Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

42
14
Low Cost
janwilmake icon

install-this-mcp

by janwilmake

Sec4

The tool generates comprehensive, client-specific installation guides for remote Model Context Protocol (MCP) servers, reducing friction for server maintainers.

Setup Requirements

  • ⚠️Only supports remote MCP servers, local MCPs are out of scope.
  • ⚠️Only supports public MCPs (without auth) or MCPs with OAuth, API key-based authentication is not supported.
  • ⚠️Relies on the availability and content of '.well-known/mcp' metadata from the provided MCP server URL.
Verified SafeView Analysis
The Cloudflare Worker fetches metadata (MCPServerCard) from a user-provided MCP URL. Fields like `description` and `instructions` from this metadata are directly embedded into the generated HTML with minimal sanitization (only Markdown-like replacements for `**` to `<strong>` and `\n` to `<br>`). This creates a Reflected Cross-Site Scripting (XSS) vulnerability, as a malicious MCP server could inject arbitrary HTML or JavaScript into these fields, which would then execute in the user's browser when they view the generated guide. Additionally, the `serverIcon` URL is directly inserted into an `<img>` tag without URL encoding, potentially allowing XSS via crafted `javascript:` URLs if the icon source is malicious. While no `eval` or hardcoded secrets are present, this vulnerability due to improper input sanitization for dynamically generated content is critical.
Updated: 2025-11-30GitHub
42
25
Low Cost
Kyure-A icon
Sec8

Controls Svakom Sam Neo sex toys by bridging Model Context Protocol (MCP) commands to the Buttplug protocol for device interaction.

Setup Requirements

  • ⚠️Requires a local Buttplug server running and accessible at `ws://localhost:12345`.
  • ⚠️Requires a Svakom Sam Neo device (Original, Neo 2, or Neo 2 Pro) connected to the Buttplug server.
  • ⚠️Requires Node.js and pnpm to install dependencies and run the server.
Verified SafeView Analysis
The server connects to a local Buttplug server via websocket (`ws://localhost:12345`), limiting direct external network exposure. There are no apparent hardcoded sensitive credentials or direct calls to external APIs. Debugging information is logged to `console.error`. The use of `ActuatorType: "Constrict" as any` is a type safety workaround but not a direct security vulnerability. The overall security relies heavily on the local Buttplug server's configuration and security.
Updated: 2025-12-11GitHub
42
16
Low Cost
bonigarcia icon

context-engineering

by bonigarcia

Sec8

Provides a Model Context Protocol (MCP) server that enables AI agents to control a web browser using Selenium for web automation tasks.

Setup Requirements

  • ⚠️Requires Node.js to be installed locally.
  • ⚠️Requires a local web browser (e.g., Chrome, Firefox) to be installed.
  • ⚠️The server does not directly incur LLM token costs as it is a tool provider, not an LLM itself.
Verified SafeView Analysis
The server itself runs locally and communicates via standard input/output (stdin/stdout), which significantly limits direct network exposure. Input validation for tool parameters (like 'url' for 'navigate_url' and 'browser_name' for 'open_browser') is handled by Zod. However, the core functionality involves controlling a local web browser via Selenium. If this server were exposed to untrusted or unsanitized external inputs (e.g., through a poorly secured wrapper API), an attacker could potentially instruct the local browser to visit malicious websites, scrape sensitive information from pages it navigates to, or trigger browser-specific vulnerabilities. The risk is primarily in the capabilities exposed (browser control) rather than internal code vulnerabilities like 'eval' or hardcoded secrets, which are not present.
Updated: 2026-01-19GitHub
42
12
Low Cost
ssssota icon

chapplin

by ssssota

Sec8

A framework for building type-safe ChatGPT Apps using the OpenAI Apps SDK with JSX-based UI rendering, streamlining the development and build process for Model Context Protocol (MCP) servers.

