Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

Vetted Servers (8554)

Medium Cost

CSE-MCP-Server

by Yazhodha

Sec9

Provides structured, real-time, and historical Colombo Stock Exchange (CSE) market data to AI agents and applications via Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires .NET 10 SDK to build and run.
  • ⚠️Requires Claude Desktop (or any MCP-compatible client) for interaction.
Verified Safe
The provided code snippets (standard .NET config files) do not contain malicious patterns, 'eval', or hardcoded secrets. The server is intended for local execution (http://localhost:5248) and integrates with the CSE Official API. Without the full source code of the CSE API integration, a comprehensive audit is not possible, but the visible components are clean and secure for local use. The `AllowedHosts: "*"` in appsettings.json is a common default for development but should be restricted for public deployments.
Updated: 2025-12-14
Medium Cost

This project is an automation test suite designed to validate the functionality of the Obot.ai AI chatbot platform, specifically focusing on its Multi-Cloud Platform (MCP) server integrations and AI agent capabilities through UI interactions.

Setup Requirements

  • ⚠️Requires Node.js (version 14.x or higher) and npm.
  • ⚠️Requires a compatible web browser (e.g., Chrome) and its corresponding WebDriver (e.g., ChromeDriver).
  • ⚠️Requires an OpenAI API Key for running the `eval` script, which incurs usage costs.
  • ⚠️Extensive environment variables are required for connecting to various MCP servers being tested (e.g., `OBOT_URL`, `WP_USERNAME`, `GITLAB_TOKEN`, `BQ_APP_CREDS`, `AWS_KEY_ID`, etc.), which need to be configured before execution.
Verified Safe
The project handles credentials (API keys, URLs, usernames, passwords) through environment variables (`process.env`), which is a good practice for preventing hardcoded secrets. However, the `auto_eval.ts` script requires an `OPENAI_API_KEY` for grading, and running tests against various MCP servers will require numerous specific credentials to be set in the environment. Screenshot and page source capture on test failures (in `src/core/softAssert.ts`) could expose sensitive test data if not handled carefully, though this is standard for UI testing. There are no immediate signs of direct code injection vulnerabilities or obfuscation within the provided source.
Updated: 2025-12-16
Medium Cost

twitterapi-io-mcp

by dorukardahan

Sec9

Provides offline access to TwitterAPI.io documentation (endpoints, pages, blogs) for Claude and other AI assistants.

Setup Requirements

  • ⚠️Requires Node.js >=18.18.0.
  • ⚠️For Claude Code users, the `claude` CLI must be installed to add the MCP server.
Verified Safe
The server primarily serves documentation from a local snapshot. When fetching live URLs via the `get_twitterapi_url` tool, it explicitly restricts fetches to `twitterapi.io` and `docs.twitterapi.io` domains, reducing arbitrary network risks. No `eval` or obvious obfuscation detected. Hardcoded secrets are not present; API keys in examples are placeholders. Configuration via environment variables is supported, which is good practice.
Updated: 2025-12-27
Low Cost

Provides sample implementations and templates for building serverless Minecraft Protocol (MCP) servers.

Verified Safe
Only `README.md` was provided for source code analysis. No executable server code was available to audit for security risks such as 'eval', obfuscation, network risks, hardcoded secrets, or malicious patterns. The provided `README.md` itself contains no identifiable security risks.
Updated: 2025-11-30
Medium Cost

emeq-mcp

by yusufkaracaburun

Sec8

This package enables Laravel applications to integrate with AI assistants using the Model Context Protocol (MCP) and Laravel Boost for project-specific guidelines, providing tools, resources, and prompts for AI interaction.

