Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

43
19
Medium Cost
samerfarida icon

mcp-ssh-orchestrator

by samerfarida

Sec10

Provides secure, policy-driven SSH orchestration for AI agents to manage server infrastructure with audit logging, enforcing zero-trust principles.

Setup Requirements

  • ⚠️Requires Docker and Docker Compose v2+ installed locally.
  • ⚠️Requires manual creation and population of 'config', 'keys', 'secrets' directories with YAML files and SSH keys, although a 'setup.sh' script is provided to assist.
  • ⚠️Strict SSH key file permissions (e.g., '0400') and populating 'known_hosts' are mandatory for successful connections.
  • ⚠️Configuration of secrets via environment variables, '.env' files, or Docker secrets is required and should follow documented best practices for secure deployment.
Verified SafeView Analysis
The server implements a robust defense-in-depth security model. Critical features include: extensive input validation (length limits, null byte/control character rejection), command normalization and chain parsing to prevent obfuscation/chaining bypasses, hard-banned dangerous shell patterns, strict file path validation (no path traversal, no symlinks/directories for secrets/keys), file size limits for configurations, mandatory SSH host key verification (CWE-295 mitigated), IP allowlists/blocklists, DNS rate limiting and caching for DoS prevention, non-root container execution, and comprehensive structured JSON audit logging for all policy decisions and executions. Sensitive information is sanitized from user-facing error messages.
Updated: 2026-01-19GitHub
43
31
High Cost
qiniu icon
Sec3

Provides a Model Context Protocol (MCP) server that enables AI models to interact with Qiniu cloud services including storage, intelligent multimedia processing, CDN, and live streaming.

Setup Requirements

  • ⚠️Requires Python 3.12 or higher.
  • ⚠️Requires `uv` package manager for installation and execution.
  • ⚠️Requires Qiniu Cloud Access Key, Secret Key, Region Name, Endpoint URL, and a comma-separated list of configured buckets (or QINIU_LIVE_API_KEY for live streaming functionality) as environment variables.
  • ⚠️Users of Claude may encounter `Error: spawn uvx ENOENT` requiring the absolute path to `uvx` in the command.
Review RequiredView Analysis
CRITICAL: The `LiveStreamingService` in `src/mcp_server/core/live_streaming/live_streaming.py` explicitly prints HTTP request information, including the `Authorization` header containing API keys (either `QINIU_LIVE_API_KEY` or `QINIU_ACCESS_KEY`/`QINIU_SECRET_KEY`) directly to standard output. This is a severe security risk as it exposes sensitive credentials in logs or console output, which should never happen in a production environment. While environment variables are used for secrets, the service includes fallback placeholder values (e.g., `YOUR_QINIU_ACCESS_KEY`) if not configured, although this does not expose real secrets. No other malicious patterns, `eval` usage, or obvious obfuscation were found.
Updated: 2025-11-27GitHub
43
45
Medium Cost
metoro-io icon

metoro-mcp-server

by metoro-io

Sec8

The Metoro MCP Server allows LLM applications, specifically the Claude Desktop App, to interact with Kubernetes cluster observability data provided by the Metoro platform.

Setup Requirements

  • ⚠️Requires the Claude Desktop App to be installed and configured.
  • ⚠️Requires Golang to be installed for building the server executable.
  • ⚠️Requires a Metoro account (or access to the public demo cluster) and configuration of `METORO_AUTH_TOKEN` and `METORO_API_URL` environment variables.
Verified SafeView Analysis
The server correctly retrieves API credentials (Metoro API URL and Auth Token) from environment variables, which is a good security practice. Input validation is present for time ranges and metric attributes. There are internal limits on response sizes (e.g., 20 logs, 20 traces, 200KB for profiles) to prevent excessive data consumption. The README provides a publicly available demo token for the Metoro Live Demo Cluster; users must be careful not to confuse this with a personal, secure token when configuring access to their own Metoro accounts.
Updated: 2026-01-16GitHub
43
59
Medium Cost
hloiseau icon

mcp-gopls

by hloiseau

Sec8

Provides a Model Context Protocol (MCP) server for AI assistants to interact with Go code via gopls, offering navigation, diagnostics, testing, coverage, and refactoring capabilities.

