Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (8554)

100
1533
Low Cost

toolhive

by stacklok

Sec9

ToolHive simplifies and secures the deployment, management, and orchestration of Model Context Protocol (MCP) servers, integrating them with AI clients and providing features like authentication, authorization, and observability.

Setup Requirements

  • ⚠️ Requires Kubernetes (e.g., Kind) for operator and authenticated Keycloak setup.
  • ⚠️ Requires Docker, Podman, or Colima for local MCP server execution.
  • ⚠️ Requires Go (1.25+) and Task for development and building.

Verified Safe
ToolHive demonstrates a strong commitment to security through container-based isolation, OIDC/OAuth2 authentication, Cedar policy-based authorization, and secure secret management (e.g., Kubernetes SecretKeyRef, TOOLHIVE_SECRET_ environment variable prefix). It explicitly avoids sensitive data in error messages and includes proposals like `.thvignore` for secure volume mounts. The architecture for Virtual MCP servers includes a zero-trust model with distinct authentication boundaries and per-backend token exchange to minimize blast radius. No 'eval' or obvious malicious patterns were found.
Updated: 2026-01-19

100
2002
Low Cost

Unla

by AmoyLab

Sec6

Transforms existing MCP Servers and APIs into MCP protocol-compliant endpoints through configuration, enabling LLM tool calling without code changes.

Setup Requirements

  • ⚠️ Requires Docker for quick setup; alternative deployments exist but are more complex.
  • ⚠️ Critical environment variables (e.g., JWT secret key, admin credentials) must be securely set and not left as default values.
  • ⚠️ Users need a foundational understanding of the Model Context Protocol (MCP) to effectively configure and utilize the gateway.
  • ⚠️ Configuration is driven by YAML files, requiring users to be familiar with YAML syntax and the specific schema for defining routers, servers, tools, and prompts.

Verified Safe
The system's core functionality relies on processing user-provided YAML configurations and OpenAPI specifications to dynamically build API tools. This design choice, while flexible, significantly shifts the security burden to ensuring the integrity and proper validation of these configurations. Malicious configurations or OpenAPI imports could lead to Server-Side Request Forgery (SSRF), data exfiltration, or injection vulnerabilities if templated fields (e.g., endpoint URLs, request/response bodies, headers) are not thoroughly sanitized and validated against internal access or unintended external interactions. The use of environment variables for sensitive data like JWT secrets and admin passwords is good practice, and authentication/authorization mechanisms are present for management APIs. However, the code using Go templates (`text/template` not `html/template`) for dynamic content requires careful auditing to prevent content injection. The `toJSON` function used for arguments in request bodies, if not securely implemented, could also pose a risk.
Updated: 2026-01-19

100
2912
High Cost
Sec8

Enables LLMs to perform cloud browser automation tasks such as navigating, interacting with elements, extracting data, and capturing screenshots on web pages.

Setup Requirements

  • ⚠️ Requires a Browserbase API Key (Browserbase is a paid cloud service).
  • ⚠️ Requires a Browserbase Project ID.
  • ⚠️ Requires an LLM API Key (e.g., GEMINI_API_KEY for the default Gemini model, or a custom API key like ANTHROPIC_API_KEY or OPENAI_API_KEY if configuring a different model via `--modelApiKey`). LLM usage will incur costs from the respective provider.
  • ⚠️ Advanced Stealth mode is restricted to Browserbase Scale Plan users.

Verified Safe
The server correctly uses environment variables for API keys, preventing hardcoding of sensitive data. It explicitly warns users about the security implications of binding the SHTTP server to '0.0.0.0'. No direct use of `eval` or other dangerous code execution patterns was identified. The overall security relies on securely managing the provided API keys for Browserbase and the integrated LLMs.
Updated: 2025-12-10

100
2088
Low Cost

sandbox

by agent-infra

Sec3

An all-in-one agent sandbox environment offering unified browser, shell, file, Jupyter, VSCode, and MCP operations for AI agents and developers.

Setup Requirements

  • ⚠️ Requires Docker, specifically with `--security-opt seccomp=unconfined`, which disables a host security feature and increases risk.
  • ⚠️ Python >= 3.13 is required for the evaluation framework (though SDK might support older).
  • ⚠️ The evaluation framework relies on `uv` package manager.
  • ⚠️ An OpenAI API Key (a paid service) is needed if using the Azure OpenAI Agent Loop for evaluation.

Review Required
The server is designed to execute arbitrary code (Python, Node.js, shell commands, browser automation), which is inherently high-risk. The recommended Docker run command uses `--security-opt seccomp=unconfined`, disabling a critical host security feature. This removes a layer of defense against container escapes and makes the host system less secure if the container is exploited. Running untrusted AI agent code within such an environment, especially with disabled seccomp, poses a significant security risk to the underlying host.
Updated: 2026-01-19

100
11161
Low Cost

fastapi_mcp

by tadata-org

Sec9

Automatically converts FastAPI endpoints into Model Context Protocol (MCP) tools for seamless integration with LLM agents.

