and running.
  • ⚠️Requires the TypeScript compiler (`tsc`) to build the source code into JavaScript.
Verified SafeView Analysis
The server includes a tool ('get_github_repo') that makes an external HTTP request to the GitHub API, incorporating user-provided input ('username') into the URL. While GitHub's API generally handles input sanitization, explicit validation/sanitization of user input before constructing external URLs is a general best practice. No 'eval', obfuscation, or hardcoded secrets were identified.
Updated: 2026-01-19GitHub
0
0
Medium Cost
eagleisbatman icon

ag-mcp-chat-app

by eagleisbatman

Sec3

AI-powered mobile farming assistant application with region-specific MCP server integration for providing advice, weather, and diagnosis.

Setup Requirements

  • ⚠️Requires `EXPO_PUBLIC_API_KEY` to be set in a `.env` file for API Gateway communication. This key is embedded in the client bundle and is not secure.
  • ⚠️Requires `GEMINI_API_KEY` to be set in a `.env` file for running translation scripts (developer tools).
  • ⚠️Requires `EXPO_PUBLIC_ONESIGNAL_APP_ID` to be set in a `.env` file for push notification functionality.
Review RequiredView Analysis
The `EXPO_PUBLIC_API_KEY` is publicly exposed in the mobile app's client bundle (due to `EXPO_PUBLIC_` prefix) and is used for authenticating requests to the API Gateway. This means an attacker can extract and reuse this key to access or abuse the API Gateway and potentially the underlying AI Services/MCPs. This is a critical vulnerability. Additionally, the `Function` constructor is used in `mobile/scripts/utils/englishStrings.js` to parse local TS content, which can be a risk if the source is compromised.
Updated: 2026-01-19GitHub
0
0
Low Cost
ross-stockman icon

mcp-server-sse-spring

by ross-stockman

Sec9

This project serves as a template Model Context Protocol (MCP) server, exposing an in-memory service catalog via Server-Sent Events (SSE) for AI agent interaction.

Setup Requirements

  • ⚠️Requires Java Development Kit (JDK)
  • ⚠️Requires Maven
Verified SafeView Analysis
The server primarily exposes an in-memory service catalog through Spring AI's @Tool annotations. The exposed tools perform basic CRUD operations on a static ConcurrentHashMap. No direct 'eval' or dangerous dynamic code execution patterns were found. No hardcoded secrets or direct external system interactions are evident. The primary 'risk' is an AI agent potentially manipulating the in-memory catalog as designed, not a code vulnerability.
Updated: 2025-11-30GitHub
0
0
Low Cost
umairakrm007 icon

awesome-mcp-servers

by umairakrm007

Sec10

To curate and list Model Context Protocol (MCP) servers, and provide a framework for community contributions to this list.

Verified SafeView Analysis
The provided source code for 'awesome-mcp-servers' is a static content repository, primarily containing Markdown and JSON files for an 'awesome list' of MCP servers. It does not include executable code for an MCP server application, thus it inherently presents no direct security risks like 'eval', obfuscation, network vulnerabilities, or hardcoded secrets. The security score reflects this static nature. However, users must independently verify the security and integrity of any third-party MCP servers *referenced* or *listed* within this repository before execution, as this repository serves as a directory.
Updated: 2026-01-19GitHub
0
0
Medium Cost
stayce icon
Sec9

Provides programmatic access to the WHO International Classification of Functioning, Disability and Health (ICF) via a Model Context Protocol (MCP) server, primarily for AI agents.

Setup Requirements

  • ⚠️Requires WHO ICD-API credentials (free registration at https://icd.who.int/icdapi)
  • ⚠️Requires a Cloudflare account with Workers enabled
  • ⚠️Node.js 18+ and npm are required for local development and deployment
Verified SafeView Analysis
The server follows good security practices: sensitive WHO API credentials are managed via environment variables and Cloudflare secrets (not hardcoded). Input validation is performed using Zod schemas for all tool calls. It operates within the sandboxed environment of Cloudflare Workers, limiting system-level risks. API interactions use OAuth2 with token refresh logic. No 'eval' or similar dangerous patterns were found. Error handling for API calls is in place. The main dependency for external API calls is the official WHO ICD-API, which is a trusted source.
Updated: 2026-01-16GitHub
PreviousPage 622 of 713Next