Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost

azure-schema-mcp

by richardichogan

Sec9

Provides AI assistants with schema discovery for Azure Log Analytics tables and Microsoft Graph API endpoints, enabling accurate KQL query and SDK code generation to eliminate guesswork.

Setup Requirements

  • ⚠️Azure CLI authenticated: `az login`
  • ⚠️Valid `.env` file with AZURE_TENANT_ID and AZURE_WORKSPACE_ID
  • ⚠️Built server: `npm run build`
Verified Safe
The server uses DefaultAzureCredential for authentication, a secure and recommended method for Azure services. It explicitly avoids filesystem access for the 'find_working_query_examples' tool due to potential risks, demonstrating responsible design. Local caching of schemas and tokens to specified directories is standard practice. Input validation (Zod) is used for tool arguments. No 'eval' or obvious hardcoded secrets were found.
Updated: 2025-11-26

Low Cost

dev-mirror

by consigcody94

Sec8

Track developer productivity metrics for AI-assisted versus manual coding sessions, providing data-driven insights and comparative reports.

Setup Requirements

  • ⚠️Requires Node.js 18+ to run.
  • ⚠️Requires Claude Desktop to be installed for interaction.
  • ⚠️Manual configuration in Claude Desktop's 'claude_desktop_config.json' file, specifying an absolute path to the server's 'build/index.js' file.
  • ⚠️A full restart of Claude Desktop is necessary after initial configuration.
Verified Safe
The server primarily operates on local files within a user's home directory and communicates via stdio. There are no obvious external network calls initiated by the server, nor any direct use of 'eval' or clear command injection vulnerabilities. Data storage is local and user-controlled. The use of fs/promises for file operations in a user's specified data directory is a standard pattern for local applications.
Updated: 2025-11-25

Medium Cost

An AI assistant providing specialized tools for math operations and code generation via a Model Context Protocol (MCP) server.

Setup Requirements

  • ⚠️Requires Google Gemini API key (paid or quota-limited)
  • ⚠️Python 3.8+ required
Verified Safe
The MCP server code does not contain explicit 'eval', 'exec', or direct system calls. Input validation is present for user queries before passing them to the LLM. Google API keys are loaded securely via environment variables using python-dotenv, preventing hardcoded secrets. The MCP server uses 'stdio' transport for communication, limiting direct network exposure. The main potential risk is the generation of malicious code by the LLM, which the server returns but does not execute. It is the responsibility of the client or end-user to handle generated code securely.
Updated: 2025-12-16

Medium Cost

french-tax-mcp

by hiiamhacker23213

Sec8

Provides a robust server for French tax calculations and information, designed to assist AI systems with accurate guidance.

Setup Requirements

  • ⚠️Requires Python 3.10 or higher.
  • ⚠️Requires internet access for web scraping official tax authority websites.
  • ⚠️Requires installing Python dependencies including fastmcp, beautifulsoup4, httpx, pydantic, lxml, and markitdown.
Verified Safe
The project uses web scraping from official French government websites (impots.gouv.fr, service-public.fr, legifrance.gouv.fr). While the `BaseScraper` implements good practices like rate limiting, caching, and retries with `httpx`, any interaction with external, untrusted content carries inherent risks (e.g., unexpected HTML structure leading to parsing errors, or serving stale data from cache if official sources update). The server does not appear to use `eval` or contain hardcoded secrets. Output is typically structured (JSON, Markdown), reducing the risk of direct script injection if consumed by an AI.
Updated: 2026-01-19

Low Cost

nexus-mcp

by HosamUsf

Sec6

Provides an integration layer to an ERP system, exposing core business functionalities as callable tools via a custom 'MCP Protocol' to enable automation or agent interaction.

Setup Requirements

  • ⚠️Requires a running ERP system reachable at 'erp.api.base-url'.
  • ⚠️Requires an authentication token (configured as 'erp.api.auth-token') for the ERP system.
  • ⚠️Requires Java Development Kit (JDK) and Maven or Gradle to build/run.
Verified Safe
The 'CrossOrigin(origins = "*")' annotation in MCPController is a significant security risk for production environments, allowing requests from any domain; the code notes it's 'For demo purposes - restrict in production'. Error handling in MCPToolService directly exposes 'error.getMessage()' from downstream ERP API calls, which could leak sensitive internal details. The server relies on external configuration (erp.api.base-url, erp.api.auth-token, erp.api.timeout) to connect to the ERP, so ensuring the auth-token is securely managed (e.g., via environment variables or a secret management system) is critical. No 'eval' or dynamic code execution found.
Updated: 2026-01-18

Low Cost

mcp-server

by ziutus

Sec9

A minimal FastMCP 2.x server exposing markdown resources for MCP-aware clients like Claude Desktop.

