Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers(8554)

Low Cost

ideconnect

by bluebillshtml

Sec9

Provides a self-hosted Model Context Protocol (MCP) server for shared, persistent project context across multiple AI IDEs.

Setup Requirements

  • ⚠️Requires Node.js version 18 or higher.
  • ⚠️Requires write permissions to the project directory and potentially user-level application configuration directories for IDE setup.
  • ⚠️Manual IDE configuration may be required if auto-detection fails, which involves editing specific JSON files in user application data folders.
Verified Safe
The server is self-hosted, local-only, and explicitly designed with no external network dependencies, paid APIs, or cloud services, significantly reducing network-based security risks. It stores context in local markdown files. The main security consideration is the trust required when installing a global Node.js package (`npm install -g ideconnect`) and running its setup script, which modifies local filesystem and potentially configuration files of other installed IDEs (e.g., Cursor, Claude Desktop). No 'eval' or obvious malicious patterns are present in the truncated source code, and no hardcoded secrets are identified. Overall, it appears to prioritize privacy and local control.
Updated: 2026-01-18

Low Cost

memmon

by eddiebe147

Sec7

A local development dashboard for macOS to monitor system resources (RAM, CPU, Swap) and manage active processes, including AI agents (e.g., Claude, Codex), development servers (e.g., Next.js, PostCSS workers), and local network services.

Setup Requirements

  • ⚠️Requires macOS: The API backend utilizes macOS-specific shell commands (`vm_stat`, `sysctl -n hw.memsize`, `osascript`, `purge`) and will not function correctly on other operating systems without extensive modification.
  • ⚠️Manual Path Configuration: The `scripts/start-memmon.sh` script contains a hardcoded absolute path (`/Users/eddiebelaval/Development/id8/memmon`) that must be updated to reflect the user's specific project directory.
  • ⚠️Privileged Access: Many management actions (e.g., `kill`, `pkill`, `lsof`, `purge`) require sufficient shell permissions, and `sudo purge` implies that the application or its startup script might need `sudo` privileges for full functionality.
Verified Safe
The server executes shell commands (`ps aux`, `lsof`, `kill`, `pkill`, `sysctl`, `vm_stat`, `du`, `df`) directly from the backend. While these commands are generally hardcoded or constructed from validated integers (PIDs/ports) and predefined process names, avoiding direct arbitrary user input injection, the `pkill -f` commands are broad and could impact unintended processes if process names overlap. The 'use server' actions for system management are intended for the dashboard UI, not direct public API access. The `killPort` function specifically protects Memmon's own port (1111). Overall, the risks are mitigated given the tool's nature as a local developer utility, but direct shell execution is inherently more privileged than typical web apps.
Updated: 2025-11-19

Medium Cost

Stocks-MCP-Server

by pslavchev11

Sec9

A server providing real-time and historical stock market data, company financials, and news via JSON-RPC, designed to be integrated as a tool for other applications, potentially an AI agent.

Setup Requirements

  • ⚠️Requires an Alpha Vantage API key (free tier available, but usage limits apply).
  • ⚠️Requires a Java Development Kit (JDK) to build and run.
  • ⚠️Operates as a command-line application interacting via standard input/output (stdin/stdout) for JSON-RPC, rather than a traditional HTTP web server.
Verified Safe
The server uses standard Java/Spring Boot practices and Jackson for JSON parsing, which is generally robust. Input parameters (symbol, limit) are extracted as basic data types (String, Integer) and used in URL query parameters for external API calls, mitigating direct injection risks. Error handling for API calls and JSON parsing is implemented. No 'eval' or obvious obfuscation is present. The primary security concern is the secure management of the Alpha Vantage API key, which is expected to be provided via environment variables or configuration.
Updated: 2025-11-30

Low Cost

LicenseGuard-MCP

by cassiama

Sec8

Provides a Micro-Agent Protocol (MCP) server that analyzes project dependencies from 'requirements.txt' for their software licenses by interacting with a separate REST API.

Setup Requirements

  • ⚠️Requires Docker Desktop/Engine installed.
  • ⚠️An external REST-server (LicenseGuard-API) must be running and accessible before starting the MCP server.
  • ⚠️Mandatory environment variables BACKEND_URL_HOST and BACKEND_URL_PORT must be set for the server to function.
Verified Safe
The server's code does not contain obvious malicious patterns like 'eval', 'exec', or direct shell command execution. Input validation is present for project name length and requirements content type, preventing basic injection attempts. Error handling for network, HTTP status, and timeout errors is robust, designed to prevent crashes and return structured error messages to the client. No hardcoded secrets are present; backend communication URLs are configured via environment variables. The overall security profile is intrinsically linked to the trustworthiness and security of the external REST-server it communicates with.
Updated: 2025-12-14

High Cost

lara-mcp

by Rafiza115

Sec9

This MCP server provides a single tool to translate text between languages using the Lara API, supporting language detection and context-aware translations.

