Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Low Cost
Sec9

Manipulate Excel files (XLSX, XLSM) for data operations, formatting, charting, and reporting, with AI assistant (LLM) integration via Model Context Protocol.

Setup Requirements

  • ⚠️Requires Node.js 14.0 or higher
  • ⚠️Requires Python 3.8 or higher
  • ⚠️PDF export functionality requires either Microsoft Excel (on Windows) or LibreOffice/OpenOffice (on Linux/macOS) to be installed on the system.
Verified Safe
Leverages `subprocess.run` for PDF export via external tools (LibreOffice or MS Excel on Windows). While precautions are taken (e.g., no `shell=True`, use of `os.path.abspath`), this introduces a dependency on the security of those external applications. Data sanitization is applied for Excel cell content. Independently audited by MseeP.ai with a 100/100 security score, indicating a low overall risk.
Updated: 2025-11-26

Low Cost

ai-poland-mapbox-mcp

by mattpodwysocki

Sec9

This repository serves as a Slidev presentation demonstrating Mapbox's Model Context Protocol (MCP) and DevKit for building AI-powered location intelligence and developer tools.

Setup Requirements

  • ⚠️Requires `MAPBOX_ACCESS_TOKEN` to be set as an environment variable for the external Mapbox MCP servers demonstrated in the presentation code snippets to function correctly.
Verified Safe
This repository primarily contains a Slidev presentation configuration and markdown slides. No explicit server-side logic, 'eval' usage, obfuscation, or hardcoded sensitive data is found within the provided source code for *this* repository. The `npx` commands shown in the slides demonstrate running external Mapbox MCP servers, which would require an API token, but this token is configured as an environment variable (`MAPBOX_ACCESS_TOKEN`) for the *external* server, not hardcoded in this presentation itself. As a presentation, the inherent security risk of this codebase is low, assuming external dependencies are vetted.
Updated: 2025-11-24

Medium Cost

mcp-server

by VanshTheJudged

Sec8

This server implements the Model Context Protocol (MCP) to expose company data as tools and UI resources for use by AI models, enabling structured data search and profile rendering.

Setup Requirements

  • ⚠️Requires Node.js (version 18 or higher for ES module support, though package.json specifies ^25.2.1).
  • ⚠️Requires a `companies.csv` file to be present in a `./data` directory relative to the `index.js` file for data loading.
  • ⚠️Requires `CompanyProfile.html` and `CompanyTable.html` files in the same directory as `index.js` for serving UI resources.
Verified Safe
The server handles requests to search and retrieve company data from a local CSV file. The `applyFilters` function safely handles user input by explicitly converting values to strings or numbers before comparison, mitigating direct code injection risks. File path constructions use `path.join(__dirname, ...)` which helps prevent path traversal vulnerabilities when serving HTML resources. No `eval` or similar direct code execution methods are observed. The `cors` policy is set to `origin: "*"`, allowing requests from any origin, which is common for public APIs or development, but should be noted if sensitive data is ever processed and tighter origin controls are needed. No hardcoded secrets (API keys, database credentials) are found. The server implements robust error handling for unknown MCP methods or tools. Rate limiting is not explicitly used on the main `/mcp` endpoint in the provided code, which could be a consideration for a production environment.
Updated: 2025-11-25

High Cost
Sec9

Provides an unofficial MCP server for querying Swiss company registry data (Zefix REST API and UID Webservice) to retrieve company information, validate identifiers, track publications, and generate comprehensive due diligence reports.

Setup Requirements

  • ⚠️Requires Zefix API credentials (username and password) which must be requested from the Federal Registry of Commerce (not publicly available).
  • ⚠️Tools returning search results, company details with enrichment, or due diligence reports can generate large JSON or Markdown outputs, potentially consuming significant LLM token limits and increasing costs.
Verified Safe
The server leverages environment variables for sensitive API credentials (ZEFIX_USERNAME, ZEFIX_PASSWORD), preventing hardcoding. Robust input validation is implemented using Zod schemas across all tool arguments, mitigating common data-related vulnerabilities. API interactions (Zefix REST, UID Webservice SOAP) utilize well-established libraries ('ky' and 'soap') with features like retries and timeouts for network resilience. Logging is structured via Pino, and a basic in-memory cache is used responsibly. No 'eval' or other obfuscation/malicious patterns were identified in the provided source code. The primary residual risk is the secure management of the Zefix credentials by the deploying user.
Updated: 2025-11-20

High Cost

zc9uVMJHDrT3dpLz

by mukeshmk

Sec8

A conversational AI system that answers user queries about movies using the MovieLens dataset and provides weather forecasts/alerts via a multi-agent LangGraph workflow.