Setup Requirements

  • ⚠️ Requires Python 3.10+ (Python 3.12+ recommended).
  • ⚠️ FastAPI routes should ideally define explicit `operation_id` for clearer MCP tool names.
  • ⚠️ OAuth authentication (if configured with `AuthConfig`) requires providing client IDs/secrets and potentially proxying external OAuth provider URLs, with security depending on the trustworthiness of the external OAuth service.

Verified Safe
The library primarily uses secure practices, including ASGI transport for internal FastAPI communication and `httpx` for external HTTP requests. OAuth proxying features rely on user-provided URLs (e.g., `metadata_url`, `authorize_url`), which places the responsibility for trusting external services on the developer. No 'eval' or direct malicious patterns were identified in the source code.
Updated: 2025-11-24

100
25687
Medium Cost

playwright-mcp

by microsoft

Sec6

Provides a Model Context Protocol (MCP) server for LLMs to automate browser interactions using Playwright's accessibility tree, avoiding pixel-based vision models.

Setup Requirements

  • ⚠️ Requires Node.js 18 or newer.
  • ⚠️ Connecting to an existing browser instance requires installing the 'Playwright MCP Bridge' Chrome/Edge extension manually in developer mode, which is a friction point.
  • ⚠️ Bypassing the extension's connection approval dialog requires copying an authentication token from the extension UI and setting it as the PLAYWRIGHT_MCP_EXTENSION_TOKEN environment variable in the client's configuration.

Verified Safe
The server's core functionality involves powerful browser automation, including tools like 'browser_evaluate' and 'browser_run_code' that allow arbitrary JavaScript or Playwright code execution within the browser context. If an LLM's output is not carefully validated, this could lead to unintended or malicious actions in the browser. The '--allow-unrestricted-file-access' option, though false by default, can expose the local filesystem if enabled. The browser extension component restricts connections to loopback addresses (127.0.0.1 or [::1]), which is a good security measure, and uses an authentication token to prevent unauthorized connections.
Updated: 2026-01-16

100
3742
Low Cost

mcpo

by open-webui

Sec7

Exposes Model Context Protocol (MCP) tools as OpenAPI-compatible HTTP servers.

Setup Requirements

  • ⚠️ Requires Python 3.11+
  • ⚠️ Requires the proxied MCP server command/tool to be installed and available in the environment.
  • ⚠️ OAuth token storage in `~/.mcpo/tokens/` is plaintext and relies on OS-level permissions for security.

Verified Safe
The core functionality involves executing user-provided commands for MCP servers. While this is by design, it introduces a significant arbitrary code execution risk if `mcpo` is deployed with high privileges and its configuration (CLI arguments or config file) can be controlled by untrusted entities. Strong authentication (`--api-key`) and network segmentation are crucial for secure deployment. Default host `0.0.0.0` and `cors_allow_origins='*'` are permissive but configurable. OAuth tokens, when using file storage, are stored in plaintext in `~/.mcpo/tokens/` and rely on OS-level file permissions for security, as noted in the documentation.
Updated: 2025-12-08

99
875
Medium Cost

mcp-neo4j

by neo4j-contrib

Sec9

The MCP Neo4j Cypher server enables AI models to interact with a Neo4j graph database, execute Cypher queries (read and write), explore the graph schema, and manage query performance and response sizes.

Setup Requirements

  • ⚠️ Requires a running Neo4j database instance with connection details (URI, username, password).
  • ⚠️ The 'get_neo4j_schema' tool requires the APOC plugin to be installed and enabled in the Neo4j database.
  • ⚠️ Python 3.10 or higher is required.

Verified Safe
The server implements robust security measures including configurable CORS and Trusted Host middleware for HTTP/SSE transports, and a 'read-only' mode to prevent write operations. Secrets like Neo4j password are primarily sourced from environment variables, with explicit guidance to use secure mechanisms like AWS Secrets Manager. A default 'password' exists in the code if environment variables are not set, which could be a misconfiguration risk for non-production environments but is clearly intended for local development.
Updated: 2026-01-12

99
1015
Medium Cost

Awesome-MCP-Servers

by YuzeHao2023

Sec3

Cataloging and describing Model Context Protocol (MCP) servers, tools, frameworks, clients, and utilities, which enable AI models to interact with various local and remote resources.

Setup Requirements

  • ⚠️ MCP servers can execute arbitrary code on the host without proper sandboxing, posing significant security risks.
  • ⚠️ Requires running servers in VMs or isolated containers for untrusted implementations.
  • ⚠️ Requires careful review of server code and configuration prior to deployment.

