Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

0
0
Medium Cost
raja-aiml icon

air

by raja-aiml

Sec8

Provides a comprehensive Go framework for building production-ready AI agents and MCP (Model Context Protocol) servers with integrated observability, testing, and infrastructure management.

Setup Requirements

  • ⚠️Requires Go 1.24+ runtime.
  • ⚠️Docker and Docker Compose are explicitly required for local infrastructure management.
  • ⚠️Requires either an OpenAI API Key or an Anthropic API Key (paid services) for full Natural Language Processing (NLP) capabilities.
Verified SafeView Analysis
The project uses environment variables for sensitive configurations (e.g., database URLs, JWT secrets, API keys) which is good practice. The use of `os.exec.Command` and direct SQL query execution (`db.query`, `db.shell`) is present, but primarily within developer tools and testing infrastructure, where such operations are expected and justified. LLM integrations use tool-calling with structured schemas, which mitigates arbitrary code injection via natural language input. Local Docker Compose configurations use default 'test' credentials, which should not be used in production. Network services in local dev are exposed to 0.0.0.0, requiring users to secure production deployments appropriately.
Updated: 2025-11-24GitHub
0
0
Medium Cost
attilacsanyi icon

weather-mcp-server

by attilacsanyi

Sec9

Provides weather forecast and alert information by integrating with the National Weather Service (NWS) API, enabling external agents to query weather data for specific locations or states.

Setup Requirements

  • ⚠️Requires Node.js runtime (v16+)
  • ⚠️Requires build step (`npm run build`) before running
Verified SafeView Analysis
Input validation is performed using Zod schemas for 'state', 'latitude', and 'longitude' parameters. External API calls are made to the official NWS API over HTTPS. No hardcoded secrets or direct command execution are present. Error messages are generic, preventing information leakage. The implementation is straightforward and does not introduce obvious vulnerabilities.
Updated: 2025-12-01GitHub
0
0
Medium Cost
cladjidane icon
Sec7

Provides an MCP (Model Context Protocol) interface for Claude to manage events and registrations in EventLite using natural language.

Setup Requirements

  • ⚠️Requires an EventLite API Key (EVENTLITE_API_KEY) to be set as an environment variable.
  • ⚠️The EventLite API URL (EVENTLITE_API_URL) must be configured; defaults to localhost but production requires the official URL.
  • ⚠️If installing via npm, Node.js v18+ is required. For building standalone binaries, Bun is required.
  • ⚠️On macOS, downloaded binaries may require manual execution permission (`chmod +x`) and quarantine removal (`xattr -d com.apple.quarantine`).
Verified SafeView Analysis
The server correctly uses environment variables for API keys. However, the `upload_image` tool allows fetching images from arbitrary public URLs provided by the AI, which introduces a potential Server-Side Request Forgery (SSRF) risk if the upstream AI model is not adequately secured against malicious inputs.
Updated: 2025-11-26GitHub
0
0
Low Cost
script-dragonmkop8t icon

cryptopanic-mcp-server

by script-dragonmkop8t

Sec9

Provides AI agents with the latest cryptocurrency news by fetching data from the CryptoPanic API.

Setup Requirements

  • ⚠️Requires a CryptoPanic API Key and API Plan (external service, may be paid depending on plan).
  • ⚠️Requires Python 3.13 or higher.
  • ⚠️The provided `run_command` example uses `uv`, which needs to be installed (e.g., `pip install uv`).
Verified SafeView Analysis
The server correctly uses environment variables for API keys, preventing hardcoding. It uses the standard `requests` library for external API calls, and limits the number of pages fetched to 10, mitigating potential abuse or excessive resource usage. Basic error handling is present around API calls. No dangerous functions like `eval` or `exec` are used. The primary security consideration is reliance on an external API (CryptoPanic) for data, which is inherent to its functionality.
Updated: 2025-12-11GitHub
0
0
Medium Cost
hisinha-rakesh icon

postgresql-mcp-server

by hisinha-rakesh

Sec4

Manage and interact with a PostgreSQL database using natural language queries, enabling full DDL, DML, TCL, and backup/restore operations via an AI assistant.