Setup Requirements

  • ⚠️Requires Python 3.13+
  • ⚠️Requires local Ollama server with a tool-calling compatible model (e.g., 'qwen3:8b') OR an OpenAI/Groq API Key.
  • ⚠️Requires manual MovieLens dataset download and database ingestion (`python -m convai.data.ingest`).
  • ⚠️Requires running a separate MCP Weather Server process (`uv run python mcp_server/weather_server.py --transport http`) for weather query functionality.
Verified Safe
The application leverages established frameworks (FastAPI, SQLAlchemy, LangChain) with standard security practices like ORM for database interactions and structured output for LLM agents, which helps mitigate direct prompt injection leading to arbitrary code. API keys are managed via environment variables. The MCP server uses `httpx` for external API calls, and the `stdio_client` for the weather agent launches a Python script as configured by `MCP_SERVER` environment variable, which implies trust in this configuration value. No direct `eval` or user-controlled command injection points were found from typical user input.
Updated: 2025-11-28

Medium Cost

upgrade-advisor

by thatgeeman

Sec3

AI-powered agent for Python package dependency analysis, vulnerability detection, and upgrade recommendations using `uv` and PyPI/GitHub data.

Setup Requirements

  • ⚠️Requires Hugging Face Inference API Key (potentially a paid service)
  • ⚠️Requires GitHub Personal Access Token (PAT) with public repo read scope
  • ⚠️Python 3.10+ only
Review Required
The server executes external commands, specifically installing `uv` using `curl -LsSf https://astral.sh/uv/<VERSION>/install.sh | sh` and then running `uv pip compile` on user-uploaded `pyproject.toml` files. While executed in a temporary directory, this involves running untrusted shell scripts from an external URL and processing potentially malicious configuration files, which presents significant supply chain and command injection risks. The `smolagents` framework introduces potential LLM prompt injection vulnerabilities, where malicious input could lead to misuse of tools or generation of harmful content. File uploads are checked for path traversal, but the core execution model involving dynamic `uv` installation and execution is a high-risk area.
Updated: 2025-12-01

Medium Cost
Sec9

Provides intelligent access to Veradigm Unity API for healthcare data integration via a remote Model Context Protocol (MCP) server.

Setup Requirements

  • ⚠️Requires Node.js 18+ and TypeScript development environment.
  • ⚠️Requires comprehensive Veradigm Unity API credentials (application and EHR user accounts) configured in a `.env` file.
  • ⚠️The `UNITY_APP_PASSWORD` must be enclosed in quotes within the `.env` file if it contains special characters like `#`.
Verified Safe
The server's design uses a single authenticated Unity API session for all incoming MCP client connections, leveraging pre-configured EHR credentials (`UNITY_EHR_USERNAME`, `UNITY_EHR_PASSWORD`). This single-session model is explicitly stated in the README and impacts multi-user scenarios where distinct user-level authentication per MCP client is expected. Sensitive data like `SSN`, `MRN`, and `Password` are actively sanitized from logs using a dedicated utility. All credentials are sourced from environment variables, preventing hardcoding. HTTPS usage in production is recommended but the server itself runs over HTTP by default. No `eval` or obvious malicious patterns were found.
Updated: 2025-11-26

High Cost

image.serv

by jenreh

Sec7

Provides an AI-powered server for generating and editing images from text prompts using OpenAI and Google models, accessible via both MCP and REST APIs.

Setup Requirements

  • ⚠️Requires Azure OpenAI API key and endpoint (paid service) for image generation and editing.
  • ⚠️Requires Python 3.12 or later.
  • ⚠️The `uv` package manager is recommended for dependency installation and running the server.
  • ⚠️Google AI API key is optional for additional image generation capabilities (also a paid service).
Verified Safe
The server uses environment variables for API keys, preventing hardcoded secrets. It employs a layered architecture which aids in maintainability and potential security reviews. However, the `url_to_bytes` utility function accepts arbitrary URLs for image input, which could pose a Server-Side Request Forgery (SSRF) risk if not properly restricted in a production environment (e.g., to prevent access to internal network resources). Additionally, the `/_upload` endpoint, used for serving generated images, mounts a temporary directory (`TMP_PATH`) using FastAPI's `StaticFiles` with `check_dir=False`. While generated filenames are unique (UUID-based) which mitigates direct path traversal, careful consideration is needed to ensure the `TMP_PATH` has appropriate permissions and is not exposed beyond its intended use.
Updated: 2025-12-22

Medium Cost

mcp-server-test

by gladysvalerie

Sec9

Orchestrates an AI assistant to help users with coding problems by decomposing them into subproblems and checking solutions using an MCP server for tool execution.

