Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost

MCP-SERVER

by porcupine-om

Sec9

Provides a backend API for managing a product database (SQLite) and performing safe mathematical calculations, designed for integration with client applications like AI-powered chatbots.

Setup Requirements

  • ⚠️ Requires Python 3.7+ (though the associated Telegram bot prefers 3.13).
  • ⚠️ The HTTP server (`http_server.py`) requires `fastapi` and `uvicorn` (specified in `mcp_server/requirements.txt`).
  • ⚠️ While the MCP server itself has no token costs, its intended use within the broader project (with a Telegram bot) involves calls to an external LLM, incurring token costs there.

Verified Safe
The 'calculate' tool uses `ast.parse` and a custom `safe_eval` function with a whitelist of operators and node types, effectively preventing arbitrary code execution and mitigating the risk typically associated with `eval()`. Database interactions use parameterized queries (`?`) to prevent SQL injection vulnerabilities. Secrets (like API keys for external services) are correctly handled through environment variables (in the client bot code), not hardcoded. The HTTP server defaults to binding on `0.0.0.0`, which is common for local development but should be reconfigured for production environments to a specific interface or secured behind a proxy.
Updated: 2025-11-28

Medium Cost
Sec9

Performs Monte Carlo simulations for business decisions, financial analysis, and confidence validation, integrated with Claude.

Setup Requirements

  • ⚠️ Requires Python 3.11 or higher.
  • ⚠️ Initial internet connection is required for dependency installation.
  • ⚠️ Conda or Python venv environment setup knowledge is useful, though setup script handles venv automatically.

Verified Safe
The project includes explicit checks for code injection vulnerabilities ('no eval/exec usage'). It features robust input validation for string lengths (e.g., max 500 chars), number of assumptions (max 20), number of simulations (max 100,000), and numeric ranges (e.g., positive time horizon). Correlation matrices are validated for symmetry and positive definiteness to prevent runtime errors. No hardcoded secrets or direct network exposure (uses stdio_server).
Updated: 2025-12-07

High Cost

narsil-mcp

by doctordisrespect

Sec9

A code intelligence server that provides comprehensive static analysis, semantic search, and security auditing for software repositories, designed to be integrated with coding agents and IDEs.

Setup Requirements

  • ⚠️ Requires `GITHUB_TOKEN` environment variable for remote repository features to avoid GitHub API rate limits.
  • ⚠️ Requires `EMBEDDING_API_KEY` (or `VOYAGE_API_KEY`, `OPENAI_API_KEY` depending on backend) environment variable for neural embedding features, which typically involves a paid API service.
  • ⚠️ Relies on `tree-sitter` grammars for various languages, which may require additional setup or installation beyond a simple binary execution.

Verified Safe
The server demonstrates strong security practices including rigorous input validation (e.g., path traversal prevention in file access, Git command injection prevention, ReDoS protection for regex, SSRF prevention in API calls). It also implements comprehensive output sanitization with secret redaction and natively provides advanced security analysis tools like taint analysis and a configurable security rules engine.
Updated: 2026-01-19

Medium Cost

chathub

by grokify

Sec9

ChatHub provides a Model Context Protocol (MCP) server for cross-platform sharing and archiving of AI assistant conversations, enabling users to save and retrieve chats from various AI clients in a unified, version-controlled storage.

Setup Requirements

  • ⚠️ Requires a GitHub Personal Access Token (PAT) with specific 'Contents: Read and write' and 'Metadata: Read' permissions for a private repository.
  • ⚠️ For cross-platform sharing to function correctly, all connected MCP clients must use the exact same GitHub token, repository owner, repository name, and conversation folder in their respective configurations.
  • ⚠️ Building from source requires Go 1.23+.

Verified Safe
The project demonstrates strong security awareness: secrets are loaded via environment variables, not hardcoded. The `README` explicitly advises using fine-grained GitHub Personal Access Tokens (PATs) with minimal permissions and rotating them. Input paths are generated or sanitized to prevent directory traversal. The `mcpruntime` library handles secure HTTP transport with OAuth2.1 (PKCE) for authentication, mitigating risks when exposing the server publicly via HTTP or ngrok. No instances of 'eval', code obfuscation, or overtly malicious patterns were found in the provided source.
Updated: 2026-01-19

Low Cost

pattern

by loominal

Sec9

Provides hierarchical memory capabilities for AI agents to remember, share, recall, and isolate information across sessions and projects.