Setup Requirements

  • ⚠️Requires familiarity with the OpenAI Apps SDK and Model Context Protocol for effective application development.
  • ⚠️Requires Node.js (version >=18) and pnpm as the package manager for installation and development.
  • ⚠️Developers need to be proficient with TypeScript and JSX syntax, choosing a UI library (React, Preact, Hono JSX, or SolidJS) for widget development.
Verified SafeView Analysis
The `chapplin` framework itself doesn't expose glaring runtime security vulnerabilities in its core logic, relying on established server (Hono, Express) and build (Vite, Rollup) technologies. The build process involves parsing and transforming developer-provided code (e.g., JSX components into HTML widgets), which is a common pattern in build tools but carries inherent risks if not handled securely or if underlying dependencies have flaws. No direct use of `eval` or hardcoded secrets found within the provided source code for the framework's runtime. Environment variables like `OPENAI_API_KEY` would be critical for applications built with `chapplin` to interact with OpenAI services, but are not directly required by the framework's core to function.
Updated: 2026-01-19GitHub
42
184
Medium Cost
huggingface icon

hf-mcp-server

by huggingface

Sec7

The Hugging Face MCP Server acts as a universal adapter, allowing various LLM clients (like Claude, Gemini, VSCode, Cursor) to interact with the Hugging Face Hub, Gradio applications, and other Hugging Face services through a standardized Model Context Protocol (MCP) interface.

Setup Requirements

  • ⚠️Requires a Hugging Face API Token (`DEFAULT_HF_TOKEN` or `HF_TOKEN`) for most functionalities, especially authenticated operations and higher rate limits.
  • ⚠️Relies heavily on external Hugging Face APIs; network connectivity to `huggingface.co` and `*.hf.space` is essential.
  • ⚠️Local execution requires Node.js (>=18) and pnpm, or Docker as an alternative.
Verified SafeView Analysis
The server's design focuses on proxying and facilitating interactions with external Hugging Face APIs and Gradio Spaces. It handles authentication via Hugging Face tokens, which can be provided in the Authorization header or as a `DEFAULT_HF_TOKEN` environment variable. The `start.sh` script explicitly warns about the security implications of `DEFAULT_HF_TOKEN`, indicating awareness of this risk. Extensive network interactions occur with `huggingface.co` and `*.hf.space`. CORS is configured with a default allowlist but is overrideable via environment variables. Input validation for tool calls is performed using `zod` schemas, mitigating common injection risks. While the server constructs commands for remote job execution (e.g., `uv run` commands for the Hugging Face Jobs API), it does not execute these commands locally, shifting that security boundary to the remote Hugging Face Jobs platform. No direct instances of `eval()` for local server execution were found. The primary security considerations for operators revolve around secure management of Hugging Face API tokens and careful configuration of environment variables, especially `DEFAULT_HF_TOKEN` and `CORS_ALLOWED_ORIGINS`.
Updated: 2025-12-18GitHub
42
1
Medium Cost
auth-agent icon

mcp-auth

by auth-agent

Sec2

Provides an OAuth 2.1 authorization server for Model Context Protocol (MCP) servers, enabling secure authentication for AI agents interacting with third-party APIs like Adobe Premiere Pro.

Setup Requirements

  • ⚠️Requires a Cloudflare account for deployment and operation of the OAuth server.
  • ⚠️Requires a Supabase account for the PostgreSQL database backend.
  • ⚠️For the Adobe Premiere Pro integration, Adobe Premiere Pro (24.4+) must be installed and the corresponding UXP/CEP extension configured.
  • ⚠️Requires `wrangler` CLI for deploying the Cloudflare Worker.
Review RequiredView Analysis
The example `mcp-adobe-premiere-pro` server's UXP plugin (`uxp-plugin/bridge.js`) uses `eval(script)` and `app.executeExtendScript(script)` to execute arbitrary ExtendScript code received from command files. These commands are generated by the `PremiereProTools` class based on tool calls from AI agents. This design presents a critical remote code execution vulnerability if an attacker can inject malicious script fragments into tool arguments, bypassing `zod` validation or exploiting vulnerabilities in script string construction. The core `mcp-auth` OAuth server itself demonstrates good security practices (PBKDF2 hashing, JWT signing, PKCE, secure secret management, HTTPS). However, the presence of `eval` in the provided example, meant to be used with this authorization server, significantly lowers the overall safety score.
Updated: 2025-11-28GitHub
42
11
Medium Cost
aserper icon

