Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

Medium Cost

Translates Divi pages and WordPress posts by extracting translatable text, allowing an LLM to translate while preserving original structure and Divi shortcodes, then reassembling the content.

Setup Requirements

  • ⚠️Requires Go 1.21+ installed to build the executable.
  • ⚠️Requires Claude Desktop with MCP support to function as intended.
  • ⚠️WordPress mode requires a MySQL database connection, configured via environment variables (WP_MYSQL_USER, WP_MYSQL_DATABASE are mandatory). The user must ensure the database exists and is accessible.
Review Required
The server has a critical path traversal vulnerability. The `inputPath` and `outputPath` parameters of the file-based tools (e.g. `extract_divi_text`, `start_divi_translation`) are taken directly from the tool call and used without sanitization or confinement to a designated working directory, so whoever controls the tool arguments can read from or write to arbitrary locations on the file system. In an MCP deployment that caller is the model, so a prompt injection in the content being translated could be enough to supply such a path. WordPress MySQL credentials are read from environment variables, which is standard practice, but users still need to manage the `.env` file or environment configuration securely.
Updated: 2026-01-18 | GitHub
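Worked example (added by the editor; this is not code from the Divi translation server): confining a tool-supplied path to a workspace root in Go, the language that server is built in. The workspace directory, the sample tool arguments and the function names are assumptions. The same check applies to any MCP tool that accepts an input or output path, including the output file of the benchmarking script further down this page.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideWorkspace is returned for any path that would leave the root.
var ErrOutsideWorkspace = errors.New("path escapes the workspace root")

// escapes reports whether a filepath.Rel result climbs above its base.
func escapes(rel string) bool {
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ResolveInWorkspace confines a tool-supplied path such as inputPath or
// outputPath to root. Absolute paths are rejected; anything else is joined to
// root, cleaned (so "a/../../x" becomes "../x") and checked with filepath.Rel
// so that no ".." component survives. The result is absolute and safe to hand
// to os.ReadFile or os.WriteFile when the target may not exist yet.
func ResolveInWorkspace(root, userPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	if strings.TrimSpace(userPath) == "" || filepath.IsAbs(userPath) {
		return "", ErrOutsideWorkspace
	}
	candidate := filepath.Join(absRoot, userPath) // Join cleans the result
	rel, err := filepath.Rel(absRoot, candidate)
	if err != nil || escapes(rel) {
		return "", ErrOutsideWorkspace
	}
	return candidate, nil
}

// ResolveExistingInWorkspace is the variant for reads: it also follows
// symlinks on root and candidate, so a link inside the workspace that points
// at /etc/passwd is rejected too. The target must exist.
func ResolveExistingInWorkspace(root, userPath string) (string, error) {
	candidate, err := ResolveInWorkspace(root, userPath)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	realPath, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}
	if rel, err := filepath.Rel(realRoot, realPath); err != nil || escapes(rel) {
		return "", ErrOutsideWorkspace
	}
	return realPath, nil
}

func main() {
	const root = "/srv/divi-translate" // assumed workspace; the inputs below are constructed
	for _, p := range []string{"pages/home.json", "pages/../../etc/passwd", "/etc/passwd", "../wp-config.php"} {
		got, err := ResolveInWorkspace(root, p)
		fmt.Printf("%-26q -> %q err=%v\n", p, got, err)
	}
}
```

Use `ResolveInWorkspace` for output paths (the file may not exist yet) and `ResolveExistingInWorkspace` for input paths, so that a symlink planted inside the workspace cannot redirect a read outside it.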
Low Cost

A template for building Model Context Protocol (MCP) servers to expose tools and resources for AI interaction.

Setup Requirements

  • ⚠️Python 3.12+ only
  • ⚠️Requires uv for dependency management and execution
Verified Safe
The server template uses Pydantic for input validation, which helps prevent malformed data from reaching the core logic. Logging is correctly directed to stderr, separating it from the MCP protocol communication on stdout. No 'eval' or similar dangerous functions, hardcoded secrets, or direct network exposures (beyond FastMCP's stdio transport) were identified in the provided source code. The code is clean and follows good practices for a foundational template, making it generally safe to run as provided. Any security risks would likely stem from extensions made to the template or its deployment environment.
Updated: 2025-12-13 | GitHub
Medium Cost

simple-mcp-server-hono

by sathishkannan162

Sec5

A Model Context Protocol (MCP) server that provides AI agents or other applications programmatic access to PostgreSQL database schema and a read-only SQL query execution tool.

Setup Requirements

  • ⚠️Requires an external PostgreSQL database with `DATABASE_URL` configured.
  • ⚠️Designed for deployment on Cloudflare Workers, requiring `wrangler` CLI and a Cloudflare account for production deployment.
  • ⚠️The `execute-read-queries` tool executes caller-supplied SQL directly; connect it with a least-privilege, read-only database role and expose it only to trusted callers, since client-side sanitization cannot make arbitrary SQL safe.
Review Required
The `execute-read-queries` tool executes the caller-supplied `sql` string as-is (`client.query(sql)`). It is wrapped in a `READ ONLY` transaction, which blocks writes, but that does not limit which tables, catalogs or functions the query may touch, nor how expensive it is: whoever controls the `sql` argument (in an MCP setup the model, possibly via prompt injection) can read any data the connection's role can see, enumerate the schema, or tie up the database with slow queries such as `SELECT pg_sleep(60)`. The `zod.string()` check only confirms that the argument is a string. Because the tool is arbitrary SQL by design, sanitization in the consuming application cannot make it safe; the effective controls are a dedicated least-privilege database role, a `statement_timeout`, and a server-side single-statement allowlist.
Updated: 2025-11-19 | GitHub
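Worked example (added by the editor; not code from simple-mcp-server-hono, which is TypeScript on Cloudflare Workers): a server-side guard for a read-only SQL tool, written in Go. It rejects multi-statement input with a quote- and comment-aware scan, accepts only read statement heads, and returns the transaction prelude (`BEGIN READ ONLY`, `SET LOCAL statement_timeout`) that should wrap the query on a least-privilege role. The timeout, the accepted keyword list and the sample queries are assumptions; nested block comments and dollar quoting (`$$...$$`) are deliberately not parsed, so a semicolon inside them counts as a statement break and the query is rejected rather than passed through.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

var (
	ErrEmptyQuery     = errors.New("empty query")
	ErrMultiStatement = errors.New("exactly one statement is allowed")
	ErrNotReadQuery   = errors.New("statement is not a read query")
)

// Statement heads accepted. WITH and EXPLAIN are only safe because the READ ONLY
// transaction below stops a data-modifying CTE or an EXPLAIN ANALYZE of a write.
var readForms = map[string]bool{"SELECT": true, "WITH": true, "EXPLAIN": true, "SHOW": true, "VALUES": true, "TABLE": true}

func isLetter(b byte) bool { return (b|0x20) >= 'a' && (b|0x20) <= 'z' }

// scan returns the number of ';'-separated statements in sql and the upper-cased
// first keyword. Semicolons inside 'strings', "quoted identifiers", -- line
// comments and /* block */ comments are ignored. Nested block comments and dollar
// quoting are not parsed; a ';' inside them is over-counted (fail closed).
func scan(sql string) (n int, first string) {
	pending := false
	for i := 0; i < len(sql); i++ {
		switch c := sql[i]; {
		case c == '\'' || c == '"':
			pending = true
			for i++; i < len(sql); i++ { // a doubled quote is an escaped quote
				if sql[i] == c {
					if i+1 < len(sql) && sql[i+1] == c {
						i++
						continue
					}
					break
				}
			}
		case strings.HasPrefix(sql[i:], "--"):
			for i < len(sql) && sql[i] != '\n' {
				i++
			}
		case strings.HasPrefix(sql[i:], "/*"):
			if end := strings.Index(sql[i+2:], "*/"); end >= 0 {
				i += end + 3
			} else {
				i = len(sql)
			}
		case c == ';':
			if pending {
				n++
			}
			pending = false
		case c > ' ':
			if n == 0 && !pending { // first token of the first statement
				j := i
				for j < len(sql) && isLetter(sql[j]) {
					j++
				}
				first = strings.ToUpper(sql[i:j])
			}
			pending = true
		}
	}
	if pending {
		n++
	}
	return n, first
}

// GuardReadQuery is the server-side check to run on the tool's sql argument.
func GuardReadQuery(sql string) error {
	n, first := scan(sql)
	switch {
	case n == 0:
		return ErrEmptyQuery
	case n > 1:
		return ErrMultiStatement
	case !readForms[first]:
		return ErrNotReadQuery
	}
	return nil
}

// TransactionPlan returns the statements to send, in order, over a connection that
// authenticates as a least-privilege read-only role. SET LOCAL scopes the timeout.
func TransactionPlan(userSQL string, timeout time.Duration) ([]string, error) {
	if err := GuardReadQuery(userSQL); err != nil {
		return nil, err
	}
	return []string{"BEGIN READ ONLY", fmt.Sprintf("SET LOCAL statement_timeout = %d", timeout.Milliseconds()), userSQL, "COMMIT"}, nil
}

func main() { // constructed inputs standing in for the tool's sql argument
	for _, q := range []string{"SELECT id FROM users WHERE id = 7", "SELECT 1; DROP TABLE users", "DELETE FROM users"} {
		plan, err := TransactionPlan(q, 5*time.Second)
		fmt.Printf("%-36q -> %d statements, err=%v\n", q, len(plan), err)
	}
}
```

The keyword allowlist is defense in depth only: a `SELECT` can still call `pg_sleep` or read every table the role can see, which is why the role grants and the `statement_timeout` carry the real weight.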
Medium Cost

Recommends tools for step-by-step reasoning, tracks agent thought processes, and learns tool-chain patterns.

Setup Requirements

  • ⚠️Requires Node.js 20+.
  • ⚠️Requires an existing MCP client to interact with.
  • ⚠️Creates a local SQLite database file (mcp-thinking.db) by default for persistence.
Verified Safe
The server primarily operates locally, using SQLite for persistence and standard I/O for MCP communication, which minimizes external network attack surfaces. Input validation (Valibot) is used for incoming MCP requests, and SQLite queries are prepared, preventing SQL injection. No 'eval' or direct execution of user-supplied commands found. The main potential risk would be if the configured DB_PATH points to a sensitive system location, but this is a configuration rather than a code vulnerability.
Updated: 2025-12-20 | GitHub
Low Cost

mcp-supabase-server

by drogariamatogrossoti-wq

Sec8

This server acts as a backend API for a Marketing/Content Platform (MCP) to facilitate product searches within a Supabase database.

Setup Requirements

  • ⚠️Requires a Supabase project URL and API key.
  • ⚠️Requires a secret key (MCP_SECRET) for API authentication.
  • ⚠️Requires Node.js environment.
Verified Safe
Secrets (Supabase credentials, `MCP_SECRET`) are loaded from environment variables using dotenv rather than hardcoded. Access control is a check of the `x-api-key` header against `MCP_SECRET`. Database access goes through the Supabase client library, whose filter builders parameterize values and so avoid classic SQL injection; the one caveat is that `.or()` takes a raw filter string, so interpolating user input into it would let a caller alter the filter expression. No `eval` or malicious patterns were found.
Updated: 2025-12-01 | GitHub
Medium Cost
Sec9

Provides a robust Model Context Protocol (MCP) server for comprehensive e-commerce operations management.

Setup Requirements

  • ⚠️Requires a valid `STATESET_API_KEY` for integration with the StateSet API, which may be a paid service.
  • ⚠️For production deployments, a Docker or Kubernetes environment is highly recommended, requiring familiarity with these platforms.
  • ⚠️For advanced caching and distributed setups, a Redis instance is recommended and utilized by optional features.
Verified Safe
The project demonstrates a strong focus on security. It utilizes `dotenv` for environment variable management, preventing hardcoded secrets. `src/middleware/security.ts` implements `helmet` for security headers, robust CORS configuration, request sanitization (removing null bytes), API key validation, and IP whitelisting. Input validation is rigorously enforced using `Zod` schemas (`src/tools/schemas.ts`). Error handling (`src/middleware/error-handler.ts`) is structured to prevent sensitive information leakage and offers actionable suggestions. These measures collectively make the server highly secure.
Updated: 2025-12-12 | GitHub
Low Cost

designi

by buyan-kh

Sec4

Centralized management and serving of user design preferences (color, typography, tone, keywords) for AI agents to ensure aesthetic consistency.

Setup Requirements

  • ⚠️Requires Node.js 18+
Verified Safe
The server has no authentication or authorization mechanisms implemented. The CORS policy `Access-Control-Allow-Origin: '*'` allows requests from any origin. This means any client that can reach the server's `/mcp` endpoint can call the `get_design_identity` and `update_design_identity` tools, potentially allowing unauthorized access to read and modify the design profile. While suitable for a strictly local, single-user environment, it is highly insecure for public deployment without adding robust authentication and authorization layers. No `eval` or other suspicious code patterns are present, and Zod is used for input validation, which is good for data integrity.
Updated: 2025-12-02 | GitHub
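Worked example (added by the editor; not code from mcp-supabase-server, designi or the StateSet server, all of which are Node projects) covering the two controls those three analyses turn on: an `x-api-key` check against `MCP_SECRET`, done in constant time over SHA-256 digests so that neither the bytes nor the length of the secret leak through timing, and a CORS origin allowlist in place of `Access-Control-Allow-Origin: *`. It is written in Go with only the standard library; the `/mcp` route, the allowed origin, the listen address and the function name are assumptions. Requests without an `Origin` header (non-browser MCP clients) skip the CORS check but still need the key; the MCP HTTP transport's own guidance to validate `Origin` against DNS rebinding is the same control.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"log"
	"net/http"
	"os"
)

// Protect wraps an MCP HTTP handler with an x-api-key check and a CORS origin
// allowlist. Both sides of the key comparison are hashed first so that
// subtle.ConstantTimeCompare always sees equal-length inputs and neither the
// bytes nor the length of the secret leak through timing.
func Protect(next http.Handler, apiKey string, allowedOrigins []string) http.Handler {
	if apiKey == "" {
		panic("refusing to start without an API key (MCP_SECRET)")
	}
	want := sha256.Sum256([]byte(apiKey))
	allowed := make(map[string]bool, len(allowedOrigins))
	for _, o := range allowedOrigins {
		allowed[o] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Browsers always send Origin on cross-site requests; non-browser MCP
		// clients usually send none, and then only the key check applies.
		if origin := r.Header.Get("Origin"); origin != "" {
			if !allowed[origin] {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
			h := w.Header()
			h.Set("Access-Control-Allow-Origin", origin) // echo the allowed origin, never "*"
			h.Add("Vary", "Origin")
			h.Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
			h.Set("Access-Control-Allow-Headers", "Content-Type, x-api-key")
			if r.Method == http.MethodOptions { // preflight carries no credentials
				w.WriteHeader(http.StatusNoContent)
				return
			}
		}
		got := sha256.Sum256([]byte(r.Header.Get("x-api-key")))
		if subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/mcp", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, `{"jsonrpc":"2.0","result":"ok"}`) // stand-in for the real MCP endpoint
	})
	// Assumed deployment: key from MCP_SECRET, one allowed browser origin, loopback bind.
	handler := Protect(mux, os.Getenv("MCP_SECRET"), []string{"http://localhost:3000"})
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", handler))
}
```

Refusing to start when the secret is empty matters as much as the comparison: an unset `MCP_SECRET` would otherwise turn the check into "any request with an empty key is accepted".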
Low Cost

A Python-based Model Context Protocol (MCP) server providing weather forecasting and alerts from the National Weather Service API, with optional JWT authentication.

Setup Requirements

  • ⚠️Requires Python 3 and installation of dependencies via `pip install -r requirements.txt`.
  • ⚠️Enabling JWT authentication requires setting several environment variables (e.g., `JWT_REQUIRED=true`, `JWT_JWKS_URI`, `JWT_CUSTOM_HEADER`, `JWT_ALGORITHM`) correctly, especially ensuring `JWT_JWKS_URI` points to a valid public key endpoint.
  • ⚠️The server fetches JWKS from an external URL which must be accessible and trusted.
Verified Safe
The server implements JWT authentication using standard practices, fetching JWKS from a configurable URI for public key validation. It properly handles token extraction, validation (signature, expiration, etc.), and error cases (401 Unauthorized). No 'eval' or malicious patterns were found. Configuration is via environment variables, preventing hardcoded secrets. The reliance on an external JWKS URI introduces a trust dependency on that endpoint's security and availability, which is standard for JWT but a point to note. Input validation for weather tools is basic (e.g., coordinate rounding), which is generally sufficient for its purpose.
Updated: 2025-11-30 | GitHub
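Worked example (added by the editor; not code from the weather server, which is Python): RS256 verification against a JWKS document using only Go's standard library, showing the checks the analysis above credits the server with and the ones a JWKS-based verifier must not skip. The algorithm is fixed by the verifier rather than read from the token header (so `alg: none` and algorithm confusion are rejected), the key is selected by `kid`, the signature is checked before any claim is trusted, and `iss` and `exp` are enforced with a short leeway. The signing helper and generated key exist only so the example runs offline; the issuer URL, the `kid`, the 30-second leeway and the function names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK: RSA members of one jwks_uri key; encoding/json matches "kty"/"kid"/"n"/"e" case-insensitively.
type JWK struct{ Kty, Kid, N, E string }
type JWKS struct{ Keys []JWK }

type Claims struct {
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
}

var ErrInvalidToken = errors.New("invalid token")
var enc = base64.RawURLEncoding

func fail(why string) error { return fmt.Errorf("%w: %s", ErrInvalidToken, why) }

func (k JWK) publicKey() (*rsa.PublicKey, error) {
	n, errN := enc.DecodeString(k.N)
	e, errE := enc.DecodeString(k.E)
	if k.Kty != "RSA" || errN != nil || errE != nil {
		return nil, fail("unusable JWK " + k.Kid)
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// VerifyRS256 validates a compact JWS against jwks: the algorithm is fixed by the
// verifier rather than read from the token (so "none" and HS256 fail), the key is
// chosen by kid, the signature is checked before any claim is trusted, and iss and
// exp are enforced with a 30 s leeway (an assumed clock-skew allowance).
func VerifyRS256(token string, jwks JWKS, issuer string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fail("not a compact JWS")
	}
	hdrJSON, e0 := enc.DecodeString(parts[0])
	body, e1 := enc.DecodeString(parts[1])
	sig, e2 := enc.DecodeString(parts[2])
	if e0 != nil || e1 != nil || e2 != nil {
		return c, fail("bad base64url segment")
	}
	var hdr struct{ Alg, Kid string }
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return c, fail("alg is not RS256")
	}
	var key *rsa.PublicKey
	for _, k := range jwks.Keys {
		if k.Kid == hdr.Kid {
			pk, err := k.publicKey()
			if err != nil {
				return c, err
			}
			key = pk
		}
	}
	if key == nil {
		return c, fail("unknown kid " + hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return c, fail("bad signature")
	}
	if json.Unmarshal(body, &c) != nil || c.Iss != issuer {
		return c, fail("bad claims or wrong issuer")
	}
	if c.Exp == 0 || now.After(time.Unix(c.Exp, 0).Add(30*time.Second)) {
		return c, fail("expired")
	}
	return c, nil
}

// JWKSFor publishes the public half of priv the way an issuer's jwks_uri would.
func JWKSFor(priv *rsa.PrivateKey, kid string) JWKS {
	e := big.NewInt(int64(priv.E)).Bytes()
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, N: enc.EncodeToString(priv.N.Bytes()), E: enc.EncodeToString(e)}}}
}

// SignRS256 is an issuer-side helper so the example runs offline; a resource server never holds the private key.
func SignRS256(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // issuer key generated for the demo
	tok := SignRS256(priv, "k1", Claims{Iss: "https://issuer.example", Exp: time.Now().Add(time.Hour).Unix()})
	fmt.Println(VerifyRS256(tok, JWKSFor(priv, "k1"), "https://issuer.example", time.Now()))
}
```

The trust dependency the analysis notes lives in how `jwks` is obtained: fetch it only over TLS from the configured `JWT_JWKS_URI`, cache it, and refresh on an unknown `kid` rather than on every request, so a transient outage of the endpoint does not take authentication down with it.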
Low Cost
Sec5

A remote Model Context Protocol (MCP) server deployed on Cloudflare Workers, providing unauthenticated access to basic calculator tools for AI agents.

Setup Requirements

  • ⚠️Requires a Cloudflare account and configured bindings (Durable Object, KV Namespace) for deployment.
  • ⚠️The server is explicitly unauthenticated; implementing proper authentication is a critical step for any production use.
  • ⚠️Requires Node.js and npm/pnpm/yarn to set up and run locally.
Verified Safe
The server is explicitly designed to operate "without auth" as indicated by its name and README. This means that anyone with the deployed URL can invoke the calculator tools without any authentication or authorization. While acceptable for a demo or development environment, deploying this as-is in a production environment poses a critical security risk due to the complete lack of access control. The provided code does not contain 'eval', hardcoded secrets, or obvious injection vulnerabilities within the tool implementations (which utilize Zod for schema validation).
Updated: 2025-11-27 | GitHub
Low Cost
Sec9

Provides performance benchmarking capabilities for an exploratory data analysis (EDA) server built on the Model Context Protocol.

Setup Requirements

  • ⚠️Requires `Pydantic` (v2 implied by `model_dump_json`).
  • ⚠️Requires `NumPy`.
  • ⚠️GPU benchmarks require `PyTorch` and a CUDA-compatible GPU, otherwise, they are skipped gracefully.
Verified Safe
The provided code is a local benchmarking script with no network interaction or sensitive data handling. It writes results to a local file specified by the user, posing a minor risk only if a malicious output path is provided (e.g., overwriting critical system files), which is a standard CLI risk. No `eval`, obfuscation, or hardcoded secrets found.
Updated: 2025-12-05 | GitHub
Low Cost

promptbook-mcp

by shoaibraza123

Sec1

This project is likely a server-side component or framework designed for developing and managing modifications (mods) within a Minecraft server environment, facilitating custom gameplay or features.

Setup Requirements

  • ⚠️Source code is not available for review, preventing identification of specific setup requirements, dependencies, or configuration parameters. Running this project would first require obtaining the source code.
  • ⚠️Based on its name, it likely requires a running Minecraft server environment or specific Minecraft-related development tools and dependencies.
Review Required
No source code was provided for analysis. A comprehensive security audit could not be performed. Running this project without access to and a thorough review of its source code is highly risky due to unknown vulnerabilities, potential malicious patterns, or hardcoded secrets.
Updated: 2026-01-19 | GitHub
Medium Cost
Sec8

Connects LLMs to real-time blockchain, crypto, and traditional market data via 38 Coin Railz micropayment services.

Setup Requirements

  • ⚠️Requires Coin Railz account and API key for most services (paid via credits or x402 protocol).
  • ⚠️Sends anonymous telemetry data to Coin Railz.
  • ⚠️Requires Python 3.10 or higher.
Verified Safe
The server relies on an external API (coinrailz.com) for all its functionality, meaning trust in the Coin Railz backend is essential. It handles the API key securely via environment variables and does not contain obvious code injection vulnerabilities like 'eval' or hardcoded secrets. It sends anonymous telemetry data to the Coin Railz backend, and automatically attempts to fetch a demo API key from Coin Railz if `COINRAILZ_API_KEY` is not set. While no direct security flaws were found in the provided local code, users should be aware of these external communications and the paid nature of most services.
Updated: 2025-12-14 | GitHub
Page 701 of 713