Setup Requirements

  • ⚠️Requires LARA_ACCESS_KEY_ID environment variable.
  • ⚠️Requires LARA_ACCESS_KEY_SECRET environment variable.
  • ⚠️Requires Node.js and a package manager (pnpm recommended for local development/build).
Verified Safe
Credentials (LARA_ACCESS_KEY_ID, LARA_ACCESS_KEY_SECRET) are correctly handled via environment variables. All input arguments for the 'translate' tool are rigorously validated using Zod schemas, significantly mitigating common injection vulnerabilities. Output is safely stringified to JSON. The use of StdioServerTransport indicates communication over standard I/O, which is generally secure for a local process execution and doesn't expose network ports by default. No 'eval' or other highly dangerous patterns with user-controlled input were found.
Updated: 2025-12-15

Low Cost

qontak-mcp

by deptz

Sec9

Provides a Model Context Protocol (MCP) server for managing Contacts, Companies, Deals, Tickets, Tasks, Notes, Products, and Product Associations in Qontak CRM with dynamic field discovery capabilities.

Setup Requirements

  • ⚠️Requires Qontak CRM API Refresh Token.
  • ⚠️Requires Python 3.10+.
  • ⚠️Redis server is recommended for development/staging performance (local Redis or Docker setup provided).
  • ⚠️For production, HashiCorp Vault is required for token storage (needs VAULT_ADDR, VAULT_TOKEN, and proper Vault setup).
Verified Safe
The server demonstrates a strong security posture with extensive use of Pydantic for input validation (including 'forbid extra fields' and custom regex for injection prevention). It implements robust multi-tenant isolation via user_id validation and structured security logging with sensitive data redaction. Authentication uses lazy token refresh with tiered token storage options (environment for local dev, Redis for dev/staging, and Vault for production-grade security with encryption/auditing). The HTTP client explicitly verifies SSL certificates. All hardcoded API endpoints are for the known Qontak service. Explicit warnings are provided for non-production token storage solutions. No 'eval' or similar dangerous patterns were found. A score of 9 is given due to the explicit warnings about plain-text token storage in Redis for staging environments, which is a deployment-level risk if misused without proper network security, although the code itself responsibly highlights this.
Updated: 2025-11-30

High Cost
Sec9

An Azure Functions MCP (Model Context Protocol) server that provides comprehensive monitoring and insights tools for Azure Functions resources.

Setup Requirements

  • ⚠️Requires .NET 10 SDK installed.
  • ⚠️Requires explicit configuration of AZURE_SUBSCRIPTION_ID in local.settings.json or environment variables.
  • ⚠️Requires the Azure identity (user or service principal) to have 'Reader' role on the Azure subscription containing Function Apps.
Verified Safe
The server leverages Azure's managed identities for permissions, granting read-only roles (Monitoring Reader, Reader) to minimize risk. It avoids hardcoding secrets by requiring explicit configuration of subscription IDs and relying on Azure CLI login or service principals. While the 'QueryApplicationInsights' tool allows custom KQL queries, this is a feature, and its security largely depends on the permissions granted to the Function App and the context in which it is used; it does not inherently introduce code execution vulnerabilities within the server itself.
Updated: 2025-11-27

Medium Cost
Sec6

Acts as a proxy server to bridge MCP clients with the translation-helps-mcp HTTP API, handling JSON-RPC 2.0 protocol translation and response formatting for translation resources.

Setup Requirements

  • ⚠️Project is explicitly marked as DEPRECATED in its README, stating it 'will no longer work because of the upstream changes', which critically contradicts other parts of the documentation claiming it is 'PRODUCTION READY'. This implies the core functionality may be broken.
  • ⚠️Requires Python 3.10 or newer (specified in `pyproject.toml`).
  • ⚠️By default, SSL certificate verification is disabled for connections to the upstream server, posing a significant security risk (Man-in-the-Middle attacks).
Review Required
The `MCPProxyServer` class and temporary proxy instances (e.g., for `--list-tools` command) default to `verify_ssl=False` for `httpx.AsyncClient` connections to the upstream server. This disables SSL certificate verification, making connections vulnerable to Man-in-the-Middle attacks. It is a critical security risk for sensitive data or in production environments and should be explicitly set to `True` where possible. Input arguments for tool calls are passed to the upstream server; while `httpx` generally encodes parameters safely, the overall security relies on the upstream API's sanitization for complex inputs. No 'eval' or hardcoded secrets were found within the provided source code for this project.
Updated: 2025-11-25

High Cost

slopchat

by CampbellPedersen

Sec8

This MCP server enables AI models to generate and send chat messages to Atrioc's Twitch stream by providing real-time stream context, trending Reddit posts, and top news stories.

