Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

44
41
Low Cost

deepsecure

by DeepTrail

Sec7

Provides a zero-trust security control plane for AI agents, enabling cryptographic identity, authenticated ephemeral credentials, fine-grained policy enforcement, secret injection, and secure delegation for AI agent-to-agent interactions.

Setup Requirements

  • ⚠️Requires Docker and Docker Compose to run the backend Control Plane and Gateway services.
  • ⚠️Client-side SDK usage and local development require Python 3.9+ and pip.
  • ⚠️Secure storage of agent private keys relies on an OS keyring (macOS Keychain, Windows Credential Store, or Linux keyring), which may require specific system setup or permissions.
  • ⚠️Critical environment variables (e.g., `SECRET_KEY`, `BACKEND_API_TOKEN`, `GATEWAY_INTERNAL_API_TOKEN`, `POSTGRES_PASSWORD`, `GATEWAY_ENCRYPTION_KEY`, `MACAROON_SECRET_KEY`) have insecure default values and MUST be replaced with strong, unique secrets for any production or secure deployment.
Verified Safe
The project uses strong cryptographic primitives (Ed25519, Shamir's Secret Sharing) and a robust dual-service architecture with JWT-based authentication. Client-side agent private keys are securely stored in the OS keyring. However, it ships with numerous insecure default values for critical environment variables (e.g., `SECRET_KEY`, `BACKEND_API_TOKEN`, `GATEWAY_INTERNAL_API_TOKEN`, PostgreSQL password, `GATEWAY_ENCRYPTION_KEY`) directly in `docker-compose.yml` and `app/core/config.py`. While the documentation advises changing these for production, their default presence poses a significant risk if not addressed by deployers.
Updated: 2026-01-18
44
37
High Cost

RedNote-MCP

by zoldyrk

Sec7

Access and interact with Xiaohongshu (RedNote) content through Model Context Protocol (MCP) by automating browser interactions.

Setup Requirements

  • ⚠️Requires Playwright browser binaries to be installed (npx playwright install).
  • ⚠️Initial setup requires an interactive manual login process via a browser window to save cookies.
  • ⚠️Login sessions (cookies) may expire, requiring re-login.
Verified Safe
The server uses Playwright for browser automation, which involves opening a browser and interacting with external websites (xiaohongshu.com). This carries an inherent risk as it executes JavaScript from a third-party site. User login cookies, containing sensitive authentication information, are saved locally in `~/.mcp/rednote/cookies.json`. While this avoids hardcoding secrets, the local storage of these cookies means they could be compromised if the user's system is breached. No 'eval', obfuscation, or other obvious malicious patterns were found in the provided source code.
Updated: 2025-12-15
44
2
Medium Cost

kiotviet-mcp

by dehuy69

Sec9

An MCP server that enables AI agents to securely interact with the KiotViet Public API by proxying requests, providing a stateless interface for product, customer, order, and invoice management.

Setup Requirements

  • ⚠️Requires `CLIENT_ID` and `CLIENT_SECRET` from KiotViet OAuth2, which are managed by the upstream 'Culi Backend' or needed for local testing via `auths.env`.
  • ⚠️The 'retailer' name (KiotViet store name) must be known and provided with each tool call.
  • ⚠️The server functions as a proxy; token management (obtaining and refreshing `access_token`) is externalized to the calling AI agent's backend (e.g., Culi).
Verified Safe
The server explicitly states and implements a stateless architecture, meaning no sensitive tokens or session information are stored on the MCP server itself. `access_token` and `retailer` are passed with each request, reducing risk. `CLIENT_ID` and `CLIENT_SECRET` are expected to be managed by the upstream Culi backend and stored in environment variables (or similar secure method) for testing scripts, not hardcoded. No `eval` or dynamic code execution from untrusted input was identified. API communication uses HTTPS, and the `httpx` client handles standard secure practices.
Updated: 2025-11-26
44
41
Low Cost

mcp-tts

by blacktop

Sec9

Provides Text-to-Speech (TTS) capabilities to MCP (Model Context Protocol) clients using various AI and system-level TTS engines.

Setup Requirements

  • ⚠️Requires API keys for OpenAI, ElevenLabs, and/or Google TTS (these are paid services, usage costs apply).
  • ⚠️The `say_tts` functionality is only available on macOS systems.
Verified Safe
The server implements comprehensive input validation and sanitization, particularly for arguments passed to the macOS `say_tts` tool, effectively preventing command injection. API keys are handled securely by being read from environment variables and masked in logs. Resource limits and robust cancellation mechanisms are in place to prevent Denial of Service (DoS) attacks and memory leaks. The project includes dedicated security testing scripts which confirm injection prevention.
Updated: 2026-01-12
44
2
Low Cost

Manages Claude Code conversation history and sessions through CLI tools and a web-based GUI.