Setup Requirements

  • ⚠️Requires Azure OpenAI API Key with Claude deployment (Paid Service)
  • ⚠️Requires a running PostgreSQL database
  • ⚠️Requires Python 3.8+
  • ⚠️PostgreSQL client tools (pg_dump, psql, pg_restore) must be installed and in PATH for full backup/restore functionality.
Review RequiredView Analysis
The application is a proof-of-concept for executing LLM-generated SQL, which is inherently dangerous. While the 'enterprise' server attempts to use structured tool calls with parameters for DML operations (reducing direct SQL injection risk), DDL operations still involve the LLM generating raw SQL which is then executed. The server also uses `subprocess.run` for `pg_dump`/`pg_restore` which, if arguments are not perfectly sanitized, could be vulnerable to command injection (though efforts are made to pass arguments safely). The project README explicitly highlights these critical security risks and strongly advises against production use without significant safeguards like human-in-the-loop validation, least privilege database users, and sandboxing.
Updated: 2025-12-14GitHub
0
0
Low Cost
mayank-vikki icon

test-remote-mcp-server

by mayank-vikki

Sec9

This server provides an API for managing personal expenses, allowing users to add, list, and summarize financial transactions.

Setup Requirements

  • ⚠️Database data is ephemeral as it's stored in a temporary directory and will be lost on system restarts or temporary file cleanup.
  • ⚠️Requires Python 3.11 or higher.
  • ⚠️Dependencies `aiosqlite` and `fastmcp` must be installed.
Verified SafeView Analysis
The code utilizes parameterized SQL queries which prevents SQL injection vulnerabilities. No 'eval', 'exec', or similar dangerous functions are used. There are no hardcoded secrets found. The database is stored in a temporary directory, which is a functional detail rather than a security flaw, but implies ephemerality. The server defaults to listening on 0.0.0.0:8000, which is broad for production but standard for development and containerized environments.
Updated: 2025-11-26GitHub
0
0
Medium Cost
slomo-b icon
Sec9

Provides comprehensive Hero UI documentation and design principles to AI assistants via the Model Context Protocol (MCP), enabling them to answer development-related queries.

Setup Requirements

  • ⚠️Requires Python 3.8 or higher.
  • ⚠️Requires `pip install fastapi uvicorn pydantic`.
  • ⚠️The `cwd` path in Claude Desktop/Cline integration configurations must be manually adjusted to the local repository path.
Verified SafeView Analysis
The server primarily reads local JSON files and processes simple string queries for information retrieval. No dynamic code execution (e.g., eval, exec), direct system calls, or external network requests are observed within the provided source. Input parameters are used for lookup and searching against predefined data, mitigating injection risks. Error handling for tool calls is robust. Security largely depends on the integrity of the local JSON data and the deployment environment.
Updated: 2025-11-29GitHub
0
0
Low Cost
sentice icon

mcp-server

by sentice

Sec8

An MCP server providing a tool to retrieve user balance data from an external backend service, intended for use by LLMs or other agents that can consume MCP tools.

Setup Requirements

  • ⚠️Requires Docker and Docker Compose for the intended setup.
  • ⚠️An external 'food2' Docker network is expected to exist (or configuration adjustment needed).
  • ⚠️Requires a '.env' file with 'BACKEND_URL' pointing to the Adonis backend service.
Verified SafeView Analysis
The server uses environment variables for sensitive configurations like BACKEND_URL, which is good practice. It handles incoming requests and dispatches them to a backend service. The 'users_balance' tool accepts a 'filters' object from the client which is passed to an external Adonis backend. The security of this data flow (e.g., against SQL injection or other backend vulnerabilities) depends entirely on how the Adonis backend processes these 'filters'. However, within the scope of the provided MCP server code itself, no direct 'eval', command injection, or hardcoded secrets are present. Broad CORS ('*') is enabled, which is generally acceptable for public APIs or development environments but might need stricter control in production.
Updated: 2025-12-02GitHub
0
0
Medium Cost
EfeSenerr icon

demo_mcp_learn

by EfeSenerr

Sec9

A multi-agent demonstration integrating the Model Context Protocol (MCP) with the Microsoft Agent Framework to create collaborative AI agents.