Setup Requirements

  • ⚠️Requires Laravel 10.x, 11.x, or 12.x.
  • ⚠️Requires Laravel Boost (if Boost integration is enabled).
  • ⚠️Requires `php artisan mcp:start <server_name>` running as a long-lived process or a web endpoint configured via `Mcp::web()`.
Verified Safe
The server exposes powerful application capabilities (Artisan commands, database queries, file operations, model CRUD) to AI agents. Key tools (`ArtisanCommandTool`, `DatabaseQueryTool`, `FileOperationTool`) include explicit security measures such as allowed command/path lists and query type restrictions (SELECT only). By default, these lists are empty or restrictive, requiring user configuration to enable broader access. This design is robust for an AI agent framework; however, user misconfiguration can lead to vulnerabilities. The `configure.php` script uses `shell_exec` but is a one-time setup script intended for deletion, making its transient use acceptable.
Updated: 2026-01-05
Medium Cost

devlens-mcp

by Y4NN777

Sec9

An MCP server that provides AI assistants with structured and token-efficient web access for search, scraping, and documentation gathering, aiming to reduce developer context-switching.

Setup Requirements

  • ⚠️Requires Python 3.12 or newer.
  • ⚠️Requires `uv` package manager for installation and execution.
  • ⚠️`crawl4ai` dependency may implicitly require browser binaries (e.g., Chromium) on the system, though it typically manages this internally.
Verified Safe
The project extensively interacts with external web content, which inherently carries risks. However, it mitigates these by: using established and robust libraries like `httpx`, `crawl4ai`, and `duckduckgo-search`; implementing URL format validation and basic filtering against known problematic links in `crawl_docs`; and strictly controlling same-domain link following. No `eval`, code obfuscation, or hardcoded secrets were found in the provided source. Input sanitization is present for search queries and URLs. The primary risk would be a highly sophisticated Server-Side Request Forgery (SSRF) if the server were exposed publicly without additional network layers, but the internal handling suggests reasonable precautions.
Updated: 2025-12-12
High Cost
Sec5

Automate browser interactions for testing, web scraping, and page analysis using natural language commands via the Model Context Protocol.

Setup Requirements

  • ⚠️Requires Node.js version 18.0.0 or higher.
  • ⚠️Requires manual installation of appropriate browser drivers (GeckoDriver for Firefox, EdgeDriver for Edge, Safari built-in needs `--enable`).
  • ⚠️The `execute_script` tool allows arbitrary JavaScript execution in the browser, posing a security risk if used with untrusted input.
Verified Safe
The server provides an `execute_script` tool that allows execution of arbitrary JavaScript in the browser. While the README explicitly warns users about the security risks and advises against using untrusted input, this capability inherently lowers the security score for a general-purpose server. The file operations (`upload_file`, `take_screenshot`) implement basic path traversal checks to prevent writing/reading files outside the working directory, which is a good security practice. The server's overall security depends heavily on how the `execute_script` tool is used by the client.
Updated: 2025-11-23
Medium Cost
Sec8

An MCP server providing blog data via tools, resources, and prompts for AI applications, and an Express REST API for traditional consumption.

Setup Requirements

  • ⚠️Requires Node.js (v18+ is recommended by the '@modelcontextprotocol/sdk' dependency).
  • ⚠️Full MCP functionality (Tools, Prompts) requires an MCP-compatible LLM client (e.g., Claude Desktop) to connect to the MCP server via stdio.
Verified Safe
The Express API server is configured with a permissive CORS policy (origin: '*'), which is a security risk in production environments and should be restricted to known client origins. No critical vulnerabilities like 'eval', direct command injection, or hardcoded sensitive credentials were found. MCP communication over stdio is generally secure within its intended client-server model.
Updated: 2026-01-19
Medium Cost

MCP-Server

by Hasnizaa

Sec4

A backend server for a Minecraft-compatible game, handling client connections, authentication, and game packet processing.

