Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost

uihash-hotnews

by Stopy160

Security score: 1

Analysis not possible: Source code was not provided in the prompt for this MCP server.

Setup Requirements

  • ⚠️ Source code not provided, unable to identify any specific setup requirements or friction points.

Review Required
CRITICAL: No source code was provided in the prompt for analysis. Therefore, a security audit could not be performed, and the server's safety, presence of 'eval', obfuscation, network risks, hardcoded secrets, or malicious patterns cannot be determined. The security score of 1 reflects this complete inability to assess the code.
Updated: 2026-01-19
High Cost

The Codebase MCP Server acts as an AI expert to index, search, and analyze Git repositories, assisting developers in understanding, reviewing, and querying code with deep codebase context.

Setup Requirements

  • ⚠️ Requires OpenAI/Anthropic API Key (Paid) for full AI-powered analysis (as demonstrated in examples, not the server itself).
  • ⚠️ Repositories are stored in `/tmp/mcp-repos` and are cleared on server restart, requiring re-indexing for persistent use.
  • ⚠️ Currently supports public GitHub/GitLab repositories only; private repositories require additional authentication setup not handled by the server.

Verified Safe
The codebase leverages `simple-git` for Git operations, which typically handles command argument escaping to prevent injection vulnerabilities. Input validation is performed using Zod schemas. Regex patterns are constructed with an `escapeRegex` helper to prevent regex injection. File system operations are confined to a designated `/tmp/mcp-repos` directory, mitigating arbitrary file access. No hardcoded secrets or direct `eval` usage are present. The primary security consideration is the lack of built-in authentication/authorization for the MCP HTTP endpoint; if deployed publicly, it would require an external security layer to prevent unauthorized access.
Updated: 2025-11-27
Medium Cost

Integrates Power BI Desktop with Claude AI models, likely functioning as a custom data connector or gateway for enhanced data analysis.

Setup Requirements

  • ⚠️ Requires Claude API Key (Paid) or a local Claude instance.
  • ⚠️ Requires Power BI Desktop installation.

Review Required
CRITICAL: No source code was provided for analysis beyond the README. A comprehensive security audit could not be performed for 'eval', obfuscation, network risks, hardcoded secrets, or malicious patterns. The score of 1 reflects this severe limitation and the inability to verify safety.
Updated: 2025-11-24
Low Cost

Deploying an unauthenticated Model Context Protocol (MCP) server on Cloudflare Workers, providing simple calculator tools to AI clients.

Setup Requirements

  • ⚠️ Requires deployment to Cloudflare Workers infrastructure.
  • ⚠️ The server is 'authless' by design, making all exposed tools publicly accessible without authentication. Deployers should be aware of this open access.
  • ⚠️ Local MCP clients like Claude Desktop require an `mcp-remote` proxy to connect to the deployed server.

Verified Safe
The server is explicitly designed to be 'authless', making its tools publicly accessible without authentication. This is a deployment consideration, not a code vulnerability, as the exposed tools (basic calculator operations) are low risk. Linter settings are relaxed (`noDebugger: 'off'`, `noExplicitAny: 'off'`) but do not introduce immediate critical vulnerabilities in this context. No evident direct code injection or `eval` usage from user input.
Updated: 2025-11-24
High Cost

sisterd_lite

by rintaro-s

Security score: 3

An AI-native OS core designed for LLMs to autonomously monitor, control, and optimize Linux systems by interacting with system services and tools.

Setup Requirements

  • ⚠️ Requires a local Ollama server running for AI features (default: http://localhost:11434).
  • ⚠️ Many system management tools require root privileges, which is not explicitly managed by the launch script.
  • ⚠️ Container features require Docker to be installed and accessible.

Review Required
The server exposes powerful system management tools, including direct shell command execution (`execute_shell_command` using `subprocess.run(..., shell=True)`) and self-modification capabilities (reading/writing workspace files). While a permission system (`PermissionManager`) and auditing decorators (`permission_audit`) are in place, the 'full' template explicitly grants AI agents broad, highly privileged access. This design is inherently high-risk, as a compromised or hallucinating LLM could execute arbitrary, destructive commands, including system reboots, user management, and sensitive file modifications. Network exposure through HTTP/JSON-RPC (ports 8089/7861 by README, 8888/7860 by script default) to these powerful tools without strong external authentication/sandboxing constitutes a severe vulnerability. The `OllamaClient` creates outbound connections, and `ContainerManager` directly invokes Docker commands, adding attack surface.
Updated: 2025-11-30
Medium Cost
Security score: 9

Provides secure, read-only access to MySQL databases through a Model Context Protocol (MCP) server, including schema introspection and Google Cloud SQL Proxy support.