Setup Requirements

  • ⚠️Requires Python 3.10+ (pyproject.toml specifies >=3.10).
  • ⚠️Requires a GitHub Personal Access Token (`GITHUB_TOKEN`) for the GitHub Models API, which may incur costs or require specific GitHub account access.
  • ⚠️Requires a 'The One API' Key (`ONE_API_KEY`), which is an external API for LOTR quotes.
Verified SafeView Analysis
The code relies on external APIs (The One API, GitHub Models API) for functionality. API keys are properly handled via environment variables and are not hardcoded. No 'eval' or other directly dangerous patterns are observed.
Updated: 2025-11-21GitHub
0
0
Medium Cost
SEMGOODD icon
Sec6

Facilitates an AI agent to access internal project data and fetch external website content through a standardized tool-calling interface (MCP).

Setup Requirements

  • ⚠️Requires Ollama to be running locally with the 'llama3.2:latest' model downloaded.
  • ⚠️Requires Python 3.12 or newer.
  • ⚠️The 'server.py' file must be present in the same directory as 'client.py'.
Verified SafeView Analysis
The `fetch_website_content` tool allows the AI model to make arbitrary HTTP GET requests to any URL. This presents a moderate risk for Server-Side Request Forgery (SSRF) if the server is running in an environment where it can access internal networks. It could also be misused for external reconnaissance or denial-of-service attempts against external targets. There are no other obvious hardcoded secrets or dangerous functions like `eval` detected.
Updated: 2025-11-26GitHub
0
0
Low Cost
Taiinguyenn139 icon

self-mcp

by Taiinguyenn139

Sec9

Develops and hosts custom MCP (Model Context Protocol) tool servers for integration with LLMs like Claude, providing real-time information or capabilities.

Setup Requirements

  • ⚠️Requires Python 3.12+
  • ⚠️Requires Anthropic API Key (Paid) for the client application to interact with Claude
  • ⚠️Requires dependency installation (e.g., `uv sync` or `pip install -r requirements.txt`)
Verified SafeView Analysis
No direct 'eval' or obvious malicious patterns found. The client executes server scripts specified via command-line arguments, which is standard for CLI tools but assumes trusted input for the script path. External API calls use httpx with basic error handling. No hardcoded secrets; API keys are loaded from environment variables via python-dotenv.
Updated: 2025-11-23GitHub
0
0
Medium Cost
nestr-dev icon

nestr-mcp

by nestr-dev

Sec9

Connects AI assistants to Nestr workspaces, enabling them to manage tasks, projects, organizational structures, and retrieve insights.

Setup Requirements

  • ⚠️Requires `NESTR_API_KEY` or `NESTR_OAUTH_TOKEN` environment variable for authentication.
  • ⚠️For self-hosted OAuth, `NESTR_OAUTH_CLIENT_ID` and `NESTR_OAUTH_CLIENT_SECRET` must be configured after contacting Nestr to register an OAuth client.
  • ⚠️Requires Node.js version 18 or higher.
Verified SafeView Analysis
The server implements robust security measures including explicit environment variable usage for API keys/OAuth tokens, proper input validation (using Zod schemas), and HTML escaping for error messages to prevent XSS. It handles OAuth with PKCE verification by proxying to Nestr, adding an important security layer. Session management relies on MCP client termination or server shutdown for cleanup, but `oauth/storage.ts` includes a periodic cleanup for pending auth requests. No `eval` or blatant obfuscation detected. Dynamic client registration, while a standard OAuth feature, always carries inherent risks that appear well-mitigated through validation.
Updated: 2026-01-19GitHub
PreviousPage 672 of 713Next