Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

0
0
Low Cost
sankethsura icon

mcp-server-test

by sankethsura

Sec9

This server provides a set of predefined functions (like mathematical calculations and greetings) exposed via the Model Context Protocol (MCP) over standard I/O for integration with AI agents like Claude Desktop.

Setup Requirements

  • ⚠️Requires manual JSON configuration file editing for Claude Desktop integration.
  • ⚠️The server is designed for `stdio` transport (e.g., Claude Desktop) and requires code modification to use HTTP for cloud deployments.
  • ⚠️The provided `mcp_server.py` implements only 'calculator' and 'greeting' tools, which is a significant reduction in scope compared to the 'Available Usecases' and 'Available Tools' described in the README (e.g., data analysis, file operations, web requests, `trigger_function_by_usecase`).
Verified SafeView Analysis
The `mcp_server.py` implements only `calculator` and `greeting` tools, which perform basic arithmetic and string operations and are low risk. There is no use of `eval`, hardcoded secrets, or direct network/filesystem access within the implemented code. The `stdio` transport limits the attack surface. The README describes more complex use cases (data analysis, file operation, web request) and a `trigger_function_by_usecase` tool, which are not present in the provided `mcp_server.py` source code. If these were implemented, they would require careful security considerations.
Updated: 2025-12-13GitHub
0
0
High Cost
andrewvu270 icon

AgentDeck

by andrewvu270

Sec7

A platform for deploying and managing specialized AI agent teams, integrating them with applications via automated Model Context Protocol (MCP) servers, and facilitating multi-agent collaboration and conversations.

Setup Requirements

  • ⚠️Requires API keys for LLM providers (OpenAI, Anthropic, Google), which incur costs.
  • ⚠️Requires Docker and Docker Compose for local development and deployment.
  • ⚠️Relies on PostgreSQL as the primary database and Redis for caching and job processing.
Verified SafeView Analysis
The system implements good security practices including JWT authentication with refresh tokens, AES-256-GCM encryption for API keys, rate limiting, and parameterized SQL queries. However, the `docker-compose.yml` file contains hardcoded default values for `JWT_SECRET` and `ENCRYPTION_KEY` (`dev-secret-change-in-production` and `12345678901234567890123456789012` respectively). These are critical secrets that are explicitly marked for development, but their presence as defaults poses a significant risk if the system is deployed to production without these values being properly overridden with strong, unique secrets.
Updated: 2025-12-01GitHub
0
0
Medium Cost
seher873 icon

GEMINI_CLI

by seher873

Sec1

Provides a command-line interface for interacting with the Google Gemini AI models.

Setup Requirements

  • ⚠️Requires Google Gemini API Key (Paid)
  • ⚠️SOURCE CODE WAS NOT PROVIDED, additional setup requirements or friction points are unknown and cannot be identified.
Review RequiredView Analysis
SOURCE CODE WAS NOT PROVIDED for analysis. A security audit cannot be performed without the source code. Therefore, it is impossible to assess the presence of 'eval', obfuscation, network risks, hardcoded secrets, or malicious patterns. Running this without prior source code review is highly risky, as its behavior is unknown.
Updated: 2025-11-23GitHub
0
0
High Cost
williamIIliu icon
Sec8

This server provides an intelligent document processing toolkit based on PaddleOCR 3.3 and PP-StructureV3, offering comprehensive functionalities like OCR, layout detection, table processing, formula recognition, and seal detection for various document types including PDFs.

Setup Requirements

  • ⚠️Requires PaddlePaddle GPU version 3.0.0 (specific older version) for optimal performance and high-performance inference (HPI).
  • ⚠️Requires CUDA 11.8+ and TensorRT 8.x series (e.g., 8.6.1.6) for GPU acceleration. Setup involves manual downloading and environment variable configuration for TensorRT.
  • ⚠️A known `ImportError` for `fused_rms_norm_ext` when using HPI requires a manual code modification (commenting out the import in PaddlePaddle's source), which can be fragile and might break with future PaddlePaddle updates.
Verified SafeView Analysis
The server deploys an HTTP endpoint on `0.0.0.0`, which makes it accessible from all network interfaces. While this is common for services, it requires external security measures (e.g., firewalls, API gateways, authentication) to prevent unauthorized access. The project relies on specific versions of PaddlePaddle and CUDA/TensorRT, and mentions a manual workaround for an `ImportError` (`fused_rms_norm_ext`), which could introduce stability issues if not meticulously managed, but does not appear to be a direct security vulnerability. No hardcoded secrets or malicious patterns are evident in the provided code snippets.
Updated: 2025-11-23GitHub
0
0
Medium Cost
Ptalati015 icon

