Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

99
809
Medium Cost
microsoft icon

wassette

by microsoft

Sec9

A security-oriented runtime that runs WebAssembly Components via the Model Context Protocol (MCP), enabling AI agents to securely extend their capabilities with sandboxed tools.

Setup Requirements

  • ⚠️Requires Rust toolchain (1.75.0+ with wasm32-wasip2 target) for building Rust components.
  • ⚠️Python components require `uv` and `componentize-py` tooling.
  • ⚠️Go components require `TinyGo` (0.32+) and `wit-bindgen-go` tooling.
  • ⚠️Components run with deny-by-default permissions; explicit policies for network, storage, and environment variables must be granted (via CLI, manifest, or AI agent interaction) for components to access host resources.
Verified SafeView Analysis
Wassette is designed with a strong security model, leveraging WebAssembly sandboxing, deny-by-default fine-grained permissions (filesystem, network, environment variables), and runtime policy enforcement. It supports OCI digest verification for component integrity. Built-in tools for permission management promote least privilege. Structured logging with sensitive data redaction further enhances auditability. The core runtime itself is very secure. The main security caveat noted in the documentation is that certain example components, like 'eval-py', use inherently dangerous functions (e.g., `eval()`) which, if used with overly permissive policies or untrusted inputs, could lead to arbitrary code execution *within the component's sandbox*. Users are explicitly warned about this, emphasizing the importance of carefully vetting components and their granted permissions.
Updated: 2026-01-13GitHub
99
870
Low Cost
inkeep icon

agents

by inkeep

Sec3

This MCP (Model Context Protocol) Server acts as a proxy for the Inkeep Agent Framework's Management API. It exposes administrative functionalities (e.g., CRUD operations for agents, projects, tools, and credentials) via the MCP protocol, allowing other clients or agents to interact with the Inkeep Management API through a standardized interface.

Setup Requirements

  • ⚠️Requires a running Inkeep Management API backend (configured via `SDK_DEFAULT_BASE_URL`).
  • ⚠️Requires appropriate authentication credentials (e.g., API keys, Nango secrets) for its upstream calls to the Inkeep Management API to be supplied via environment variables.
  • ⚠️No built-in authentication for incoming HTTP requests; must be secured by an external proxy or gateway.
  • ⚠️Requires Node.js runtime and build environment for compilation and execution.
Review RequiredView Analysis
This MCP server exposes highly privileged administrative functionalities (e.g., creating, updating, deleting projects, agents, credentials). When configured to run as an HTTP server (`--transport=http`), the source code does not implement built-in authentication or authorization for *incoming* requests. It relies entirely on external security measures (e.g., being deployed as a trusted internal service, or behind an API Gateway/Load Balancer that enforces authentication and authorization). If exposed directly to the internet without such external safeguards, it would grant any caller full administrative control over the Inkeep Agent Framework instance it connects to via its configured upstream API keys and URLs. This is a critical security risk if not deployed correctly within a secured ecosystem.
Updated: 2026-01-19GitHub
99
922
Low Cost
rohitg00 icon
Sec10

A curated list of Model Context Protocol (MCP) servers focused on DevOps tools and capabilities, enabling AI models to discover and interact with various local and remote resources.

Verified SafeView Analysis
The provided source code consists solely of Markdown documentation files (README.md, CONTRIBUTING.md) which are not executable. Therefore, there are no inherent security risks such as 'eval', obfuscation, network vulnerabilities, hardcoded secrets, or malicious patterns within this repository's own code.
Updated: 2026-01-13GitHub
99
813
Low Cost
mcpjungle icon

MCPJungle

by mcpjungle

Sec3

MCPJungle is a self-hosted Model Context Protocol (MCP) Gateway that allows developers to register and manage various MCP servers and their tools from a central location, enabling AI agents to discover and consume these tools from a single gateway.