Review Required
The provided source code (README files) explicitly contains a critical security warning regarding running MCP servers. It states that without proper sandboxing, MCP servers can execute arbitrary code on the host system with full permissions (files, network, system resources), leading to code execution, prompt injection, and data exposure. Best practices emphasize running servers in VMs or isolated containers, reviewing code and configuration, limiting permissions, and monitoring activity. This security score reflects the inherent risks of running an *unsecured* generic MCP server as described in the documentation, not the documentation repository itself.
Updated: 2026-01-15

99
807
Medium Cost

golf

by golf-mcp

Sec4

A Python framework for building conversational AI servers (MCP servers) by defining tools, resources, and prompts as modular Python files, with integrated authentication, telemetry, and LLM interaction utilities.

Setup Requirements

  • ⚠️ Requires Python 3.10+ (minimum 3.8+ as per `pyproject.toml`) for optimal functionality.
  • ⚠️ Relies on `fastmcp>=2.14.0` as a core, tight dependency.
  • ⚠️ Authentication can be complex to configure (supporting JWT, OAuth Server, API Key, and Static Tokens) and often requires specific environment variables (`auth.py` and `.env` configuration) for production deployments.

Review Required
The example `calculator.py` tool (generated by default with `golf init`) uses `eval()` to evaluate mathematical expressions. While it includes a basic character whitelist, `eval()` is inherently dangerous and, if exposed to untrusted input (e.g., from an LLM generating malicious input or a direct API call), it poses a critical remote code execution vulnerability. For production environments, this tool should be removed or replaced with a safer expression parser. Other `exec()` and `subprocess` calls within the framework are for executing trusted local project files during the build/run process, which is generally acceptable. Telemetry uses a public API key and explicitly disables IP address collection.
Updated: 2026-01-17

99
982
High Cost

openops

by openops-cloud

Sec7

OpenOps is a No-Code FinOps automation platform that helps organizations reduce cloud costs, streamline financial operations, and automate key FinOps processes through customizable workflows and AI capabilities.

Setup Requirements

  • ⚠️ Requires Docker and Docker Compose for local or self-hosted deployments.
  • ⚠️ Critical: For self-hosted deployments, manual generation and configuration of sensitive environment variables (e.g., OPS_ENCRYPTION_KEY, OPS_JWT_SECRET, admin passwords) are required, as placeholders are provided.
  • ⚠️ Requires Node.js versions 18 or 20 for development setup.
  • ⚠️ Cloud provider (AWS, Azure, GCP) credentials/service accounts are necessary for activating respective integration blocks.

Verified Safe
The platform inherently executes external commands for integrations (e.g., `gcloud`, `az`, `aws`) using `child_process.spawn` and `execFile`. `eval` is utilized for dynamic module loading of blocks in development mode, which is a potential risk but restricted to that context. Hardcoded secrets in `deploy/helm/openops/values.yaml` are explicitly marked as placeholders (`please-change-this-secret`) requiring user replacement, which is a good practice. `docker-entrypoint.sh` and `tools/link-packages.sh` perform sensitive actions like `npm install` and `rm -rf node_modules`, typically executed in trusted build/deployment environments.
Updated: 2026-01-19

99
1008
Medium Cost
Sec9

Facilitates AI agent interaction with Kubernetes and OpenShift clusters by exposing management and observability tools via the Model Context Protocol.

Setup Requirements

  • ⚠️ Requires access to a Kubernetes or OpenShift cluster with `kubectl` installed and configured.
  • ⚠️ Initial setup of a dedicated ServiceAccount and RBAC (requiring cluster-admin permissions) is highly recommended for secure operation.
  • ⚠️ If enabling the Kiali toolset, a Kiali instance must be running and its URL (and optionally a CA certificate path) must be configured.
  • ⚠️ ServiceAccount tokens are time-bound and will require periodic renewal for long-running operations.

Verified Safe
The server is implemented in Go, directly interacting with the Kubernetes API, which is generally more secure than shell-based wrappers. It features robust OAuth/OIDC authentication with token exchange capabilities, can enforce read-only operation, and allows disabling destructive tools. A critical security feature is the `AccessControlRoundTripper` which enables fine-grained denial of specific Kubernetes resources at the API proxy level, regardless of the ServiceAccount's broader permissions. Deployment guides recommend using dedicated, least-privileged ServiceAccounts. Sensitive data redaction in logs is also implemented. The main binaries are distributed via npm/PyPI wrappers that `spawn` the native Go executable, which is a common and acceptable pattern for such distributions. No direct 'eval' or obvious malicious patterns were found.
Updated: 2026-01-19