Setup Requirements

  • ⚠️Requires Python 3.10+
  • ⚠️Requires Claude Code (for full MCP integration and to generate session data)
Review Required
The Flask web GUI runs with `debug=True` when started, including when launched via the MCP `start_gui` tool. Running Flask in debug mode in a production or even semi-exposed environment is a critical security vulnerability, as it can allow arbitrary code execution. Additionally, the server processes user-provided `project_name` and `session_id` arguments directly in constructing file paths. Malicious input (e.g., `../`) within these arguments could lead to path traversal, allowing file operations (read, delete, rename, move) outside the intended `~/.claude/projects` directory. The web GUI binds to `0.0.0.0`, potentially exposing the debug-enabled server to a local network.
Updated: 2025-12-11
43
43
High Cost

academia_mcp

by IlyaGusev

Sec4

An MCP server providing tools for searching, fetching, analyzing, and reporting on scientific papers and datasets, often powered by LLMs.

Setup Requirements

  • ⚠️Requires Python 3.12+
  • ⚠️Full functionality (LLM, search, image processing) requires API keys (e.g., OPENROUTER_API_KEY, TAVILY_API_KEY, EXA_API_KEY, BRAVE_API_KEY, OPENAI_API_KEY), many of which are for paid services.
  • ⚠️LaTeX/PDF compilation and reading tools require a local LaTeX distribution (pdflatex, latexmk) installed and on PATH.
  • ⚠️Many tools depend on `WORKSPACE_DIR` environment variable being set for file operations, which needs to be a writable directory.
  • ⚠️Optional authentication stores tokens in a local JSON file in plaintext, requiring secure file system permissions and HTTPS in production.
Review Required
The `compile_latex` tool allows compilation of LaTeX code from files within the `WORKSPACE_DIR`. If an attacker can control the content of these LaTeX files, they could potentially execute arbitrary system commands via LaTeX's `\write18` feature or similar mechanisms, leading to remote code execution. The `visit_webpage` tool can fetch content from arbitrary URLs, which could pose a Server-Side Request Forgery (SSRF) risk if not used carefully, though this is an intended feature. PDF parsing/downloading also introduces risks if processing malicious PDF files. The optional token-based authentication stores tokens in plaintext in `tokens.json` (mode 600), which requires careful protection of the file itself and use over HTTPS.
Updated: 2026-01-19
43
34
Low Cost

mcp-front

by stainless-api

Sec8

mcp-front acts as an authentication gateway for Model Context Protocol (MCP) servers, enabling Claude.ai to securely access internal APIs, databases, and tools with multi-user authentication and per-user isolation.

Setup Requirements

  • ⚠️Project is explicitly a 'work in progress' and 'not production ready'; expect breaking changes.
  • ⚠️Requires Google Cloud Console setup for OAuth credentials (Client ID, Client Secret, Redirect URI) for production deployments.
  • ⚠️Docker socket access is required for 'stdio' transport, granting significant privileges to the mcp-front container on the host.
Verified Safe
The project demonstrates strong security practices for an alpha stage: OAuth 2.0 with PKCE, AES-256-GCM encryption for session cookies and secrets, HMAC-SHA256 for token signing, Google Workspace domain validation, and robust header sanitization for requests forwarded to backend MCP servers. It enforces 32-byte minimums for JWT and encryption keys. Stdio MCP servers run in isolated Docker containers per user, and an explicit configuration syntax (`{"$env": "VAR"}`) prevents shell injection. However, the README explicitly states it's 'not production ready' and clarifies that 'mcp-front handles authentication, MCP servers handle authorization and input validation,' shifting responsibility for backend data integrity to the configured MCP servers. Granting Docker socket access for 'stdio' transport also presents a significant privilege escalation risk if not managed carefully.
Updated: 2026-01-19
43
3
Low Cost

promptbook-mcp

by isaacpalomero

Sec9

A server for organizing, managing, and semantically searching AI prompts extracted from coding assistant sessions.

Setup Requirements

  • ⚠️Requires Python 3.9+ and pip-installable dependencies (mcp, chromadb, sentence-transformers, watchdog).
  • ⚠️Requires a minimum of 2GB RAM for local embedding models.
  • ⚠️Optional: If 'lmstudio' is chosen as the `EMBEDDING_PROVIDER`, an LMStudio server instance must be running locally.
  • ⚠️An MCP-compatible client (e.g., Claude Desktop) needs to be configured to interact with this server.
Verified Safe
The server implements strong path validation (`_validate_safe_path`) to prevent directory traversal and the use of absolute paths in user-controlled inputs. JSON parsing is utilized for internal index files, mitigating risks associated with arbitrary code injection. Configuration relies on environment variables, preventing hardcoded secrets. No direct use of `eval` or `os.system` with untrusted input was identified in the provided source code.
Updated: 2025-12-09
43
13
Medium Cost

mcp-web-client

by hemanth

Sec8

A web-based client for the Model Context Protocol (MCP), enabling users to connect to multiple MCP servers, browse tools/resources/prompts, and interact via an AI-powered chat interface.

