Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(8554)

39
2
Medium Cost
doITmagic icon

rag-code-mcp

by doITmagic

Sec9

Provides AI-ready semantic code search and RAG capabilities for various programming languages to AI assistants, running entirely locally.

Setup Requirements

  • ⚠️Requires Docker for Qdrant and Ollama (by default), or pre-installed local Ollama and a remote/local Qdrant instance.
  • ⚠️Minimum 16GB RAM and 4 CPU cores are required for smooth operation, with more recommended for larger codebases or better performance.
  • ⚠️AI assistants like GitHub Copilot require VS Code 1.95+ for integration.
Verified SafeView Analysis
The server is designed for 100% local operation, significantly reducing external network attack surfaces. It primarily interacts with local Ollama and Qdrant instances. File system access for code analysis is expected for its functionality, but no dynamic code execution (`eval`-like mechanisms) from user input are observed. The installer requires broad system permissions for Docker setup and binary installation, which is a standard pattern for such tools. Input validation is performed for tool arguments, mitigating some injection risks.
Updated: 2025-11-26GitHub
39
15
Low Cost
jakub-k-slys icon

n8n-operator

by jakub-k-slys

Sec7

Automates the deployment and management of n8n workflow automation instances on Kubernetes clusters.

Setup Requirements

  • ⚠️Requires access to a Kubernetes cluster and `kubectl` with sufficient permissions (e.g., cluster-admin for installation).
  • ⚠️Requires an external PostgreSQL database; the operator does not provision the database for n8n instances.
  • ⚠️Building from source requires building and pushing the operator's Docker image to a registry accessible by the Kubernetes cluster.
Verified SafeView Analysis
The operator's own container (`controller-manager`) is configured with strong security contexts (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `capabilities: drop: ALL`). However, the `ServiceMonitor` configuration for Prometheus metrics (used by the operator to monitor n8n instances) defaults to `insecureSkipVerify: true` in its TLS configuration. This poses a significant security risk for metrics communication, making it vulnerable to Man-in-the-Middle attacks. Users should configure proper TLS certificate verification for production monitoring setups.
Updated: 2026-01-17GitHub
39
11
Medium Cost
desplega-ai icon

qa-use

by desplega-ai

Sec8

Provides comprehensive browser automation and QA testing capabilities, integrating with a backend platform for automated tests, interactive debugging, and batch test execution.

Setup Requirements

  • ⚠️Requires `QA_USE_API_KEY` to be set as an environment variable or in `~/.qa-use.json` for most functionalities.
  • ⚠️Playwright's Chromium browser is required and automatically installed by the `ensure_installed` tool.
  • ⚠️Node.js version 20 or newer is required.
  • ⚠️Running in `tunnel` mode exposes a local browser instance to the public internet via localtunnel, requiring caution.
  • ⚠️Vercel deployments have a 60-second execution limit, which may prematurely terminate long-running sessions in HTTP/SSE mode.
Verified SafeView Analysis
The HTTP server enables CORS with `Access-Control-Allow-Origin: *`, which can be a risk for non-public deployments, though it's common for client-server protocols. The `tunnel` mode exposes a local browser instance publicly, an inherent risk that requires user awareness. The server executes commands from an external API (`desplega.ai`), which could lead to RCE if the API or commands are compromised. No `eval` or obvious hardcoded secrets found; API keys are expected from environment variables or a config file. Strong bearer token authentication is implemented for HTTP mode.
Updated: 2026-01-15GitHub
39
99
Medium Cost
cyberbuff icon
Sec8

An MCP server providing tools to search, validate, refresh, and optionally execute Atomic Red Team security tests for threat emulation and security development.

Setup Requirements

  • ⚠️Requires `uv` or Docker for easy installation; otherwise, manual Python environment setup is needed.
  • ⚠️The `execute_atomic` tool is disabled by default; enabling it (`ART_EXECUTION_ENABLED=true`) allows potentially dangerous security tests to run on the host system.
  • ⚠️The remote server option (e.g., on Railway) is on a free tier and may go offline due to usage limits.
Verified SafeView Analysis
The server's core functionality involves accessing and optionally executing security tests. By default, the `execute_atomic` tool is disabled, which significantly reduces the immediate security risk. When `ART_EXECUTION_ENABLED` is set to `true`, the server can execute commands on the host system via `atomic-operator`. This capability is inherently dangerous and, if exposed to untrusted environments, could lead to system compromise. However, the project explicitly warns users about this risk in the README and logs, advising use only in controlled, isolated environments. Authentication (`ART_AUTH_TOKEN`) is supported for remote deployments, and input validation is implemented for resource paths (`file://documents/{technique_id}`) to prevent path traversal. No hardcoded secrets or obvious malicious patterns were found. The primary security risk arises from user misconfiguration by enabling execution without proper isolation or authentication.
Updated: 2025-12-26GitHub
39
9
Medium Cost
angoran icon

git-netai

by angoran

Sec8

Provides a unified, asynchronous Model Context Protocol (MCP) server for managing multi-platform network infrastructure (routers, firewalls, WiFi, monitoring, data centers) via a single AI-accessible API.

