Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

0
0
Low Cost
danielrosehill icon

MCP-Manager-Research

by danielrosehill

Sec10

A personal research notebook documenting the exploration of Model Context Protocol (MCP) management tools, proxies, and related projects, outlining current challenges and proposing an intelligent MCP orchestrator.

Verified SafeView Analysis
The repository consists entirely of Markdown documentation files, including a list of related projects and transcribed voice notes. There is no executable code, 'eval' statements, obfuscation, network activity, hardcoded secrets, or malicious patterns within the provided source. It is purely informational.
Updated: 2025-11-30GitHub
0
0
Medium Cost
Eskiii icon

baostock_mcp

by Eskiii

Sec8

This server provides an MCP interface for accessing A-share stock, financial, and market data via the Baostock platform.

Setup Requirements

  • ⚠️Requires installation of Python dependencies: fastmcp, baostock, pandas.
  • ⚠️All data provided by Baostock is historical; 'real-time' data is an approximation based on the latest daily data and may have delays.
  • ⚠️Some tools, like `get_all_stocks_daily_price`, have default limits (e.g., 100 stocks) to prevent excessively large data returns.
Verified SafeView Analysis
The code primarily acts as a wrapper for the `baostock` library and `fastmcp` server. It does not contain direct `eval` or `exec` calls, shell command injections, or hardcoded secrets. Input parameters are handled within the context of the Baostock API. The main security considerations would stem from the trustworthiness and reliability of the Baostock data source itself and the network security of running a local server.
Updated: 2025-12-12GitHub
0
0
Low Cost
smslavin icon

mcp-servers

by smslavin

Sec9

An MCP server that interfaces with an MQTT broker, allowing AI agents to explore MQTT topics, subtopics, and inspect their values.

Setup Requirements

  • ⚠️Requires Python 3.13+
  • ⚠️Conda recommended for environment setup
  • ⚠️Requires access to an MQTT broker (can be a public test broker or a self-hosted one)
Verified SafeView Analysis
The server connects to an MQTT broker defined by environment variables or public defaults. No 'eval' or similar dangerous functions are used. Interaction is via Stdio, limiting network attack surface from the MCP side. The primary risk would be connecting to a malicious MQTT broker with untrusted data, which is outside the scope of this server's code vulnerabilities.
Updated: 2025-12-10GitHub
0
0
High Cost
alperenkocyigit icon

html-to-image-mcp

by alperenkocyigit

Sec8

Captures high-quality screenshots of web pages and uploads them to Cloudinary.

Setup Requirements

  • ⚠️Requires Python 3.8 or higher.
  • ⚠️Requires a Cloudinary account and API credentials (Cloudinary can be a paid service depending on usage).
  • ⚠️Chromium browser needs to be downloaded (handled by `setup.py`, but may require specific system dependencies).
Verified SafeView Analysis
The server fetches arbitrary URLs, which introduces a potential for Server-Side Request Forgery (SSRF) if deployed in an environment with access to internal networks. While the URL validation is basic, it does not prevent all forms of SSRF. However, fetching external URLs is fundamental to its functionality. Cloudinary credentials are correctly handled via environment variables. Pyppeteer's browser arguments for `--no-sandbox` are standard for headless container deployments.
Updated: 2025-11-19GitHub
0
0
High Cost
MesuterPikin icon

mcp-server-browserbase

by MesuterPikin

Sec8

Provides cloud browser automation capabilities, enabling LLMs to interact with web pages, extract data, take screenshots, and perform automated actions with atomic precision.

Setup Requirements

  • ⚠️Requires Browserbase API Key and Project ID (paid cloud service).
  • ⚠️Requires an API key for the chosen LLM (e.g., GEMINI_API_KEY for default, ANTHROPIC_API_KEY, OPENAI_API_KEY for others), implying usage of paid LLM services.
  • ⚠️Careful network configuration is needed if binding to all interfaces (`--host 0.0.0.0`) to avoid unintentional public exposure.
Verified SafeView Analysis
The server correctly handles API keys by requiring them via environment variables (e.g., BROWSERBASE_API_KEY, BROWSERBASE_PROJECT_ID, GEMINI_API_KEY). It explicitly warns and uses dummy values if these are not set, preventing accidental exposure of real keys. The `--host 0.0.0.0` option allows binding to all network interfaces, which is noted as a potential security risk if exposed to the internet without proper firewalling. The server connects to external cloud browser services (Browserbase) and various LLM APIs, which introduces reliance on external service security.
Updated: 2025-11-29GitHub
0
0
Medium Cost
ArthurTcs icon

mcp-server-secops

by ArthurTcs

Sec8

The MCP server provides a programmatic interface for Google Security Operations (Chronicle SIEM), enabling automated threat detection, incident investigation, data ingestion, rule management, and threat intelligence lookups.