Setup Requirements

  • ⚠️Requires API keys for OpenAI, Anthropic, or Google Gemini LLM providers (paid services).
  • ⚠️Requires GitHub account client ID and secret for user authentication.
  • ⚠️Requires Cloudflare D1 database setup (CF_ACCOUNT_ID, D1_DATABASE_ID, CF_API_TOKEN) for persistent server configurations.
  • ⚠️If using the Ollama LLM provider, a local Ollama instance must be running.
Verified Safe
The server uses `new Function()` for executing JavaScript orchestration code, which, while scoped, is a dynamic code execution method. It also acts as a proxy for user-defined MCP servers and LLM APIs, meaning the backend will make requests to arbitrary external URLs based on user input. This inherent design choice, while necessary for functionality, introduces potential risks like Server-Side Request Forgery (SSRF) or proxy abuse if deployed without proper network-level isolation or rate limiting. OAuth credentials and client registrations are stored in `localStorage` on the client-side, making them vulnerable to Cross-Site Scripting (XSS) attacks if any exist on the site. However, no direct 'eval' or hardcoded secrets were found.
Updated: 2026-01-18
43
14
Medium Cost

post-cortex

by julymetodiev

Sec9

Provides long-term, persistent memory and knowledge management for AI assistants, enabling them to store, semantically search, and retrieve conversation context, decisions, and code-related insights.

Setup Requirements

  • ⚠️If using SurrealDB as the storage backend (instead of default RocksDB), a separate SurrealDB instance needs to be set up and configured, along with corresponding entries in `daemon.toml`.
  • ⚠️When first using semantic search features, an embedding model (e.g., MultilingualMiniLM) will be downloaded from HuggingFace, requiring an internet connection and local disk space. This happens automatically on first use and is then cached.
  • ⚠️For integration with Claude Desktop, a specific configuration entry must be manually added to `~/Library/Application Support/Claude/claude_desktop_config.json`.
Verified Safe
The server demonstrates a strong security posture. It is designed for local processing with explicit claims of 'no external APIs' for core operations, enhancing privacy. Input validation and type coercion are rigorously applied to tool parameters (see `daemon/validate.rs` and `daemon/coerce.rs`), mitigating injection and misuse vulnerabilities. The use of robust, lock-free concurrency primitives (ArcSwap, DashMap) minimizes common concurrency bugs that could have security implications. No 'eval' or dynamic code execution patterns were identified. While it exposes a network-facing daemon (defaulting to localhost), this is a common pattern for local services. The initial download of embedding models from HuggingFace requires internet access but is from a trusted source and cached locally, with inference then performed entirely offline. No hardcoded secrets were found; external database credentials (for SurrealDB) are user-provided configuration.
Updated: 2026-01-16
43
34
Medium Cost

typo3-mcp-server

by hauptsacheNet

Sec9

Enables AI assistants to safely view, manage, and analyze TYPO3 pages and records through its workspace system.

Setup Requirements

  • ⚠️Requires `ANTHROPIC_API_KEY` environment variable for LLM-specific tests, which will incur API costs.
  • ⚠️Requires TYPO3 v13.4+.
  • ⚠️Requires TYPO3 Workspaces extension (automatically installed as dependency).
  • ⚠️Requires PHP 8.1.0-8.4.99.
Verified Safe
All AI-driven content changes are automatically queued in TYPO3 workspaces, requiring explicit publishing to become live. Authentication uses OAuth for backend users. Input validation and SQL injection protection are implemented (e.g., in `SearchTool`). File system access (e.g., `sys_file_reference`) for inline relations is intentionally restricted due to workspace limitations. A default admin password (`Admin123!`) is hardcoded in the `Build/setup-typo3.sh` setup script for bootstrapping local/test environments, which is a weak default but not a production application secret.
Updated: 2026-01-11
43
27
High Cost

RivalSearchMCP

by damionrashford

Sec9

Advanced MCP server for web research, content discovery, and trends analysis, integrating AI for enhanced insights and orchestrating various data gathering tools.

Setup Requirements

  • ⚠️For PubMed searches, the hardcoded 'Email' header in `src/core/scientific/search/providers/pubmed.py` (research@example.com) might be flagged by NCBI for excessive use. Users should consider replacing it with their actual email for better practice and higher limits.
  • ⚠️AI-enhanced research (research_workflow) leverages OpenRouter. While it attempts to find free models, providing an `OPENROUTER_API_KEY` is recommended for reliability and potentially better performance/access to advanced models. Without it, fallback free models are used, which may have varying performance.
Verified Safe
The server demonstrates a strong focus on security. It includes explicit `RateLimiter` and `InputValidator` modules. The `InputValidator` defines and checks for `DANGEROUS_PATTERNS` like script injection, iframes, directory traversal, and `eval`/`exec` calls in user queries and URLs, which is a critical protection against common web vulnerabilities. Numeric and boolean parameters are also validated. The `SecurityMiddleware` integrates these components to block suspicious requests. `OPENROUTER_API_KEY` is retrieved from environment variables, preventing hardcoded secrets. While comprehensive, no system is perfectly impenetrable, hence a score of 9.
Updated: 2026-01-18