Setup Requirements

  • ⚠️Requires Python 3.12 or higher.
  • ⚠️Requires UV package manager for dependency management.
  • ⚠️Requires an MCP-compatible client (e.g., Claude Desktop, Warp AI) to interact with the server's exposed tools.
Verified SafeView Analysis
The project uses `.env` files for local credential management and provides clear guidelines for production secret management using tools like 1Password CLI. However, it defaults to `known_hosts=None` for SSH connections and `VERIFY_SSL=false` for some API connectors (APIC, NDFC, Aruba) in development, explicitly stating these are not suitable for production and require strict validation. This clear documentation mitigates the risk, but the default insecure options for development lower the score slightly. No 'eval' or obvious code injection vulnerabilities were found.
Updated: 2026-01-19GitHub
39
38
Medium Cost
krzyzanowskim icon

XcodeDocsMCP

by krzyzanowskim

Sec8

This MCP server provides tools for querying Apple developer documentation and SDK symbols directly from a local Xcode installation on macOS.

Setup Requirements

  • ⚠️Requires macOS 14.0+
  • ⚠️Requires Xcode with command line tools installed
  • ⚠️Requires Swift 6.0+
Verified SafeView Analysis
The server executes external commands (mdfind, grep, xcrun, sh) based on user input, which inherently carries risk. However, it implements input sanitization (escaping single quotes) for queries passed to 'mdfind' and 'grep' commands to mitigate shell injection vulnerabilities. Temporary directories used for symbol graph extraction are created with UUIDs and promptly cleaned up. The server operates locally, reading from stdin and writing to stdout, with no explicit network listeners or outgoing connections, limiting network-based attack vectors.
Updated: 2025-12-15GitHub
39
10
Medium Cost
ragieai icon

mcp-gateway

by ragieai

Sec9

A multi-tenant secure proxy for AI clients to Ragie Model Context Protocol (MCP) services with WorkOS authentication and role-based access control.

Setup Requirements

  • ⚠️Requires Node.js 18+ runtime environment.
  • ⚠️Requires a PostgreSQL database with a 'collections' table (schema provided, needs initialization).
  • ⚠️Requires a WorkOS account and application setup, including API keys, client ID, and authorization server URL.
  • ⚠️Ragie API keys for each organization/collection must be provisioned and securely stored (encrypted in the database).
Verified SafeView Analysis
The server uses strong cryptographic practices for API key encryption (AES-256-GCM, PBKDF2, SHA-256) with a randomly generated IV for each encryption and environment variables for secrets. Authentication is robust, involving JWT verification via WorkOS JWKS and an explicit WorkOS API call to validate user organization membership and roles, addressing a potential JWT limitation. Server-side filters prevent data access bypasses. No 'eval' or similar dangerous patterns were found in the provided code. The fixed salt for PBKDF2 is acceptable as it's used for deterministic key derivation from a strong master key, not for individual data encryption.
Updated: 2026-01-11GitHub
39
2
Low Cost
ignaciohermosillacornejo icon

copilot-money-mcp

by ignaciohermosillacornejo

Sec9

The Copilot Money MCP Server enables AI-powered queries of personal financial data by reading locally cached Copilot Money data.

Setup Requirements

  • ⚠️Requires Copilot Money (macOS App Store version) to be installed and to have synced data locally.
  • ⚠️Only runs on macOS as the database path is platform-specific.
  • ⚠️Data is read from the local cache, which may not contain a user's full transaction history; users need to open the Copilot Money app and scroll through older transactions to populate the cache.
Verified SafeView Analysis
The server explicitly states it is 100% local, read-only, and performs zero network requests, aligning with strong privacy commitments. All tools are marked with `readOnlyHint: true`. Data is accessed from the local Copilot Money LevelDB cache. It copies the database to a temporary directory for read access, ensuring no conflicts with the running app. Zod is used for data validation, contributing to robustness. No hardcoded external secrets or malicious patterns were identified. A score of 9 is given due to its strong privacy and local-only guarantees, with a slight deduction as any local file access has inherent, albeit minor, system interaction risks.
Updated: 2026-01-19GitHub
39
7
Low Cost
marconae icon

spec-oxide

by marconae

Sec1

A simple and lightweight Micro-Container Platform (MCP) designed for spec-driven development workflows.