Setup Requirements

  • ⚠️ Requires a MySQL database for functionality; connection details (host, port, user, password, database) must be provided via environment variables.
  • ⚠️ If connecting to Google Cloud SQL, `CLOUD_SQL_PROXY_ENABLED` must be set to 'true' and `CLOUD_SQL_INSTANCE` (e.g., 'project:region:instance') is required. Cloud SQL authentication via service account JSON (`GOOGLE_APPLICATION_CREDENTIALS`) or `gcloud auth` application default credentials is also necessary.
  • ⚠️ Requires Node.js version 18.19.0 or higher.

Verified Safe
The server implements robust query sanitization using `QuerySanitizer.ts` to explicitly reject mutation operations (INSERT, UPDATE, DELETE, DROP, etc.), transaction commands, and dangerous keywords (INTO OUTFILE, FOR UPDATE). Table names in `DescribeTableTool` are sanitized via regex to prevent SQL injection. It loads credentials from environment variables, avoiding hardcoded secrets. The Cloud SQL Proxy provides a secure connection tunnel, and its binary is auto-downloaded from a trusted Google source. While the auto-download feature inherently depends on the integrity of the source, the overall implementation of read-only enforcement and secure connection methods is strong.
Updated: 2026-01-19
Medium Cost

An AI agent-based chat application demonstrating multi-language tool use with Spring AI and Model Context Protocol (MCP).

Setup Requirements

  • ⚠️ Requires an API key for an underlying Large Language Model provider (e.g., OpenAI, Google AI, etc.), which is essential for `ChatClient` functionality but not explicitly configured in the provided snippets.
  • ⚠️ Requires a Python environment (Python 3.11 or newer) and the 'uv' package manager to run the `mcp-python-server` component, which is spawned by the Spring Boot client.
  • ⚠️ The 'mcp-client' configuration (`mcp-servers.json`) contains a hardcoded absolute path (`D:/Formation-DATA-2024/...`) to the Python server script, which must be adjusted for different operating systems and project locations.

Verified Safe
The Spring Boot client's chat endpoint (`/chat/send`) uses `@CrossOrigin("*")`, which allows requests from any origin. This is a security risk in production environments as it disables crucial same-origin policy protections. The `mcp-servers.json` contains a hardcoded absolute path to the Python server script, which needs to be adjusted; however, it's not a direct security vulnerability from code execution. No 'eval' or obvious malicious patterns found in the provided code snippets.
Updated: 2025-11-29
Medium Cost

mcp-context-server

by alex-feel

Security score: 9

A high-performance Model Context Protocol (MCP) server providing persistent multimodal context storage for LLM agents, enabling seamless context sharing across multiple agents working on the same task through thread-based scoping.

Setup Requirements

  • ⚠️ Requires 'uv' package manager for installation and running.
  • ⚠️ Python 3.12+ is the minimum required version.
  • ⚠️ For local semantic search, requires an Ollama server running locally and the specific embedding model ('ollama pull model') downloaded.
  • ⚠️ External API keys are mandatory for cloud-based embedding providers (e.g., OpenAI, Azure, HuggingFace, Voyage AI) if chosen.
  • ⚠️ FlashRank reranking model (~34MB by default) is downloaded on first use.
  • ⚠️ PostgreSQL backend requires a running PostgreSQL instance and connection string/credentials.

Verified Safe
The source code demonstrates strong security practices including: extensive input validation (e.g., regex for metadata keys), parameterized SQL queries to prevent injection, use of Pydantic's `SecretStr` for API keys and sensitive configuration, constant-time comparison for authentication tokens (`hmac.compare_digest`), and explicit mitigation of known PostgreSQL vulnerabilities (`CVE-2018-1058`). Input size limits are enforced for images and total requests. No obvious `eval` or obfuscation patterns were found. The system is designed with a clear separation of concerns (repository pattern) which aids maintainability and security auditing.
Updated: 2026-01-18
Medium Cost

wpa-mcp

by dogkeeper886

Security score: 3

An MCP server that enables AI agents to control WiFi connections on Linux systems via wpa_supplicant.

Setup Requirements

  • ⚠️ Requires `sudo` permissions for `wpa_cli`, `dhclient`, `ip`, `wpa_supplicant`, `systemctl`, `pkill`. The user running the server may need passwordless sudo configured.
  • ⚠️ NetworkManager must be disabled or configured to ignore the WiFi interface to prevent interference with `wpa_supplicant`.
  • ⚠️ Playwright's Chromium browser must be installed separately using `npx playwright install chromium` for browser automation tools.
  • ⚠️ The `browser_run_script` tool allows arbitrary JavaScript execution from the configured scripts directory if not carefully secured, leading to a critical security risk.

