Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost

The server provides an API for users to track, add, list, and summarize their personal expenses, storing the data in a local SQLite database.

Setup Requirements

  • ⚠️Python 3.12+ required
  • ⚠️Requires write access to the temporary directory for database storage (expenses.db)
Verified Safe
The server uses parameterized queries for all database interactions, effectively mitigating SQL injection risks. There are no indications of 'eval', obfuscation, or hardcoded sensitive credentials. The database is stored in a temporary directory, which is a design choice impacting data persistence and local system security rather than a direct code vulnerability. The server binds to 0.0.0.0, making it accessible externally if not behind a firewall.
Updated: 2026-01-17

Low Cost

mcp-server

by securesubmit-buildmaster

Sec: 1

Unable to determine a specific use case due to the absence of source code for analysis. Implies a server component for an unspecified application.

Review Required
CRITICAL: Source code was not provided for analysis. Therefore, a comprehensive security audit is impossible. Without reviewing the code, it's impossible to check for 'eval', obfuscation, network risks, hardcoded secrets, or malicious patterns. A score of 1 is assigned as a default due to the inability to verify any security posture.
Updated: 2025-12-12

Medium Cost

hcp_mcp_server

by xargs-P

Sec: 7

Provides a natural language interface to the HashiCorp Cloud Platform (HCP) by implementing the Model Context Protocol (MCP) for LLM interaction, allowing management of cloud resources.

Setup Requirements

  • ⚠️Requires an active HashiCorp Cloud Platform (HCP) account and OAuth2 Client Credentials for authentication.
  • ⚠️Requires Python dependencies to be installed from `requirements.txt` (e.g., `pip install -r requirements.txt`).
  • ⚠️Requires specific configuration within the Gemini CLI's `settings.json` to enable and specify the server's path.
Verified Safe
Credentials (HCP_CLIENT_ID, HCP_CLIENT_SECRET) are correctly loaded from environment variables. The server operates as a stdio-based transport, not directly exposing network ports, which reduces its attack surface. API calls are authenticated using bearer tokens. However, a significant security consideration is the potential for sensitive data logging: if 'HCP_API_LOGGING_ENABLED' is set to 'true', detailed API responses (which may contain sensitive data such as secrets or user emails) are written to local log files. Additionally, the 'main.py' logs all incoming MCP requests and outgoing responses, including tool arguments and results, which could also contain sensitive information. Proper securing of log files is critical to prevent data leakage. The `update_service_principal` function is explicitly marked as unimplemented, preventing potential issues with an unbaked feature.
Updated: 2025-12-24

Low Cost

Crypto_MCP_Server

by menorhge3556

Sec: 8

Provides real-time and historical cryptocurrency market data via a Model Context Protocol (MCP) server.

Setup Requirements

  • ⚠️The README provides incorrect Linux installation commands (`dpkg -i`, `dnf install`) for a `.zip` file, suggesting it's designed for pre-packaged binaries rather than source-code installation.
  • ⚠️The 'Download Latest Release' link in the README points to a `.zip` file within the `tests` directory, which is an unusual and potentially confusing location for official releases.
  • ⚠️Requires a Python 3 environment and the `ccxt` library to be installed if running from source. No specific Python version is declared, but `asyncio` implies Python 3.7+.
Verified Safe
The server uses stdin/stdout for inter-process communication, which is common for MCP servers. It dynamically calls registered Python functions based on incoming JSON requests. Input validation is performed within each tool handler (e.g., `get_ticker`, `get_ohclv`, `stream_ticker`), mitigating common injection risks for parameters. The `ccxt` library is used for external API calls. There are no explicit uses of `eval`, `exec`, or `subprocess` on arbitrary user input within the provided source code, nor any hardcoded API keys. The primary risk would be if the application consuming the server's output or providing its input via stdin is compromised or poorly secured.
Updated: 2026-01-19

Low Cost

Weather_MCP_Server

by Abhishek3689

Sec: 9

Provides real-time weather data, forecasts, and weather comparison between cities to AI assistants via an MCP server.