doc-mcp-server

by aserper

Sec5

Provides real-time access to up-to-date documentation from various package ecosystems (PyPI, npm, GitHub, etc.) for LLM-powered coding agents, mitigating hallucination and outdated information.

Setup Requirements

  • ⚠️Requires Python 3.10 or higher.
  • ⚠️GitHub API rate limits are severely restricted (60 requests/hour) without a GITHUB_TOKEN or GitHub CLI ('gh') authentication configured via GITHUB_AUTH.
  • ⚠️Processing unverified external content carries inherent security risks, mitigated by 'RTFD_FETCH=false' or 'VERIFIED_BY_PYPI=true' but requiring explicit user configuration.
Review RequiredView Analysis
The server is designed to fetch and process potentially unverified content from external sources (PyPI, npm, GitHub, web scraping), which inherently introduces risks of indirect prompt injection and malicious code execution, as explicitly warned by the project itself. While it uses httpx and subprocess.run (for 'gh' CLI) in a controlled manner, the core function involves ingesting untrusted data. Mitigations like 'RTFD_FETCH=false' (disables all content fetching) and 'VERIFIED_BY_PYPI=true' (restricts Python packages to verified sources) are available but require explicit configuration by the user.
Updated: 2026-01-16GitHub
42
21
Low Cost
mafzaal icon

d365fo-client

by mafzaal

Sec7

This server provides a Model Context Protocol (MCP) interface for a D365 F&O client, enabling AI assistants and other MCP-compatible tools to interact with Microsoft Dynamics 365 Finance & Operations environments for metadata retrieval, CRUD operations, action execution, and data querying.

Setup Requirements

  • ⚠️Requires D365 F&O environment URL and configured Azure AD authentication (client_id/secret/tenant_id or DefaultAzureCredential).
  • ⚠️Python 3.8+ is required.
Verified SafeView Analysis
The MCP server incorporates authentication mechanisms (API Key or Azure AD) which are crucial for its security. The core client handles D365 F&O authentication securely (Azure Default Credentials or client_id/secret/tenant_id via environment or Key Vault). However, the `d365fo_execute_sql` tool within the MCP server exposes direct SQL querying capabilities to the underlying SQLite metadata cache. While there's a `_validate_query_safety` mechanism mentioned, exposing raw SQL via an API, even to a local cache, is inherently a high-risk surface area if not perfectly implemented and contained. Deploying the MCP server over HTTP/SSE with inadequate network access controls or weak authentication could lead to unauthorized data access or manipulation of the metadata cache. Ensure strong authentication is enabled and only trusted entities can access the MCP server's endpoints.
Updated: 2026-01-19GitHub
42
21
High Cost
xorrkaz icon

cml-mcp

by xorrkaz

Sec6

Enables AI assistants to interact with and automate Cisco Modeling Labs (CML) network lab operations using natural language.

Setup Requirements

  • ⚠️Requires Python 3.12 or later.
  • ⚠️CLI command execution on CML nodes requires PyATS to be installed (use `cml-mcp[pyats]` extra) and additional device credentials (PYATS_USERNAME, PYATS_PASSWORD, PYATS_AUTH_PASS).
  • ⚠️Windows users need Windows Subsystem for Linux (WSL) or Docker for PyATS-based CLI command support.
  • ⚠️When using HTTP transport mode, MCP clients require Node.js and the 'mcp-remote' bridge to connect, and must send CML credentials via HTTP headers (Base64 encoded).
Verified SafeView Analysis
The `send_cli_command` tool allows direct execution of CLI commands on running CML nodes. This poses a significant risk for command injection on target network devices if the AI is unconstrained or if the commands are not properly sanitized. The server's HTTP transport mode supports client-provided CML server URLs, but attempts to validate them against `CML_ALLOWED_URLS` or `CML_URL_PATTERN` to prevent SSRF. Credentials for CML and PyATS are handled via environment variables (for stdio mode) or HTTP headers (for HTTP mode), and the ACL feature in HTTP mode allows for granular control over tool access.
Updated: 2026-01-16GitHub
42
29
Medium Cost
tandemai-inc icon