Review RequiredView Analysis
Security audit is severely limited as only the `README.md` file was provided. No source code was available to analyze for 'eval', obfuscation, network risks, hardcoded secrets, or malicious patterns. Based solely on the README, no immediate risks are apparent, but this does not imply safety without the actual code.
Updated: 2026-01-17GitHub
39
6
High Cost
kessler-frost icon

imprint

by kessler-frost

Sec6

Enables AI agents to programmatically control a terminal, capture screenshots, and extract text for TUI testing and interaction.

Setup Requirements

  • ⚠️Requires `ttyd` and `tmux` to be installed on the system (installation script attempts to install them, possibly requiring `sudo` on Linux).
  • ⚠️`go-rod` will auto-download a headless Chrome/Chromium browser (~100-200MB) on first run, requiring significant disk space and bandwidth.
  • ⚠️Requires Go installed for building from source or running examples.
Review RequiredView Analysis
The `imprint` server executes shell commands via `exec.Command` in its `internal/terminal/terminal.go` component, specifically using `sh -c {shell}` for the `t.shell` variable. This `t.shell` originates from the `--shell` command-line argument and the `command` parameter of the `restart_terminal` MCP tool. If a malicious AI agent or a compromised orchestrator provides a crafted `command` (e.g., containing `; rm -rf /`), it can lead to arbitrary command injection on the host system. The `install.sh` script also requires `sudo` privileges for package manager installations, which is a point of privilege escalation during installation. Network exposure for `ttyd` is limited as it binds to `127.0.0.1`, reducing direct remote attack vectors. Use of `page.Eval` is contained within a sandboxed headless browser context for known `xterm.js` APIs, posing a lower risk.
Updated: 2026-01-18GitHub
39
7
Low Cost
javiarmesto icon
Sec9

This server integrates with Microsoft Dynamics 365 Business Central to expose its data and functionality as MCP tools for Claude Desktop, enabling AI-powered interactions with ERP data.

Setup Requirements

  • ⚠️Requires Python 3.12 or higher.
  • ⚠️Full Business Central integration requires Azure AD App Registration (Client ID, Client Secret, Tenant ID) and Business Central Company ID/Environment name, which can be complex to configure. Mock data mode is available as a fallback but offers limited functionality.
  • ⚠️Requires Claude Desktop application to be installed for client interaction.
Verified SafeView Analysis
The server uses STDIO transport, which inherently limits network exposure to local communication. Authentication with Business Central relies on standard OAuth2 Client Credentials flow via Azure AD. Credentials are loaded from environment variables (.env file) and are not hardcoded. The client implements robust error handling and token refresh mechanisms. No 'eval' or malicious patterns were detected. Logging of full API responses at debug level could potentially expose sensitive data if debug logs are mishandled, but this is a standard configuration point.
Updated: 2025-11-23GitHub
39
18
Low Cost
kakaxi3019 icon

wechat_oa_mcp

by kakaxi3019

Sec7

This server acts as a Model Control Protocol (MCP) wrapper for WeChat Official Account APIs, enabling AI systems or automation workflows to manage WeChat content.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️Requires a WeChat Public Platform AppID and AppSecret to function.
  • ⚠️The hardcoded external IP `106.15.125.133` must be added to your WeChat Public Platform's IP whitelist.
  • ⚠️Explicitly states '此 MCP 服务器仅限研究用途,禁止用于商业目的。'
Verified SafeView Analysis
The server relies on a hardcoded external IP address (106.15.125.133) for its backend services. While this is an intentional architectural choice to solve WeChat's IP whitelist requirement and the project includes a disclaimer for research use only, it introduces a critical dependency on the security and availability of that specific external server. If the external server were compromised or its IP repurposed, sensitive `AppID`, `AppSecret`, and `access_token` could be exposed. No 'eval', 'exec', or direct OS command injection vulnerabilities were found in the provided source code, and JSON payloads are handled by the `requests` library which typically provides serialization safety. Input parameters are obtained using `.get()` methods, which is safer than direct dictionary access.
Updated: 2025-11-22GitHub
PreviousPage 96 of 713Next