Setup Requirements

  • ⚠️Requires Go 1.25+ to be installed locally.
  • ⚠️Requires `gopls` to be installed (e.g., `go install golang.org/x/tools/gopls@latest`).
  • ⚠️Requires manual configuration within your AI client (e.g., Cursor, Claude, GitHub Copilot) to point to the `mcp-gopls` binary and workspace.
  • ⚠️`--workspace` flag should be an absolute path to your Go project root.
Verified SafeView Analysis
The server's core function is to execute external Go tools (gopls, go test, go mod tidy, govulncheck) based on inputs from an AI client. This inherently involves running subprocesses with arguments derived from potentially untrusted AI input. The project mitigates direct shell injection by using `exec.Command` directly (not through a shell) and includes some path sanitization. It explicitly sets `GOTOOLCHAIN=local` for its child processes, which is good practice. The security largely depends on the trustworthiness of the AI client and the environment's `PATH` configuration. No obvious hardcoded secrets, 'eval' usage, or blatant malicious patterns were found, justifying its primary purpose as a developer tool.
Updated: 2026-01-07GitHub
43
26
High Cost
kumo-ai icon

kumo-rfm-mcp

by kumo-ai

Sec9

An MCP server enabling AI assistants to query KumoRFM for training-free predictions, evaluations, and explanations on relational multi-table data by interpreting it as a temporal heterogeneous graph.

Setup Requirements

  • ⚠️Python 3.10+ required for the traditional server installation.
  • ⚠️KumoRFM API Key required for authentication (can be generated for free, but is a necessary prerequisite).
  • ⚠️Requires internet access to interact with the KumoRFM model API.
Verified SafeView Analysis
The server uses standard practices for dependency management and API key handling, explicitly prompting for `KUMO_API_KEY` via environment variable or OAuth2. No 'eval', obfuscation, or hardcoded secrets were found. Communication defaults to standard input/output (stdio), which is generally secure for local agent interaction, reducing direct network attack surface. Local file system access for reading CSV/Parquet files is an inherent and necessary part of its data processing functionality; potential risks from file operations would primarily stem from an agent being prompted to misuse file path arguments for unauthorized access, rather than a vulnerability in the server's code itself. The use of `uv` for virtual environment management is a robust practice.
Updated: 2026-01-16GitHub
43
39
Low Cost
truss44 icon
Sec9

Provides real-time price data, market analysis, and historical trends for cryptocurrencies using the CoinCap API.

Setup Requirements

  • ⚠️Requires a CoinCap API Key for reliable and future-proof operation, as the v2 API (used by default without a key) is being deprecated.
  • ⚠️Requires Node.js version 18.0.0 or higher.
  • ⚠️Requires an MCP-compatible client like Claude Desktop or Smithery to interact with the server effectively.
Verified SafeView Analysis
The server uses `process.env.COINCAP_API_KEY` for API key management, which is a secure practice. Input validation is performed using `zod` schemas, preventing malformed requests. Network requests are made via `fetch` to the CoinCap API and include robust error handling. No 'eval' or obvious malicious patterns were found. The project also employs SSH commit signing, indicating good development security practices.
Updated: 2026-01-19GitHub
43
22
Low Cost
alexanderop icon

mcp-server-starter-ts

by alexanderop

Sec6

A minimal TypeScript starter template for building Model Context Protocol (MCP) servers, enabling AI applications to connect with data sources and tools through a standardized interface.

Setup Requirements

  • ⚠️Requires Node.js version 20.11.0 or higher.
  • ⚠️Requires compiling TypeScript code (`npm run build`) before running the server.
  • ⚠️A manual MCP protocol handshake (initialize request + initialized notification) is required for full functionality when interacting with the server directly via stdio or custom clients.
Verified SafeView Analysis
The server defaults to allowing all CORS origins (`CORS_ORIGIN=*`) when run in HTTP mode. While configurable via environment variables, this default setting poses a significant security risk (e.g., CSRF vulnerabilities) for production deployments and should be restricted to known, trusted origins. No other direct 'eval', hardcoded secrets, or command injection vulnerabilities were found in the provided source code. Input validation for tools and prompts is handled using Zod schemas.
Updated: 2025-12-10GitHub
43
37
Low Cost
apvlv icon
Sec1

Enables AI assistants (like Claude) to directly control and interact with DaVinci Resolve for video editing and post-production tasks via the Model Context Protocol.

Setup Requirements

  • ⚠️Requires DaVinci Resolve Studio (version 17 or higher) - a paid, professional software.
  • ⚠️Requires the `mcp` CLI tool for installation.
  • ⚠️Requires Claude Desktop or 5ire for AI integration.
Review RequiredView Analysis
CRITICAL: The `execute_python` tool allows arbitrary Python code execution on the host machine, granting full system access if the AI or client is compromised or misused. The `execute_lua` tool similarly allows arbitrary Lua script execution within DaVinci Resolve's Fusion environment. This constitutes a severe security vulnerability.
Updated: 2025-12-06GitHub
43
4
Medium Cost
pawneetdev icon

rest-to-mcp-adapter

by pawneetdev

Sec9

Transforms REST API specifications (OpenAPI, Swagger, OpenAPI Actions) into Model Context Protocol (MCP) tools, enabling AI agents like Claude and GPT to interact with any REST API.