Review Required
The `browser_run_script` tool, which executes Playwright automation scripts, uses `import(scriptUrl)` where `scriptUrl` is constructed from user-provided `script_name` without robust path traversal validation. This poses a critical arbitrary code execution vulnerability if an attacker can craft the `script_name` parameter to point to a malicious JavaScript file on the server. Additionally, Playwright is launched with `--no-sandbox` which disables important security isolation mechanisms, increasing the risk when interacting with untrusted web content. Many core functionalities (e.g., `wpa_cli`, `dhclient`, `ip`, `pkill`) are executed with `sudo` privileges, making the application a high-privilege target. Any successful command injection would lead to system-level compromise. While some input quoting is present, the extensive use of `execAsync` and `spawn` with `sudo` presents a large attack surface. The server listens on `0.0.0.0` by default, exposing its API to the network, which requires careful firewall configuration.
Updated: 2026-01-16
High Cost

nanobanana-mcp

by a6401040

Security score: 7

Provides an MCP (Model Context Protocol) server for AI image generation and editing using the Google Gemini API, enabling AI clients to create and modify images via structured tool calls.

Setup Requirements

  • ⚠️ Requires a Google API Key with access to Gemini models (GOOGLE_API_KEY environment variable or --apiKey CLI argument).
  • ⚠️ Requires Node.js >= v18.0.0.
  • ⚠️ Image tools that do not specify `output_path` will return base64 encoded image data, which can be very large and consume significant bandwidth/memory from the calling client's context.

Verified Safe
The server allows writing files to absolute paths on the file system via `output_path` in its tools. While designed for integration with trusted AI clients/IDEs that would manage these paths responsibly, a malicious calling agent could potentially instruct the server to write to arbitrary system locations, leading to data overwrites or disk filling. The content written is image data, mitigating arbitrary code injection. Additionally, the default API base URL (`https://api.tu-zi.com/v1`) is not Google's official Gemini API endpoint, implying a proxy or custom service is used by default, which may introduce additional trust considerations.
Updated: 2025-11-30
Low Cost
Security score: 3

Extending AI capabilities by providing tools to fetch real-time financial asset prices (cryptocurrency, stocks, gold) through a Model Context Protocol (MCP) server.

Setup Requirements

  • ⚠️ Requires the `MCP_ENDPOINT` environment variable to be set, pointing to the WebSocket server endpoint for MCP communication.
  • ⚠️ The `docker-compose.yml` specifies `command: python mcp_pipe.py getassetprice.py`. However, `getassetprice.py` is configured with `mcp.run(transport="sse")`, meaning it expects to run as an SSE server, not communicate via standard I/O (stdin/stdout) with its parent process (`mcp_pipe.py`). This is a fundamental misconfiguration and the service will not function as intended without modifying `getassetprice.py` to use `transport="stdio"` or adjusting the `docker-compose.yml` to launch it via `mcp_proxy` as per `mcp_config.json`'s SSE server definitions.
  • ⚠️ Critical API keys (for CoinMarketCap and BTMC) are hardcoded in `getassetprice.py`. These must be manually changed in the source code for any deployment and are exposed in the repository. They should be refactored to use environment variables for security and flexibility.

Review Required
The project includes 'calculator.py' which uses 'eval()' to execute arbitrary Python expressions. While attempts are made to restrict the scope, 'eval()' is inherently dangerous and poses a significant security risk if untrusted inputs from an AI model are passed, especially since 'calculator.py' is configurable via 'mcp_config.json'. Furthermore, 'getassetprice.py' hardcodes two critical API keys (CoinMarketCap and BTMC_API_KEY). Hardcoding secrets is a severe security vulnerability, as they should always be loaded securely from environment variables or a secret management system. The overall project structure allows for potentially insecure 'tools' to be exposed and managed.
Updated: 2025-11-28
High Cost

claude-mcp-bridge

by jingchen0529

Security score: 6

A simple Claude MCP service for integrating custom Claude API endpoints with Claude Desktop.

Setup Requirements

  • ⚠️ Requires a paid Claude API Key and custom API endpoint.
  • ⚠️ API keys must be manually configured in `src/mcp_service.py` which poses a risk if not git-ignored.
  • ⚠️ Manual configuration of Claude Desktop via `claude_desktop_config.json` with an absolute project path is required.

Verified Safe
The default configuration in `src/mcp_service.py` involves hardcoding API keys directly into the source file. While the README provides a strong warning against committing these keys to Git and suggests best practices (like using a template and editing locally), the initial setup design makes accidental exposure of API keys a significant risk if users are not careful. The server itself does not use 'eval' or other directly exploitable patterns for arbitrary code execution. Error logging (`log_error` in `mcp_stdio_server.py`) could expose internal stack traces to stderr, which might be a minor information leak in some deployment scenarios, though less critical for a local desktop integration.
Updated: 2026-01-19