Setup Requirements

  • ⚠️Requires a WeatherAPI.com API key (free tier available)
  • ⚠️Requires Python 3.8 or higher
  • ⚠️For Claude Desktop integration, the absolute path to the Python executable might be needed.
Verified Safe
The server uses `os.getenv` for the API key, preventing hardcoding. It uses `httpx` for secure HTTP requests and includes basic error handling for API calls. No dangerous functions like `eval` or obfuscation are present. The primary external interaction is with WeatherAPI.com, which is the intended function.
Updated: 2025-11-25

Low Cost
Sec: 1

This server provides a Multi-Component Protocol (MCP) service built on the fastmcp framework, integrating various development and AI implementation tools.

Review Required
A comprehensive security audit is impossible due to the extremely truncated source code, which only includes a README.md file. Critical analysis for 'eval', obfuscation, network risks, hardcoded secrets, or malicious patterns cannot be performed.
Updated: 2025-11-30

Medium Cost

carrier-api

by shopanaio

Sec: 9

Integrates Nova Poshta shipping and logistics data with AI assistants via Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires a Nova Poshta API Key for full functionality (especially waybill operations and some authenticated reference/counterparty methods).
  • ⚠️Requires an MCP-compatible AI client (e.g., Claude, Cursor, OpenAI) to be configured to interact with this server.
  • ⚠️Relies on 'npx' for quick execution, which requires Node.js and npm to be installed on the host system.
Verified Safe
The project follows good practices for handling API keys by using environment variables. No 'eval' or explicit obfuscation is found. Usage of 'child_process.exec' is confined to build scripts, not runtime. Standard HTTP transport is used, and input validation is implemented in the MCP server tools. The main risk would be potential vulnerabilities in the underlying Nova Poshta API itself or unintended data exposure through verbose AI responses.
Updated: 2025-11-23

High Cost

n8n-automations

by Conversionblanketstitch672

Sec: 3

Automates sales and marketing lead generation by scraping LinkedIn job postings, identifying decision-makers through Apollo.io, enriching their profiles, and performing AI-driven psychographic research for tailored outreach messages, storing data in Notion.

Setup Requirements

  • ⚠️Requires an n8n instance to host and run the workflow.
  • ⚠️Requires API keys and specific API endpoint URLs for Apify (LinkedIn scraping) and Apollo.io (organization/people search and enrichment).
  • ⚠️Requires an OpenAI API Key, and specifies a 'gpt-5' model which is not a publicly available model, likely meaning it won't run as written and will require changing to 'gpt-4' or 'gpt-3.5-turbo'.
  • ⚠️Requires Notion API integration and pre-configured Notion databases (e.g., 'Lucid Lead Database', 'Lucid Group Sales Database', 'Lucid Jobs Database').
Review Required
The workflow exposes a significant security risk by explicitly showing placeholders like '[add your apollo api key here]' and '[go to api -> api endpoints in apify]' directly within HTTP Request node configurations (body/headers/URL). This implies that sensitive API keys are intended to be hardcoded into the workflow's JSON definition rather than leveraging n8n's secure credential management system for these specific integrations. While Notion and OpenAI connections use n8n's credential storage, this inconsistency creates a vulnerability where API keys could be exposed in plain text if the workflow file is shared or stored insecurely.
Updated: 2026-01-19

Low Cost

mcp-server

by rayyanhere1

Sec: 10

Provides a server environment potentially related to Minecraft modding or a game server based on the Minecraft Coder Pack.

Verified Safe
No executable source code was provided for analysis. Only markdown files (README.md, mcp.md) were present, which inherently pose no security risk.
Updated: 2025-11-20

Low Cost
Sec: 7

Deploys an authentication-less Model Context Protocol (MCP) server on Cloudflare Workers, providing simple mathematical tools for AI clients like Cloudflare AI Playground or Claude Desktop.