Setup Requirements

  • ⚠️Requires Python 3.11+ (as stated in README).
  • ⚠️Currently in beta status (v0.1.0), meaning the API may evolve and require updates.
  • ⚠️Requires users to provide API keys, bearer tokens, or other credentials for most real-world API integrations.
Verified SafeView Analysis
The codebase demonstrates good security practices including `yaml.safe_load`, proper JSON parsing, robust URL validation, and explicit handling of circular `$ref` references during spec dereferencing. It explicitly advises against logging credentials and for secure storage (e.g., environment variables). External `$ref` support is intentionally disabled due to security considerations. Authentication parameters are automatically filtered from user-facing tool schemas.
Updated: 2025-11-27GitHub
43
34
Medium Cost
Muvon icon

octomind

by Muvon

Sec2

Session-first AI development assistant with built-in Model Context Protocol (MCP) tools and multi-provider LLM support for interactive coding, file management, and web research.

Setup Requirements

  • ⚠️Requires API keys for chosen LLM providers (e.g., OpenRouter, OpenAI, Anthropic) and Brave Search API key, typically for paid services.
  • ⚠️Relies on external binaries `ripgrep` (for `list_files`) and `ast-grep` (`sg`) (for `ast_grep`); must be installed manually on Windows or via provided `install.sh` script on Linux/macOS.
  • ⚠️OAuth-enabled external MCP servers require initial browser interaction for authentication.
Review RequiredView Analysis
CRITICAL: The `shell()` tool, when invoked by the AI, executes arbitrary commands directly on the host system without human confirmation. While the CLI `octomind shell` command offers a `--yes` flag to skip a prompt, the AI-invoked tool does not expose such a safeguard. This allows an AI agent to execute potentially malicious or destructive commands without user intervention. File manipulation tools (`text_editor`, `batch_edit`, `extract_lines`) are designed with some safety (e.g., no overwrite by `create`, history for `undo_edit`), but direct file system access by an autonomous agent carries inherent risks. External command execution tools (`list_files` with `ripgrep`, `ast_grep` with `sg`) could also be misused. API keys are handled securely via environment variables or OAuth.
Updated: 2026-01-17GitHub
43
24
Medium Cost
themesberg icon

flowbite-mcp

by themesberg

Sec9

Enables AI assistants to create UI components using the Flowbite library and generate custom Tailwind CSS themes.

Setup Requirements

  • ⚠️Requires a Figma personal access token (`FIGMA_ACCESS_TOKEN`) to use the 'Figma to code' tool.
  • ⚠️Different client configurations are needed for `stdio` (default for CLI) vs. `http` (for server deployments) transport modes.
  • ⚠️Running locally requires `npm install` and `npm run build` or `npx` for a simpler startup.
Verified SafeView Analysis
The server primarily handles API calls to Figma (with an environment variable token) and internal data processing for theme generation. User-provided URLs for Figma are sanitized using `encodeURIComponent` before being used in API requests. File paths for data loading are constructed from internal application paths, limiting exposure. No direct 'eval' or obvious malicious patterns were found. Logging of requests and responses is implemented. The Docker setup mounts data as read-only, enhancing security.
Updated: 2026-01-04GitHub
43
32
Medium Cost
kelvin6365 icon

plane-mcp-server

by kelvin6365

Sec9

Enables LLMs to interact with Plane.so to manage projects and issues through its API, facilitating project management workflows.

Setup Requirements

  • ⚠️Requires a Plane.so API Key and Workspace (obtained from a Plane.so account)
  • ⚠️Requires Node.js 22.x or higher
Verified SafeView Analysis
The server securely loads API keys and workspace slugs from environment variables, preventing hardcoding. It explicitly checks for the presence of required environment variables (`PLANE_API_KEY`, `PLANE_WORKSPACE_SLUG`). Input schemas are defined for tools, and additional runtime checks are performed on critical arguments like `project_id`. The `create-issue` and `update-issue` tools include robust logic to handle potentially malformed `assignees` input from LLMs, reducing the risk of invalid data being sent to the Plane API. All external API calls are made using `fetch` with proper error handling. No `eval` or other dynamic code execution is observed.
Updated: 2025-12-06GitHub
PreviousPage 72 of 713Next