Setup Requirements

  • ⚠️Docker Desktop required for containerized setup.
  • ⚠️Python 3.13+ required for local execution.
  • ⚠️Requires 'fastmcp' library (version >=2.0,<3.0).
  • ⚠️An MCP-aware client (e.g., Claude Desktop, MCP Inspector) is necessary to interact with the server, as it is not a generic REST API.
Verified Safe
The server's code is minimal, simple, and primarily involves reading local files (`project_info.md`, `prompts/prompt1.txt`). There are no signs of 'eval', code obfuscation, or hardcoded secrets. It listens on `0.0.0.0`, which is standard for containerized applications but implies a need for proper network isolation in production environments. Error handling for missing files is present, returning a safe default message.
Updated: 2025-11-26

Medium Cost
Sec6

Provides an API server and a command-line interface for interacting with the Google Gemini AI model.

Setup Requirements

  • ⚠️Requires Google Gemini API Key (usage-based costs apply)
  • ⚠️Requires Node.js runtime environment
  • ⚠️CLI client expects the server to be running locally (default port 3000)
Verified Safe
The server correctly loads the GEMINI_API_KEY from environment variables and avoids dangerous patterns like 'eval'. However, the '/chat' endpoint lacks any authentication or authorization, meaning anyone with network access to the server can utilize the Gemini API, potentially leading to unauthorized usage and API billing costs if exposed publicly.
Updated: 2025-12-05

Low Cost

Sets up a PostgreSQL database with SSL enabled for local development and testing purposes.

Setup Requirements

  • ⚠️Requires Docker installed and running on the host machine.
  • ⚠️Requires 'server.crt' and 'server.key' SSL certificates to be present in a 'ssl_certs' directory in the project root, which will be mounted into the container.
Verified Safe
Uses default/hardcoded 'postgres:postgres' credentials within the Docker Compose file, which is a significant security risk if this setup is exposed publicly or used in production without modification. However, for a local development/test environment, it is a common practice. SSL is enabled for database connections, which is a good security measure.
Updated: 2026-01-19

Low Cost

youtube-subtitle-mcp

by guangxiangdebizi

Sec9

Fetches YouTube video subtitles/transcripts in multiple formats (SRT, VTT, TXT, JSON) to be consumed by Model Context Protocol (MCP) clients or other applications.

Setup Requirements

  • ⚠️Requires Node.js (or Docker)
  • ⚠️Requires an MCP client (e.g., Claude Desktop, Cursor) with specific JSON configuration for integration
  • ⚠️Requires network access to YouTube for subtitle fetching
Verified Safe
The server uses standard Node.js and Express practices. No 'eval' or obfuscation is present. CORS is explicitly configured. While DNS rebinding protection is disabled by default for local development, the code explicitly mentions and provides guidance for enabling and configuring it in production, demonstrating security awareness. No hardcoded secrets were found; it relies on `dotenv` for environment variables like PORT. The core functionality involves making external network requests to YouTube, which is expected and handled by `youtubei.js`.
Updated: 2025-11-26

Medium Cost

This server exposes OpenMemory functionalities (query and add memory) via the Model Context Protocol (MCP), primarily for integration with AI agents like Claude Desktop to provide long-term memory capabilities.

Setup Requirements

  • ⚠️Requires Node.js installed in the environment.
  • ⚠️OpenMemory operates in 'local' mode by default, storing memory data on the local file system.
  • ⚠️Requires manual configuration within Claude Desktop to connect to this running server.
Verified Safe
The server's direct code does not contain 'eval', hardcoded secrets, or obvious malicious patterns. Inputs for tools ('query', 'content') are passed as strings to the 'openmemory-js' library. The primary security consideration depends on the robustness of the 'openmemory-js' dependency in handling arbitrary string inputs, especially since it operates in 'local' mode, implying local file system interaction. The server uses a fixed 'user_id: "default"', meaning all memories are shared, which is acceptable for a starter but not for a multi-user production environment.
Updated: 2025-12-06

Low Cost

nature-vision-mcp

by fonkychen

Sec8

Identifies biological species from images using an external API, returning Latin names with confidence scores, designed for LLM tool integration.

Setup Requirements

  • ⚠️Requires a NATURE_VISION_API_KEY, which must be obtained from nature-vision.top.
  • ⚠️Requires Node.js and npm/npx to be installed.
Verified Safe
The server primarily acts as a proxy to an external Nature Vision API. It properly handles the API key via environment variables and does not contain hardcoded secrets or arbitrary code execution vulnerabilities like 'eval'. The main security consideration is the trust in the external 'nature-vision.top' API itself. Error handling for missing API key is present.
Updated: 2026-01-17

High Cost
Sec9

Analyzes Windows ETL trace files from .diagsession archives to generate call trees and performance metrics for debugging and optimization.

Setup Requirements

  • ⚠️Requires .NET 8.0 SDK or later.
  • ⚠️Requires Windows OS (due to Microsoft.Diagnostics.Tracing.TraceEvent library).
  • ⚠️Requires an MCP client (e.g., mcp-inspector) or custom JSON-RPC interaction via stdin/stdout.
Verified Safe
The server appears robust, adhering to clean architecture principles and best practices. It processes local files and interacts via stdio, limiting direct network exposure for the server itself. File access can be restricted via 'AllowedDirectories' configuration. No obvious 'eval' or malicious patterns are present. External dependencies like Microsoft symbol servers are standard for this type of analysis.
Updated: 2025-11-26