Setup Requirements

  • ⚠️ Requires Node.js >= 18.0.0
  • ⚠️ Requires NATS server with JetStream enabled
  • ⚠️ Relies on the Loominal Warp service to initialize agent identity in NATS KV, which needs to be running and configured to populate `loom-identity-{projectId}` bucket.

Verified Safe
The codebase appears well-structured and follows good practices. No direct 'eval' or dangerous runtime code generation patterns were found. Input validation is implemented for memory content and metadata fields. Access control for shared and core memories is present (e.g., core memories require `force=true` to delete, shared memories can only be deleted by their creator within the project). The system relies on NATS JetStream for storage, which inherently provides isolation via KV buckets per project/agent. Content scanning is implemented as a non-blocking warning for sensitive data patterns (e.g., API keys, passwords), which is a good mitigation but not a full encryption solution. The provided source does not implement encryption for data at rest in NATS KV, but `docs/SECURITY.md` details how an external encryption layer could be added. The reliance on Warp for identity management is a key security aspect, as it centralizes identity initialization.
Updated: 2025-12-24

Medium Cost

muav_gui_mcp

by arpoma16

Sec4

Provides an MCP (Model Context Protocol) server to enable AI agents to control and monitor Multi-UAV GCS for managing UAVs and AGVs, including mission planning and ROS communication.

Setup Requirements

  • ⚠️ Requires Node.js (>=22.17.0) to be installed.
  • ⚠️ Requires a running instance of the Multi-UAV GCS backend API accessible at the configured `BASE_URL` (defaults to http://localhost:4000/api).
  • ⚠️ The HTTP transport does not include CORS by default, which may need to be configured for specific client applications if not running on the same origin.

Review Required
The server offers powerful, low-level control over robotics systems (UAVs, AGVs, ROS) via an AI agent. Tools like `send_command`, `ros_service_call`, and `pub_ros_topic` accept `z.any()` or `z.object({}).passthrough()` for their payload schemas. This lack of strict input validation for critical commands, particularly for ROS messages, means that if the AI agent or the MCP server is compromised, an attacker could send arbitrary, unvalidated commands to physical robots or the backend system, leading to unintended behavior, data corruption, or system disruption. The security of this MCP server is highly dependent on the security of the external Multi-UAV GCS API it connects to. Raw JSON responses from the backend are exposed, which could reveal sensitive data if not properly access-controlled by the GCS itself.
Updated: 2026-01-05

Low Cost

mql5-help-mcp

by caoshuo594

Sec8

Provides AI programming assistants with local MQL5 documentation, e-books, and an intelligent error diagnosis system for efficient EA/indicator/script development.

Setup Requirements

  • ⚠️ Requires Node.js 18.0 or higher
  • ⚠️ First run might be slow as it downloads from GitHub via npx
  • ⚠️ Windows users might need to specify the full path to npx if command fails

Verified Safe
The `jquery.js` dependency contains `eval` (standard for jQuery's internal script execution, not arbitrary user input eval). The server itself operates locally via stdio, reducing external network attack surface. Data is stored locally in an SQLite database. Installation via `npx` relies on trusting the GitHub repository.
Updated: 2025-12-01

Medium Cost

verge-mcp-server

by tomohirof

Sec8

Manages blog content (create, edit, publish, delete articles and blogs) on VergeCMS directly through AI assistants like ChatGPT or Claude, using natural language.

Setup Requirements

  • ⚠️ Requires Node.js >= 18.0.0 to run.
  • ⚠️ Requires an existing VergeCMS account.
  • ⚠️ A local HTTP server will be started on port 34521 for browser-based authentication, which might conflict with other applications if the port is in use.