Setup Requirements

  • ⚠️Requires Homebrew for MacOS installation due to binary not being notarized.
  • ⚠️Custom Docker images are needed if STDIO-based MCP servers rely on tools other than `npx` or `uvx`.
  • ⚠️Running STDIO-based filesystem MCP servers in Docker requires explicit host filesystem volume mounting (e.g., `- .:/host:ro`).
  • ⚠️When creating MCP clients or users from a configuration file, a custom access token MUST be provided, as the CLI cannot display an auto-generated one.
  • ⚠️Tool Groups do not currently support prompts or updates, requiring deletion and recreation for changes.
Review RequiredView Analysis
The server allows registration and execution of STDIO-based MCP servers, meaning it can execute arbitrary commands on the host machine if an attacker can register an MCP server. This is a critical risk unless strict isolation (e.g., Docker with restricted volumes) and robust access control (Enterprise mode) are properly configured. The `docker-compose.prod.yaml` includes hardcoded default credentials for PostgreSQL and pgAdmin ('mcpjungle' / 'mcpjungle' and 'admin@admin.com' / 'admin' respectively), which are highly insecure for production deployment and must be changed immediately.
Updated: 2026-01-19GitHub
99
837
Low Cost
hyper-mcp-rs icon

hyper-mcp

by hyper-mcp-rs

Sec9

A fast, secure Model Context Protocol (MCP) server that extends its capabilities through WebAssembly plugins, enabling AI agents to access tools, resources, and prompts.

Setup Requirements

  • ⚠️Requires `hyper-mcp` executable to be built or downloaded for execution.
  • ⚠️Docker is required for building and distributing plugins as OCI images.
  • ⚠️S3 plugin loading requires AWS credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, etc.) to be set in the environment.
  • ⚠️OCI image loading performs signature verification by default; custom Sigstore trust roots (Rekor/Fulcio keys) may be needed if not using the default TUF data. System keyring integration for auth requires specific OS tools (e.g., `security` on macOS, `secret-tool` on Linux, `cmdkey` on Windows) to be installed and configured.
Verified SafeView Analysis
Plugins run in a WebAssembly sandbox provided by Extism, with configurable resource limits (memory, execution time), allowed network hosts, and allowed filesystem paths. OCI plugin images are cryptographically verified by Sigstore by default upon loading, adding a strong layer of supply chain security. An explicit `--insecure-skip-signature` flag exists but is clearly labeled as insecure. Host functions exposed to plugins (e.g., for logging, progress, eliciting user input) are controlled, minimizing direct plugin access to the host system. Authentication details, including sensitive credentials, can be loaded from configuration files, environment variables, or system keyrings (macOS, Linux, Windows), avoiding hardcoding.
Updated: 2026-01-19GitHub
99
936
High Cost
robotmcp icon

ros-mcp-server

by robotmcp

Sec4

Enables large language models (LLMs) to bidirectionally control and observe robots operating on ROS or ROS2 by translating natural language commands into robot actions and providing real-time sensor data feedback.

Setup Requirements

  • ⚠️Requires ROS1 or ROS2 installation and a running `rosbridge_server` on the target robot/machine.
  • ⚠️Requires Python 3.10+ and pip 23.0+ for installation and operation.
  • ⚠️Requires specific configuration in the LLM client (e.g., Claude Desktop, Gemini CLI, Cursor IDE, ChatGPT Desktop) to integrate with the MCP server.
Review RequiredView Analysis
The server's core functionality relies on connecting to `rosbridge_server`, which by default lacks authentication, potentially allowing unauthorized command execution on the robot. The MCP server itself can expose an unauthenticated HTTP/Streamable-HTTP interface, especially when configured with `--host 0.0.0.0` or used with tunneling services like `ngrok` (as shown in examples), leading to high network exposure risks. The project explicitly states that 'Permission controls' are 'soon-to-be-implemented,' indicating a known missing security feature for safer deployments. Image data is saved to a fixed, overwritten local file (`./camera/received_image.jpeg`), which could be a denial-of-service vector if extremely large images are repeatedly streamed, though limited by the overwrite mechanism.
Updated: 2026-01-19GitHub
99
758
High Cost
chunkhound icon

chunkhound

by chunkhound

Sec8

Provides local-first codebase intelligence, extracting architecture, patterns, and institutional knowledge for AI assistants.