No2SQL

by Ptalati015

Sec4

Transforms MongoDB/non-relational schemas into relational database models, generating ER diagrams and SQL scripts for data migration or visualization.

Setup Requirements

  • ⚠️Requires .NET SDK for local development and running from source.
  • ⚠️The project template is in an 'early preview stage', which may imply instability or breaking changes.
  • ⚠️Requires specific IDE configuration files (.vscode/mcp.json or .mcp.json) for integration with Copilot Chat.
Review RequiredView Analysis
The provided source code only includes README files and not the actual C# application code for the MCP server. Therefore, a comprehensive security audit for 'eval', obfuscation, network risks, hardcoded secrets, or malicious patterns in the application logic could not be performed. The instructions provided in the READMEs for setting up and publishing seem standard for a .NET NuGet package, but the actual implementation of the schema transformation logic is unknown.
Updated: 2025-12-15GitHub
0
0
High Cost
ys319 icon

read-docs

by ys319

Sec6

Extracts the main readable content from web pages, including those rendered client-side (CSR), and converts it into Markdown format for saving or display.

Setup Requirements

  • ⚠️Requires Go 1.21 or higher for building the application.
  • ⚠️The first execution will automatically download Chromium, which requires an internet connection and sufficient disk space.
Review RequiredView Analysis
The tool utilizes `go-rod` to launch Headless Chrome with the `NoSandbox(true)` flag. While this is often a necessary workaround in containerized environments, running Chrome without its sandbox on a host system can significantly increase the risk of host compromise if processing malicious or untrusted web content that exploits a browser vulnerability. Given the tool's primary function is to fetch arbitrary URLs, this presents a notable security concern if not executed within an isolated environment or with carefully vetted input URLs.
Updated: 2025-12-18GitHub
0
0
Medium Cost
juno icon
Sec9

This MCP server provides tools to interact with the Cloud Automator REST API, allowing users to manage jobs, job workflows, logs, post-processes, and group-specific AWS and Google Cloud accounts.

Setup Requirements

  • ⚠️Requires Node.js to be installed on the host machine.
  • ⚠️Requires a Cloud Automator API key, which must be obtained and configured as an environment variable (`CLOUDAUTOMATOR_API_KEY`).
  • ⚠️The full API responses are returned as strings, meaning the consuming client (e.g., LLM) will need to parse the JSON content for interpretation.
Verified SafeView Analysis
The server uses environment variables for the API key (`CLOUDAUTOMATOR_API_KEY`) and API URL (`CLOUDAUTOMATOR_API_URL`), which is good practice for handling sensitive information. Input validation for tool arguments is performed using `zod`. API responses are returned as raw text, preventing potential parsing issues on the server side, but shifting the responsibility for JSON parsing to the client. No obvious use of `eval`, obfuscation, or direct shell command injection points were found. The use of `ky` for HTTP requests is a standard and robust library. The overall code structure is clean and direct.
Updated: 2026-01-19GitHub
0
0
Medium Cost
leonardokasat-cientistavenda icon

mcp-playbooks

by leonardokasat-cientistavenda

Sec8

Manages structured processes and workflows (playbooks) within Mattermost, enabling creation, execution, and task management for various team operations.