Verified Safe
The server implements a robust OAuth 2.0 Authorization Code Flow for authentication, including CSRF protection via state parameters and secure local token storage (`~/.verge-mcp/token.json` with `0o600` permissions). Input and output data are validated using Zod schemas, mitigating common injection risks. The server uses a local HTTP server on `localhost:34521` solely for the OAuth callback, limiting network exposure. No 'eval' or obvious obfuscation is present. The primary security considerations are the inherent risks of storing an authentication token locally (though protected by file permissions) and the security of the connected VergeCMS API itself.
Updated: 2025-12-15

High Cost

tdz-c64-knowledge

by MichaelTroelsen

Sec8

An MCP server for managing, searching, and extracting knowledge from Commodore 64 documentation, offering AI-powered summarization, entity extraction, RAG-based question answering, and a web-based wiki export.

Setup Requirements

  • ⚠️ LLM API Key (Anthropic or OpenAI) is required for most AI features (summarization, entity extraction, RAG-based Q&A), incurring paid service costs.
  • ⚠️ External tools (Poppler and Tesseract OCR) may need to be installed manually on the host OS for OCR functionality on scanned PDFs.
  • ⚠️ Initial setup may involve downloading several hundred MBs for sentence-transformers embeddings models and NLTK data.

Verified Safe
The server implements robust path traversal protection via `ALLOWED_DOCS_DIRS` and uses environment variables for sensitive API keys. The REST API is secured with configurable API key authentication and CORS. `subprocess.Popen` with `shell=True` is used for `mdscrape`, which presents a potential, though managed, risk if external input could manipulate the command string.
Updated: 2026-01-10

High Cost

auralink

by aqilmarwan

Sec6

A local AI desktop assistant for interacting with video files (MP4) through chat, enabling transcription, visual analysis, and document generation (PDF/PPT).

Setup Requirements

  • ⚠️ Development has stopped indefinitely, and the project is not ready for daily use.
  • ⚠️ Requires Node.js 18+, Python 3.11+, Rust toolchain, Tauri prerequisites (OS-specific), and `ffmpeg` installed and accessible on PATH.
  • ⚠️ Initial startup may take 10-30 seconds due to local AI model loading, and inference performance may be slower on CPU-only systems.
  • ⚠️ Potential for port conflicts (50051-50053) used by local gRPC agents.

Review Required
The `transcription_server.py` temporarily disables HTTPS certificate verification (`ssl._create_unverified_context`) for model downloads, explicitly noted as 'dev only'. While intended for development, this pattern is a significant security risk if not removed or properly secured in production, because it exposes the model downloads to man-in-the-middle attacks. The application involves direct file system interactions (save, read, delete files, generate thumbnails) which, while necessary for a desktop app, require full user trust in the executable. gRPC communication between the Rust backend and Python agents is restricted to the local loopback interface (127.0.0.1), mitigating external network exposure for inter-process communication.
Updated: 2025-12-02

High Cost

local-deepwiki-mcp

by UrbanDiver

Sec8

The server generates DeepWiki-style documentation for private repositories, offers RAG-based Q&A, and deep research capabilities, all while prioritizing local execution for privacy.

Setup Requirements

  • ⚠️ Requires Ollama running locally, OR a paid Anthropic/OpenAI API Key for LLM operations.
  • ⚠️ Requires `uv` or `pip` for Python environment setup.
  • ⚠️ Requires `mermaid-cli (mmdc)` to be installed for PDF export with diagrams.
  • ⚠️ Requires the target repository to be a Git repository for changelog and staleness detection.

Verified Safe
The server makes justified use of `subprocess.run` for Git operations and Mermaid CLI (mmdc) for diagram rendering, which are necessary for its core documentation generation features. Input paths for reading wiki pages are validated using `Path.resolve()` and `is_relative_to()` to prevent path traversal attacks. LLM interactions involve sending code context and user queries to external or local LLM providers, carrying inherent prompt injection risks common to RAG systems, but the system's prompts are designed to ground the LLM and API keys are expected as environment variables. No direct arbitrary `eval` or `os.system` calls on user input were identified.
Updated: 2026-01-17

Low Cost

mcp-todo-server

by Rajeswari525

Sec7

Provides a backend API for managing todo items.

Setup Requirements

  • ⚠️ Requires Java Development Kit (JDK).
  • ⚠️ Requires Apache Maven for build and dependency management.

Verified Safe
The provided source code is heavily truncated, consisting only of documentation files. A comprehensive security audit is not possible without access to the application's Java source files. No obvious malicious patterns, 'eval' usage, or hardcoded secrets were found in the available documentation.
Updated: 2025-12-14