Setup Requirements

  • ⚠️Requires OpenAI API Key (Paid service)
  • ⚠️Requires Python 3.11 or higher
Verified Safe
The system relies on `json.loads` to parse LLM outputs for tool arguments and structured responses. While `json.loads` itself is generally safe, any downstream processing of potentially crafted JSON could theoretically pose a risk, although no explicit vulnerabilities are apparent. The MCP server uses `stdio` transport, limiting direct network exposure to external connections. No 'eval' or other highly dangerous patterns were found.
Updated: 2025-11-20

Low Cost

mcp-server-demo

by TJC2002

Sec8

This server provides a Microservices Communication Protocol (MCP) endpoint, exposing Python functions as callable tools, dynamic resources, and prompt generators over an HTTP transport.

Setup Requirements

  • ⚠️Requires 'uv' for running as per the documentation comments.
  • ⚠️Requires the 'mcp' Python library to be installed.
  • ⚠️The server binds to port 8000; ensure this port is free.
Verified Safe
The provided code does not contain obvious direct security vulnerabilities like 'eval' or malicious patterns. User inputs for greetings are used in f-strings, which is generally safe. However, the server defaults to 'streamable-http' on localhost:8000 without explicit authentication in the code. If exposed externally without proper network security (e.g., firewall, authentication layer), it would be vulnerable to unauthorized access and tool invocation. The example 'mcp-config-example.json' even shows 'auth: "type": "none"', highlighting that some MCP servers might operate without built-in security, relying on external mechanisms.
Updated: 2025-12-04

Low Cost
Sec9

A comprehensive personal finance management system for tracking income, expenses, and generating financial reports.

Setup Requirements

  • ⚠️Requires Python 3.13+ for local installation.
  • ⚠️Requires 'uv' for dependency management and running the server.
  • ⚠️Requires a PostgreSQL 15+ database instance.
  • ⚠️Requires a `.env` file with `DATABASE_URL`, `SECRET_KEY`, and SMTP email service credentials (`SMTP_HOST`, `SMTP_PORT`, `SMTP_USER`, `SMTP_PASSWORD`).
  • ⚠️Intended for integration with Claude Desktop (or Claude Pro via custom connector).
Verified Safe
The server employs strong security practices including bcrypt for password hashing, JWT-based authentication with token expiry, robust password strength validation, and environment variable loading for all sensitive credentials (e.g., SECRET_KEY, SMTP credentials, DATABASE_URL). All database interactions use parameterized queries via asyncpg, preventing SQL injection. User data is strictly isolated by filtering all queries with the authenticated user_id. Email verification is required for critical actions like account deletion and password resets, and there are attempt limits for verification/reset codes. The default SECRET_KEY provided in the code explicitly warns it should be changed in production.
Updated: 2026-01-11

Low Cost

simple-mcp-server

by AshishBagdane

Sec8

Provides a Micro-Agent Communication Protocol (MCP) server for real-time currency conversion using an external API.

Setup Requirements

  • ⚠️Requires a free or paid API Key from ExchangeRate-API (EXCHANGERATE_API_KEY environment variable) for currency conversion, which needs to be obtained by the user.
  • ⚠️Requires `mcp`, `requests`, and `python-dotenv` Python libraries to be installed.
  • ⚠️Requires internet connectivity to reach the ExchangeRate-API service.
Verified Safe
The server correctly loads the API key from environment variables (EXCHANGERATE_API_KEY), preventing hardcoding. It relies on `requests` for external API calls, which is standard and secure. Input parameters for currency conversion are directly used in the API URL, which is typical for such services and not an immediate vulnerability given the context of currency codes. No `eval` or direct `subprocess` calls are found within the server logic itself. The `test_server.py` uses `subprocess` for testing, but that is not part of the deployed server. Error messages returned to the client are informative but do not expose critical internal system details beyond API error types.
Updated: 2025-12-10