Setup Requirements

  • ⚠️Requires Python 3.10+ and 'uv' package manager.
  • ⚠️API keys are required for cloud-based embedding (VoyageAI, OpenAI) and LLM (Anthropic, OpenAI) providers, incurring costs.
  • ⚠️Integration with local LLMs (Ollama, LM Studio) requires a running local server.
  • ⚠️The 100% AI-generated codebase may imply unique contribution and debugging workflows for human developers.
  • ⚠️May encounter DuckDB-specific database corruption issues, requiring WAL file cleanup.
Verified SafeView Analysis
The project emphasizes 'local-first' to keep code on the user's machine, enhancing privacy. It integrates with various external LLM/embedding providers (OpenAI, Anthropic, VoyageAI) and local CLI tools (Claude Code CLI, Codex CLI, Ollama), which inherently introduces dependencies on external services. The use of `subprocess` for CLI tools appears to be managed with sanitization and validation, mitigating risks of arbitrary code execution from untrusted input. The '100% AI-generated codebase' claim is unusual but the project states a focus on production quality and human guidance.
Updated: 2026-01-19GitHub
99
891
Medium Cost
mongodb-js icon

mongodb-mcp-server

by mongodb-js

Sec9

Provides a robust AI agent interface for interacting with MongoDB databases and MongoDB Atlas cloud services, enabling tool-calling for data management, monitoring, and search operations.

Setup Requirements

  • ⚠️Requires Azure CLI (2.55.0+) for Bicep deployment on Azure.
  • ⚠️Requires MongoDB MCP server container image (e.g., mongodb/mongodb-mcp-server:1.2.0) if deploying to Azure Container Apps or via Docker.
  • ⚠️Requires Docker daemon to be running for 'atlas-local' tools.
  • ⚠️Requires MongoDB Atlas API credentials (MDB_MCP_API_CLIENT_ID, MDB_MCP_API_CLIENT_SECRET) for 'atlas' category tools.
  • ⚠️Requires VoyageAI API Key (MDB_MCP_VOYAGE_API_KEY) for vector search text-to-embedding conversions.
Verified SafeView Analysis
The server implements several security measures including: explicit warnings for untrusted data in responses, configurable read-only mode, confirmation for destructive tools, temporary database user creation for Atlas connections, and validation of Atlas API credentials. It also warns about insecure HTTP host bindings. Secrets are handled via a Keychain for redaction in logs. However, inherent risks of exposing an API exist, and client-side handling of `postMessage` (for UI iframes) is critical for full security, which is outside the server's direct control. Query parameter overrides are explicitly blocked for secret fields, enhancing security.
Updated: 2026-01-19GitHub
99
826
High Cost
splx-ai icon

agentic-radar

by splx-ai

Sec3

A legal support chatbot capable of web search, employee database queries, JIRA interaction, and generating/retrieving supplier liability documents for companies.

Setup Requirements

  • ⚠️Requires Python 3.11.
  • ⚠️Potential Rust dependency issues during `pip install`, requiring manual Rust installation.
  • ⚠️Requires numerous API keys for paid services (OpenAI, Pinecone, Azure, Jira, AWS, Tavily) to be set in an `.env` file.
  • ⚠️Local non-Docker deployment requires running both `uvicorn` and `streamlit` in separate terminals.
  • ⚠️Some functionalities require `npx` (Node.js package manager) or `uvx` (Rust/Python package runner) to be installed system-wide.
Review RequiredView Analysis
CRITICAL VULNERABILITIES DETECTED: - Arbitrary Code Execution (ACE) via `eval()`: The `calculate` tool in `examples/openai-agents/mcp/multiple_servers_in_async_with/multiple_servers_in_async_with.py` directly uses `eval(expression)`, which is a severe vulnerability. If user input can reach this function, an attacker can execute arbitrary code on the host system. - Unrestricted External Command Execution: Examples utilize `MCPServerStdio` with `npx` or `uvx` to run external MCP servers (e.g., `@modelcontextprotocol/server-filesystem`, `mcp-server-git`). This introduces significant risks, as it allows the execution of unverified or potentially malicious external packages, especially if arguments can be manipulated by an attacker. - Potential Server-Side Request Forgery (SSRF): In `examples/openai-agents/mcp/sse_example/server.py`, `requests.get(f"{endpoint}/{city}")` is used, where `city` is derived from LLM input. While `wttr.in` is benign, this pattern could be exploited for SSRF if the target URL or input is manipulated to access internal network resources. - JSON Parsing Risks: `json.loads` is used in several places (e.g., `examples/langgraph/Gladiator2/nodes/researcher.py`, `examples/langgraph/Gladiator2/Tools/create_tools.py`). Although safer than `eval`, improper error handling for malformed JSON from untrusted sources could lead to denial of service. - Data Handling: The system processes sensitive employee data and supplier liability contracts. While `PIIProtectionStep` is noted for prompt hardening, comprehensive, system-level access control and sanitization are essential to prevent sensitive information disclosure across all data interactions.
Updated: 2025-11-27GitHub
99
938
High Cost
arabold icon