Setup Requirements

  • ⚠️The server is explicitly 'authless'. Deploying to a public URL without additional Cloudflare Worker authentication/authorization will make all tools publicly accessible.
  • ⚠️Requires a Cloudflare Workers account for deployment.
  • ⚠️Requires `npm` and `wrangler` CLI tools for local setup and deployment.
Verified Safe
The server is explicitly designed to be 'authless' as stated in the README. This means that, by default, any deployed instance will be publicly accessible. While the implemented tools (calculator functions) are simple and do not inherently pose high-risk vulnerabilities like code injection, deploying without additional Cloudflare Worker authentication/authorization mechanisms could lead to unintended public access and potential resource abuse if not properly rate-limited or secured at the edge. Input validation for tools is handled via `zod`, which is a good practice.
Updated: 2025-12-06

Low Cost

registry

by AlejandroVelezGuillermo

Sec: 8

Provides a centralized registry service for discovering, managing, and sharing Model Context Protocol (MCP) server metadata.

Setup Requirements

  • ⚠️Requires Docker and Docker Compose for easy deployment of the server and its MongoDB database.
  • ⚠️Publishing server metadata requires a GitHub OAuth App (Client ID and Secret) to be configured and exposed as environment variables (MCP_REGISTRY_GITHUB_CLIENT_ID, MCP_REGISTRY_GITHUB_CLIENT_SECRET) for server-side token validation.
  • ⚠️The publisher tool (written in Go) also requires the MCP_REGISTRY_GITHUB_CLIENT_ID environment variable for GitHub authentication via device flow.
Verified Safe
The service implements GitHub OAuth device flow for publishing server metadata, which correctly uses environment variables (MCP_REGISTRY_GITHUB_CLIENT_ID, MCP_REGISTRY_GITHUB_CLIENT_SECRET) for credentials. Token validation is performed against the GitHub API, checking application association and repository access (owner or organization member). No 'eval' or obvious obfuscation is present. The 'docker-compose.yml' exposes MongoDB on port 27017, which, while standard for development, would require securing (e.g., firewall, network segmentation) in a production environment to prevent unauthorized database access.
Updated: 2026-01-19

High Cost

Arduino-MCP

by warusakudeveroper

Sec: 4

Automates ESP32 development workflows including compiling, uploading, serial monitoring, pin analysis, and SPIFFS file management via an MCP stdio server.

Setup Requirements

  • ⚠️Requires `arduino-cli` executable to be installed and discoverable (can be auto-installed via `ensure_dependencies`).
  • ⚠️Requires Python 3.x with `pyserial` installed (can be auto-setup in a virtual environment via `ensure_dependencies`).
  • ⚠️Requires `mkspiffs` for SPIFFS upload functionality (needs manual installation, e.g., `brew install mkspiffs` on macOS).
Review Required
The primary Node.js server uses input validation (Zod) and path sanitization (`resolveSafePath`), which mitigate common server-side risks. However, critical vulnerabilities exist within the associated `ArduinoMCP` ESP32 firmware library and its usage examples:
  1. ESP32 Firmware Path Traversal: The `ArduinoMCP` library's SPIFFS API endpoints (`/api/spiffs/list`, `/api/spiffs/read`, `/api/spiffs/write`, `/api/spiffs/delete`) directly use user-provided `path` arguments in `SPIFFS.open`, `SPIFFS.remove`, and `file.print` operations without apparent sanitization against path traversal (e.g., `../`). This creates a critical vulnerability on the ESP32 device itself, allowing an attacker to read, write, or delete arbitrary files on the SPIFFS partition.
  2. Hardcoded Credentials in Example Sketch: The `mercury_net_diag/settingManager.cpp` file, part of an example sketch, contains multiple hardcoded WiFi SSIDs and passwords (`mainSSID`, `mainPass`, `altSSID`, `altPass`, `devSSID`, `devPass`). Deploying this sketch or similar code with sensitive information hardcoded poses a significant security risk.
  3. Default Lax CORS Policy: The Console Server's API defaults `MCP_CORS_ORIGIN` to `*`, making it accessible from any origin. This is a security concern if the console server is exposed to an untrusted network.
  4. Non-robust JSON Parsing (ESP32 Sketch): The `settingManager.cpp` uses a simplistic string-based JSON parser (`fromJson`) which is prone to errors with malformed JSON and could lead to unexpected behavior or data corruption on the device, though not directly to code execution.
Updated: 2025-12-13