Setup Requirements

  • ⚠️Requires a Google Cloud Project and a configured Chronicle SIEM instance.
  • ⚠️Requires `CHRONICLE_PROJECT_ID` and `CHRONICLE_CUSTOMER_ID` environment variables (or passed as arguments). `CHRONICLE_REGION` is also configurable.
  • ⚠️For service account authentication, `CHRONICLE_SERVICE_ACCOUNT_PATH` environment variable needs to point to a valid service account key file. Ensure the service account has necessary permissions for Chronicle API access.
Verified SafeView Analysis
The server itself acts as an API wrapper, passing user inputs (like parser code or YARA-L rules) to the Chronicle API. While the server doesn't directly execute arbitrary code, the potential risk lies in a malicious actor using this interface to deploy harmful configurations or rules within the Chronicle environment. No direct `eval` or `exec` found. Authentication relies on standard Google Cloud mechanisms (service accounts via `GOOGLE_APPLICATION_CREDENTIALS` or implicit Cloud Run identity). Error handling might expose stack traces in logs, which should be secured. Deployment instructions advise securing endpoints in production.
Updated: 2025-11-29GitHub
0
0
Medium Cost

mkd-mcp

by lucashzhang

Sec9

Manages and searches a knowledge base of Markdown documents, serving them via a FastMCP server for programmatic access.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️Expects a local filesystem directory as its knowledge base (`--root-dir`).
  • ⚠️Initial indexing of large knowledge bases can be resource-intensive.
Verified SafeView Analysis
The server design generally follows good security practices. It primarily operates on local files within a user-defined root directory, limiting the scope of potential impact. SQLite FTS5 queries use parameterized input, mitigating SQL injection risks. Dangerous operations like database regeneration require explicit user confirmation. No obvious `eval` or arbitrary code execution vectors were found. File system interactions are constrained to the provided `--root-dir` and its `.mkd-mcp` subdirectory.
Updated: 2025-11-26GitHub
0
0
High Cost
ByteBard97 icon

altium-mcp-server

by ByteBard97

Sec4

AI-assisted PCB design, analysis, and automation in Altium Designer via an MCP server.

Setup Requirements

  • ⚠️Requires Altium Designer to be running (Windows-only software).
  • ⚠️Requires Nexar API keys (NEXAR_CLIENT_ID, NEXAR_CLIENT_SECRET) for distributor integration features.
  • ⚠️Potential Python dependency conflicts, specifically ChromaDB's numpy requirement (`numpy<2.0`) clashing with newer Python versions (e.g., Python 3.14 supports `numpy>=2.3`).
Review RequiredView Analysis
The Altium bridge uses `subprocess.Popen(command, shell=True)` which is a significant security risk if the `command` string can be influenced by unvalidated user input, potentially leading to arbitrary code execution. The `http_bridge_fixed.py` (if deployed) uses `CORSMiddleware(allow_origins=['*'])` exposing the API to any origin, which is highly insecure for production environments. Configuration files (`config.json`) are managed in the working directory, which could be a risk if not properly secured.
Updated: 2025-11-22GitHub
0
0
Medium Cost
ashen-dusk icon

mcp-assistant

by ashen-dusk

Sec8

A web-based client for managing and interacting with remote Model Context Protocol (MCP) servers, enabling tool discovery, execution, and AI agent integration.