Setup Requirements

  • ⚠️Requires a running Mattermost instance with the 'Playbooks' plugin enabled.
  • ⚠️Requires Node.js installed on the host system.
  • ⚠️The `MCP_MATTERMOST_TOKEN` must have sufficient permissions to interact with the Mattermost Playbooks plugin and core APIs.
Verified SafeView Analysis
The server relies on environment variables for sensitive Mattermost URL and API token, which is good practice. It uses `node-fetch` for external API calls, which is a standard and well-understood method. There are no apparent `eval` or command injection vulnerabilities in the provided source code. The primary security considerations are the overall security of the Mattermost instance it connects to and the permissions granted to the provided `MCP_MATTERMOST_TOKEN`.
Updated: 2026-01-19GitHub
0
0
High Cost
BachEndDeveloper icon

python-agent-demo

by BachEndDeveloper

Sec4

An AI agent providing pirate-themed jokes and integrating weather information, exposed as an MCP server.

Setup Requirements

  • ⚠️Requires Azure OpenAI API Key and Endpoint URL (Paid Service)
  • ⚠️Requires Python 3.13 or newer
  • ⚠️Requires 'agent-framework' dependency
Review RequiredView Analysis
The 'apiKey' and 'url' variables are hardcoded as empty strings. In a production environment, these sensitive values should be managed securely using environment variables or a secret management system, not directly in the source code. This design pattern poses a significant security risk if filled directly.
Updated: 2025-11-26GitHub
0
0
Medium Cost
2ca3 icon
Sec9

Provides a Model Context Protocol (MCP) server for integrating AI clients like Claude Desktop with Garoon's schedule, user, and meeting management features.

Setup Requirements

  • ⚠️Requires Python 3.10 or higher.
  • ⚠️Requires an active Garoon account with REST API utilization permissions.
  • ⚠️Requires an MCP client like Claude Desktop for full functionality.
  • ⚠️Requires `GAROON_BASE_URL`, `GAROON_USERNAME`, and `GAROON_PASSWORD` to be set as environment variables.
Verified SafeView Analysis
The server uses environment variables (GAROON_BASE_URL, GAROON_USERNAME, GAROON_PASSWORD) for authentication credentials, which is good practice to avoid hardcoding. Authentication is performed via the X-Cybozu-Authorization header using Base64-encoded username:password, which is a standard Garoon API method, though it is Basic Auth (not OAuth). The server utilizes `aiohttp` for secure asynchronous HTTP requests and logs errors to stderr. No direct 'eval' calls or obvious malicious patterns were found. Users are explicitly warned not to commit `.env` files.
Updated: 2025-11-30GitHub
0
0
Low Cost
ATLANTBH icon

mcp-server-demo

by ATLANTBH

Sec9

Exposes simulated company sales and customer data operations via a local MCP server for AI client interaction, facilitating tool-use demonstrations.

Setup Requirements

  • ⚠️Requires Python 3.10 specifically.
  • ⚠️Manual editing of Claude's `claude_desktop_config.json` is required.
  • ⚠️Users need to manually replace `<system python filepath>` and `<project_root>` placeholders in the Claude configuration.
Verified SafeView Analysis
The server uses `stdio` transport, limiting external network attack surface. File write operations in `post_report` create files in a dedicated `reports` directory; filenames are constructed to mitigate basic path traversal, and content is directly written. No `eval` or direct shell execution of user input is present. Data is simulated, reducing real data exposure risks.
Updated: 2025-11-19GitHub
0
0
Low Cost
Zoey-Labs icon

mcpx

by Zoey-Labs

Sec9

Bridges stdio-based Model Context Protocol (MCP) clients to HTTP-based MCP servers, translating between standard input/output and HTTP requests.

Setup Requirements

  • ⚠️Requires a pre-existing HTTP-based MCP server to connect to.
  • ⚠️Requires the `MCP_URL` environment variable to be set, pointing to the target MCP server.
  • ⚠️Requires Node.js 18.0.0 or higher.
Verified SafeView Analysis
The code is minimal and uses standard Node.js features for network communication. Configuration is handled via environment variables, with no hardcoded secrets. The `MCP_INSECURE` flag allows users to disable SSL certificate validation for development, which is an explicit opt-in and not a vulnerability in the bridge itself. The primary security consideration is ensuring the `MCP_URL` points to a trusted MCP server, as the bridge forwards all client requests to it.
Updated: 2025-12-14GitHub
PreviousPage 627 of 713Next