rdkit-mcp-server

by tandemai-inc

Sec1

Enables language models to interact with RDKit cheminformatics functions through a Model Context Protocol server.

Setup Requirements

  • ⚠️Requires an OpenAI API Key for the CLI client and evaluations (paid service).
  • ⚠️RDKit installation via `pip` can sometimes be challenging due to dependencies; `conda` might be a more stable alternative.
  • ⚠️Requires the local RDKit MCP server to be running before the client can connect.
Review RequiredView Analysis
CRITICAL: The `decode_mol` function uses `pickle.loads` on client-provided data (`PickledMol`), which can lead to arbitrary code execution if a malicious pickle string is supplied. CRITICAL: Several tools (`mol_to_sdf`, `mol_to_pdb`, `MolToFile`, `MolsMatrixToGridImage`, `MolToImage`) accept an arbitrary `file_dir` path, allowing an attacker to write files anywhere on the server's filesystem. The server also disables DNS rebinding protection.
Updated: 2026-01-16GitHub
42
22
High Cost
CognitionAI icon

metabase-mcp-server

by CognitionAI

Sec8

Enables AI assistants to interact with and manage Metabase's analytics platform by providing comprehensive API access through a Model Context Protocol server.

Setup Requirements

  • ⚠️Requires a running Metabase instance.
  • ⚠️Requires Node.js 20.19.0+ and npm 8.0.0+ for optimal compatibility.
  • ⚠️Metabase authentication details (either `METABASE_API_KEY` or `METABASE_USERNAME` and `METABASE_PASSWORD`) must be explicitly provided via environment variables.
Verified SafeView Analysis
The primary execution path (via `npx` or `docker`) correctly enforces the use of environment variables for Metabase credentials, preventing accidental exposure. However, an alternative/example `sse-server.js` file, which is not part of the standard deployment, contains hardcoded default Metabase admin credentials (`admin@metabase.local`, `MetabaseAdmin2024!`) and an `Access-Control-Allow-Origin: '*'` header. Its direct execution without overriding these defaults would pose a significant security risk. The extensive API access provided (including write operations) requires careful management of permissions on the connected Metabase instance.
Updated: 2026-01-15GitHub
42
5
Low Cost
danielealbano icon
Sec9

This MCP server enables LLM agents to manage Azure DevOps Boards by creating, updating, querying, and linking work items, as well as listing teams, boards, and iteration paths.

Setup Requirements

  • ⚠️Requires Azure CLI (`az login`) for authentication prior to running the server.
  • ⚠️Running in HTTP server mode (`--server`) binds to `0.0.0.0`, exposing it to the network. Ensure appropriate firewall rules are in place.
  • ⚠️The WIQL query tool (`azdo_query_work_items_by_wiql`) allows direct execution of Work Item Query Language, which an LLM should use carefully to avoid unintended results.
Verified SafeView Analysis
The server leverages Azure CLI's `az login` for authentication, securely offloading credential management. The HTTP server mode binds to `0.0.0.0`, which means it listens on all network interfaces; users should ensure proper network security (e.g., firewall) if enabling this mode. The `azdo_query_work_items_by_wiql` tool executes raw WIQL queries, which is powerful but requires careful use by the calling agent to prevent unintended data exposure or manipulation. Other query tools construct WIQL safely.
Updated: 2025-12-07GitHub
PreviousPage 78 of 713Next