Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

Vetted Servers (3)

42
28
Medium Cost

mcp-servers

by CheckPointSW

Sec8

Provides seamless integration with Check Point's Threat Emulation and Anti-Virus cloud services for comprehensive malware analysis, file scanning, and threat detection through a simple, standardized interface.

Setup Requirements

  • ⚠️ Requires a valid Check Point Threat Emulation API Key (implies a paid cloud service subscription).
  • ⚠️ Requires Node.js v20.0.0 or higher.
  • ⚠️ File analysis tools require locally accessible, uncompressed file paths (not URLs or compressed archives).
Verified Safe
The server relies on environment variables for API key authentication, which is a standard and secure practice. It performs network requests to Check Point cloud services, an expected part of its functionality. The `mcp-utils` dependency's `ui-dialog.ts` uses `child_process.execAsync` to open a browser for interactive prompts, but this function strictly validates URLs to only allow `http/https` protocols and `localhost` hostnames, significantly mitigating potential risks of arbitrary command execution or external resource loading. No direct 'eval' or hardcoded sensitive credentials are found within the server's core logic.
Updated: 2025-12-15
30
1
High Cost

pentest-mcp-server

by exjskdjsdfks

Sec3

Automating penetration testing operations on a remote Linux target via SSH and Tmux, enabling AI agents to manage sessions and execute various security tools.

Setup Requirements

  • ⚠️ Requires a separate Linux pentesting distribution (e.g., Kali, Parrot) as the 'target system'.
  • ⚠️ Requires SSH access with either password or key-based authentication configured on the target.
  • ⚠️ The `tmux` utility must be installed on the target system.
  • ⚠️ Disables SSH host key checking (`known_hosts=None`), which is a security risk for MITM attacks unless deployed in a strictly isolated and trusted network environment.
Review Required
The server explicitly sets `known_hosts=None` in its SSH connection, disabling host key verification. This creates a critical Man-in-the-Middle (MITM) vulnerability, allowing a malicious actor to impersonate the target SSH server without detection. While potentially for convenience in a controlled lab, this practice is a significant security flaw for a tool that executes arbitrary commands and transfers files. The `_validate_command` function provides a basic blacklist for dangerous commands but is not foolproof. The overall power to execute arbitrary commands on a remote system means misuse could have severe consequences.
Updated: 2025-12-15
0
0
Medium Cost

mcp-server

by gen0sec

Sec8

Generates and validates Wirefilter WAF rules, providing security context and testing tools for AI-driven rule creation.

Setup Requirements

  • ⚠️ Requires `uv`, `mcpb`, and `git` command-line tools for local setup.
  • ⚠️ Relies on an external WAF validation API (default: `https://public.gen0sec.com/v1/waf/validate`).
  • ⚠️ Requires Python 3.12+ for local development/execution (runtime compatibility allows >=3.8.0).
  • ⚠️ Requires an MCP-compatible client (e.g., Claude Desktop, Cursor IDE) to fully utilize.
Verified Safe
The server uses `subprocess` calls for `git clone`/`pull` to fetch CVE exploit templates and `pip install` for dependency management. While used for intended functionality (fetching public security resources and self-managing dependencies), this introduces a dependency on the integrity of external repositories. It also makes external HTTP requests to a WAF validation API (`public.gen0sec.com`) and GitHub for fetching data. No obvious hardcoded secrets or malicious patterns were found. The security of WAF rule validation is dependent on the external API.
Updated: 2025-12-15