docs-mcp-server

by arabold

Sec6

The Documentation MCP Server indexes documentation from web sources, local files, and package registries, making it searchable via the Model Context Protocol (MCP) and providing semantic search capabilities to AI coding assistants.

Setup Requirements

  • ⚠️Requires Playwright browser installation (Chromium by default), which downloads significant binaries.
  • ⚠️Requires API keys for embedding providers (e.g., OpenAI, Google, AWS Bedrock) which are paid services.
  • ⚠️Requires Node.js 22.x to run.
Review RequiredView Analysis
The server's core functionality involves processing content from arbitrary, potentially untrusted, web sources. While sandboxing for JavaScript execution (`node:vm` with JSDOM) and Playwright for rendering are used, comments explicitly warn about these not being suitable for arbitrary web pages due to limitations in replicating full browser security and APIs. Network requests to external domains are inherent. Custom HTTP headers can be passed by users, which could be a risk if sensitive information is exposed. Resource interception helps mitigate some risks by aborting non-essential content (images, fonts, media) in Playwright, but the fundamental risk of ingesting potentially malicious external content remains.
Updated: 2026-01-19GitHub
99
955
Medium Cost
jae-jae icon

fetcher-mcp

by jae-jae

Sec7

This MCP server is designed for fetching web page content using a Playwright headless browser, enabling intelligent content extraction, JavaScript execution, and flexible output formats.

Setup Requirements

  • ⚠️Requires Playwright Chromium browser to be installed (typically via `npx playwright install chromium` or the `browser_install` tool)
  • ⚠️Headless browser operations can be resource-intensive (CPU/memory), especially with parallel fetching.
Verified SafeView Analysis
The server includes robust URL protocol validation to prevent requests to disallowed schemes, which is a good security practice. However, the Playwright Chromium browser is launched with `--no-sandbox` argument in `BrowserService`. While often necessary in containerized environments, disabling the browser sandbox reduces isolation from potentially malicious web content, making the host system more vulnerable if the browser itself is compromised. The `browser_install` tool uses `child_process.spawn` with `shell: true` on Windows, which is generally riskier, but the command and arguments are fixed and controlled, mitigating some of this risk. No direct `eval` or hardcoded sensitive secrets were identified.
Updated: 2026-01-14GitHub
99
860
Low Cost
pathintegral-institute icon

mcpm.sh

by pathintegral-institute

Sec8

MCPM is a command-line tool for managing Model Context Protocol (MCP) servers, enabling discovery, installation, execution, sharing, and integration with various MCP clients.

Setup Requirements

  • ⚠️Requires Python 3.12 or higher.
  • ⚠️Node.js/npm/npx is required for many npm-based MCP servers and the `inspect` command.
  • ⚠️Internet connectivity is required to fetch server metadata from the MCP registry.
Verified SafeView Analysis
The project uses `subprocess.call` and `subprocess.Popen` extensively to execute external programs like installed MCP servers, `npx` commands (e.g., for `inspector`), and `frpc` for tunneling. While `shlex.split` is used to mitigate shell injection for some commands, the core functionality relies on executing user-defined or registry-sourced commands. The `frpc` binary is downloaded from a HuggingFace CDN with checksum validation, which is a reasonable security measure but still relies on an external dependency and hardcoded checksums. A compromised configuration file (JSON/YAML) could lead to arbitrary command execution. API keys for sharing are generated and stored locally in `auth.json`. Overall, the tool's design emphasizes transparency and user control over what gets executed, making it safe to run as long as the user is vigilant about the origins of installed servers and the integrity of configuration files.
Updated: 2026-01-15GitHub
PreviousPage 9 of 713Next