Setup Requirements

  • ⚠️Requires Supabase Account & Configuration (NEXT_PUBLIC_SUPABASE_URL, NEXT_PUBLIC_SUPABASE_ANON_KEY).
  • ⚠️Requires LangGraph Backend for AI assistant functionality (NEXT_PUBLIC_LANGGRAPH_API_URL, NEXT_PUBLIC_LANGGRAPH_ASSISTANT_ID).
  • ⚠️Requires an external Backend GraphQL API for server and assistant management (NEXT_PUBLIC_DJANGO_API_URL or NEXT_PUBLIC_BACKEND_URL).
  • ⚠️OpenAI API Key (Paid) is required for embedding functionalities and using OpenAI models.
Verified SafeView Analysis
Generally follows good security practices, utilizing environment variables for sensitive configurations and implementing explicit authentication checks for API routes. The OAuth 2.0 flow includes a `state` parameter to carry session information, and PKCE is used. `localStorage` is used for client-side non-sensitive caching. Potential minor concerns include a broad `hostname: '**'` for remote images in `next.config.ts`, which is standard for images but could hypothetically be a vector for XSS if combined with other vulnerabilities (mitigated by browser policies). Redis security depends on its external configuration.
Updated: 2026-01-19GitHub
0
0
Low Cost
Zahaawii icon
Sec6

An MCP server providing AI assistant capabilities, dynamic tool execution, and data management for ChromaDB and an external blog platform.

Setup Requirements

  • ⚠️Requires `CHROMADB_API_KEY` environment variable (for ChromaDB cloud access)
  • ⚠️Requires `GOOGLE_API_KEY` environment variable (for embedding model, as per `compose.yaml`)
  • ⚠️Requires Docker and Docker Compose to run with the provided `compose.yaml`
Verified SafeView Analysis
The server correctly uses environment variables for API keys, avoiding hardcoded secrets. There's no use of 'eval' or other directly exploitable patterns. However, the 'Next Steps' section identifies current weaknesses in backend robustness, specifically 'Input validation' and 'Strong typed error responses'. For an AI-driven tool execution platform, a lack of explicit input validation in service methods for parameters passed to external APIs or the vector store (e.g., blog post content, ChromaDB document fields) poses a potential risk if the AI generates malformed or malicious input. Generic exception handling also limits clear error reporting.
Updated: 2026-01-10GitHub
0
0
Medium Cost
mathisto icon
Sec9

Provides context-aware web fetching and content extraction tools for Large Language Models to efficiently process web content without exceeding token limits.

Setup Requirements

  • ⚠️Requires Python 3.10 or newer.
  • ⚠️Designed to be run as an MCP (Multi-tool Coordination Protocol) server, typically via `uvx`.
Verified SafeView Analysis
The server uses standard libraries (httpx, BeautifulSoup, lxml, tiktoken) for network requests, HTML parsing, and token counting. It implements basic rate limiting and request timeouts to prevent abuse and ensures timeouts are validated. Caching is in-memory only, reducing file-system related risks. No direct 'eval' or 'exec' calls, nor hardcoded sensitive information were found in the provided source code. The user agent is clearly identified.
Updated: 2025-11-28GitHub
0
0
Medium Cost
5starsunited icon

neonpanel-mcp-server

by 5starsunited

Sec9

Facilitates secure, authenticated access to NeonPanel's business intelligence and operational APIs (inventory, finance, supply chain, import management) for AI models and external integrations via the Model Context Protocol.

Setup Requirements

  • ⚠️Requires a NeonPanel account and an OAuth2 client configured with NeonPanel's authorization server. Dynamic Client Registration (DCR) is supported via a helper script.
  • ⚠️Many tools require AWS Athena configuration with appropriate IAM roles (for querying and writing to Iceberg tables), and S3 buckets for query output, implying AWS account setup and permissions for Athena and S3.
  • ⚠️Requires Node.js and npm (or similar package manager) to run locally.
Verified SafeView Analysis
The server implements robust security practices, including Zod for input validation, explicit SQL string escaping (e.g., `sqlStringLiteral`, `sqlVarcharArrayExpr`) to prevent injection in Athena queries, `jsonwebtoken` for JWT validation using JWKS, `requireBearer` middleware for authentication, and `rateLimit` middleware. The `renderSqlTemplate` function is generic, but its callers (Athena tool registration functions) correctly sanitize inputs. There are no indications of 'eval' or malicious obfuscation. Hardcoded secrets are present only in test scripts, not in the main application logic.
Updated: 2026-01-18GitHub
PreviousPage 643 of 713Next