Setup Requirements

  • ⚠️Authentication requires custom implementation (e.g., database, secure password hashing) for practical use.
  • ⚠️A compatible Minecraft client is required to connect to the server.
Review Required
The `_authenticate` method implements "simulated authentication logic", which is a critical security risk. It may use static credentials or an unspecified insecure method. Real-world deployment requires robust authentication, secure password hashing, and potentially external identity providers. Malformed packet handling could also be a vector for denial-of-service or other attacks if not thoroughly robust. No 'eval' or obfuscation observed, and no hardcoded secrets other than the potential for static credentials in the authentication logic.
Updated: 2025-12-05
Low Cost
Sec9

Provides real-time crew scheduling, legality checking, and disruption recovery tools for airline crew controllers, designed for high-pressure day-of-operations scenarios.

Setup Requirements

  • ⚠️Requires Node.js runtime to be installed.
  • ⚠️For real-world deployment, significant development is needed to replace mock data and mocked external service calls with actual crew tracking systems, databases (e.g., PostgreSQL, Redis), and external APIs (for notifications, booking, etc.).
  • ⚠️Integration with tools like Claude Desktop requires manual configuration of the absolute path to the server's executable (`dist/index.js`).
Verified Safe
The server communicates via standard I/O (stdio) using the Model Context Protocol, which limits direct network exposure. Most external integrations (e.g., database, ML models, notification services, booking systems) are explicitly mocked within the source code, reducing immediate security risks related to external API keys or connections in this specific version. The only environment variable used (`NODE_ENV`) is not a secret. Future enhancements and real-world integrations will introduce new security considerations.
Updated: 2025-12-01
Medium Cost

SigilDERG-Custom-MCP

by Superuser666-Sigil

Sec9

A Model Context Protocol (MCP) server providing IDE-like code search and navigation, including trigram-based text search, symbol-based navigation, and semantic code search via vector embeddings, designed for integration with AI assistants and agents.

Setup Requirements

  • ⚠️Requires external executable 'universal-ctags' for symbol extraction.
  • ⚠️Python dependencies like 'rocksdict', 'lancedb', 'pyarrow' (for embeddings), and 'watchdog' (for file watching) may have complex native library requirements. Installation via `pip install .[lancedb]` or similar is needed.
  • ⚠️OpenAI embedding provider requires a paid OpenAI API Key. Local embedding models via `llama-cpp-python` require downloading large GGUF model files and may demand significant CPU/GPU resources.
  • ⚠️If `admin_ui_auto_start` is enabled, Node.js and `npm` (or `bun`) are required to run the Vite-based Admin UI development server.
Verified Safe
The server implements multiple layers of authentication including OAuth2 with PKCE, API keys, and IP whitelisting. Sensitive data (API keys, client secrets) are generated and stored with restricted file permissions or sourced from environment variables, avoiding hardcoding. A Host Allowlist Middleware mitigates DNS rebinding. The Admin API is protected by IP whitelisting and an optional API key. While `allow_local_bypass` is convenient for development, it's flagged with warnings for production deployments.
Updated: 2025-12-16
Medium Cost

mcp-secure-server

by agileandy

Sec9

A security-first Model Context Protocol (MCP) server designed to run locally, providing controlled external network access and extensible tool execution capabilities for AI agents.

Setup Requirements

  • ⚠️Requires Python 3.11+ and `uv` for dependency management.
  • ⚠️The security policy (config/policy.yaml) is deny-by-default and requires explicit configuration for any network access, filesystem paths, and command permissions. Misconfiguration can prevent desired functionality.
  • ⚠️Plugin development (adding new tools) requires adherence to the `PluginBase` interface and careful updates to the security policy for any external interactions like network or filesystem access.
Verified Safe
The server features a robust, security-first design with a deny-by-default network firewall, comprehensive input validation (JSON Schema, path traversal, command sanitization), per-tool rate limiting, and audit logging with sensitive data redaction. Plugins are isolated and audited. No 'eval' or obvious hardcoded secrets were found. The architecture promotes defense-in-depth, relying heavily on a configurable security policy, making it generally safe to run with a well-defined policy.
Updated: 2025-12-12