Setup Requirements

  • ⚠️Requires a Twitch account that follows 'biggreenau' to use the service.
  • ⚠️Requires Twitch Developer Application setup to obtain Client ID and manage OAuth.
  • ⚠️Requires a NewsAPI API Key for fetching news stories.
Verified Safe
The server correctly uses environment variables for sensitive API keys (Twitch Client ID, NewsAPI key, Host) and the Twitch OAuth server URL. It implements a restrictive CORS policy, allowing only specific origins (Claude AI, local MCP inspector). Twitch access tokens are validated for client ID and required scopes. There are no apparent uses of `eval` or intentional obfuscation. The `exchangeAuthorizationCodeForToken` endpoint relies on the `URLSearchParams` from `req.body` to include necessary OAuth parameters (likely `client_id` and `client_secret` if it's a confidential client flow, or other PKCE parameters), but the server itself doesn't explicitly read a `TWITCH_CLIENT_SECRET` from its environment variables for this exchange. The `getChatMessageBatch` uses a hardcoded 5-second `sleep` which is not a direct security risk but could be a performance bottleneck under high load if not properly managed.
Updated: 2026-01-19

High Cost

team-synapse

by ajaysingh-codes

Sec8

Transforms meeting recordings into a knowledge graph, enabling AI-powered chat and visualization for corporate memory and team intelligence.

Setup Requirements

  • ⚠️Requires Google Cloud Platform (GCP) project with Vertex AI API enabled and a GCS bucket.
  • ⚠️Requires a GCP Service Account Key file (`GOOGLE_APPLICATION_CREDENTIALS`).
  • ⚠️Requires a Neo4j AuraDB instance URI and credentials.
  • ⚠️Requires a Google Gemini API Key (`GEMINI_API_KEY` or `GOOGLE_API_KEY`) for live agent.
  • ⚠️Notion integration requires Node.js/npm to run the `@notionhq/notion-mcp-server` subprocess.
  • ⚠️Miro integration requires `MIRO_API_TOKEN` and `MIRO_BOARD_ID`.
Verified Safe
The application relies heavily on environment variables for sensitive credentials (GCP, Neo4j, Gemini, Miro, Notion), which is good practice. The Gradio server can be launched with `share=True`, which would expose it publicly without authentication if `GRADIO_USERNAME` and `GRADIO_PASSWORD` are not set. The Notion integration uses `npx @notionhq/notion-mcp-server`, implying a dependency on Node.js/npm and potentially introducing supply chain risks from that external package, though it's a standard tool. No 'eval' or obvious malicious code patterns were found.
Updated: 2025-11-26

Low Cost
Sec9

An asynchronous MCP server designed for tracking and summarizing personal or small-scale expenses with a local SQLite database, exposing its functionality via an HTTP API.

Setup Requirements

  • ⚠️Requires Python 3.14 or higher (Note: Python 3.14 is currently pre-release and not widely available)
  • ⚠️Requires a writable temporary directory for database storage
Verified Safe
The server uses parameterized queries with aiosqlite, effectively preventing SQL injection vulnerabilities. No 'eval', direct shell execution, or hardcoded sensitive credentials were found. The database is created in a temporary directory, which is generally safe but means the database is not persistently stored in a fixed location across system reboots unless specifically handled.
Updated: 2025-11-20

Medium Cost

mcpserver

by learner14

Sec5

To host multiplayer sessions for the Minecraft game.

Setup Requirements

  • ⚠️Requires proper network port configuration for external access
  • ⚠️Sufficient system resources (RAM, CPU) required based on player count and world complexity
Review Required
A thorough security audit could not be performed as the source code was not provided. Game servers inherently expose network ports, which could pose risks (e.g., DDoS, unauthenticated access) if not properly secured. Specific vulnerabilities like 'eval', hardcoded secrets, or malicious patterns cannot be identified without the code.
Updated: 2025-12-10