Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(2689)

100
3566
High Cost
opensumi icon

core

by opensumi

Sec6

A framework for building AI-Native IDE products, providing core functionalities like editor, file management, terminal, debugging, search, and extension support, with a strong focus on AI integration and interactive UI components.

Setup Requirements

  • ⚠️Requires Node.js >= 18 for development and deployment.
  • ⚠️Requires Yarn as the package manager.
  • ⚠️Requires `git` command-line tool to be available in PATH for SCM features.
  • ⚠️Native module rebuilding (e.g., `node-pty`, `@parcel/watcher`, `nsfw`, `keytar`) may require `build-essential` and `libsecret-1-dev` (Linux) or other system-specific development tools.
  • ⚠️Installation of vscode-compatible extensions happens via `yarn run download-extension` from `open-vsx.org` by default.
Verified SafeView Analysis
The server includes extensive capabilities for file system access, network communication (websockets, HTTP), and running child processes for terminals, extensions, and debugging, which are inherent to an IDE. The use of `new Function` for executing webview content in `tools/cli-engine/src/webview/webview-host/webview-manager.ts` is a powerful feature that, if not rigorously sandboxed and input-sanitized, could pose a code injection risk. While sandboxing with `sandbox` iframe attributes is present, such constructs always warrant careful security review. The `staticAllowOrigin: '*'` setting in development server configurations is broad but typical for dev tools, though it could be a misconfiguration risk if deployed without restrictions. Overall, the project's nature as an extensible IDE means a larger attack surface, necessitating robust security practices for both the core framework and any integrated extensions.
Updated: 2025-12-02GitHub
100
2905
Medium Cost
laravel icon

boost

by laravel

Sec4

Laravel Boost accelerates AI-assisted development by providing context and specialized tools for AI to generate high-quality, Laravel-specific code.

Setup Requirements

  • ⚠️Requires an existing Laravel application.
  • ⚠️Initial setup requires running `php artisan boost:install` and potentially configuring editor-specific MCP settings (e.g., PhpStorm, VS Code, Cursor).
  • ⚠️The `SearchDocs` and `ReportFeedback` tools rely on an external hosted documentation/feedback API service (`boost.laravel.com`).
  • ⚠️Integration with Laravel Herd or Sail requires user confirmation during installation.
Review RequiredView Analysis
The `Tinker` tool uses `eval` for executing arbitrary PHP code within the application context. While intended for developer use and executed in an isolated subprocess by `ToolExecutor`, `eval` is inherently a high-risk function as it allows for remote code execution if an attacker gains control over the input. The `SearchDocs` and `ReportFeedback` tools make external HTTP requests to `boost.laravel.com`, sending user queries and feedback data, which might raise privacy concerns for some users. The `MakesHttpRequests` concern disables SSL verification for local/testing environments, which is common but should be noted.
Updated: 2025-12-05GitHub
100
1289
Low Cost
mcp-router icon

mcp-router

by mcp-router

Sec3

A desktop application for managing Model Context Protocol (MCP) servers, supporting local and remote connections, context management, and integration with AI tools.

Setup Requirements

  • ⚠️Requires Node.js >= 20.0.0 and pnpm >= 8.0.0 for development/building.
  • ⚠️The Electron app installation is platform-specific (Windows/macOS installer via releases page).
  • ⚠️User-defined 'hooks' in workflows utilize `vm.Script.runInContext`, which, despite sandboxing efforts, carries inherent security risks due to arbitrary code execution capabilities if exploited.
Review RequiredView Analysis
The application uses `vm.Script.runInContext` for executing user-defined 'hooks' in workflows. While attempts at sandboxing are present (using `vm.createContext`), `eval`-like mechanisms are inherently high-risk and can be vulnerable to bypasses if the sandbox is not perfectly isolated, potentially leading to arbitrary code execution. Additionally, a PostHog analytics API key is hardcoded in `posthog-service.ts`, which, while not a critical access credential, is a secret in plain text that is transmitted externally, contradicting the README's privacy statement about credentials never being transmitted externally. User-provided bearer tokens and API keys for MCP servers are stated to be stored locally and not transmitted externally without explicit configuration.
Updated: 2025-12-02GitHub
100
1661
High Cost
jamubc icon
Sec8

A Model Context Protocol (MCP) server that enables AI assistants to interact with the Google Gemini CLI for comprehensive code and file analysis, structured edit suggestions, and creative brainstorming.

Setup Requirements

  • ⚠️Requires Node.js v16.0.0 or higher
  • ⚠️Requires Google Gemini CLI installed and configured separately (including API key setup)
  • ⚠️Primarily designed and tested for Claude Desktop or Claude Code MCP clients
Verified SafeView Analysis
The server executes external commands via `child_process.spawn`. It correctly sets `shell: false` in `commandExecutor.ts`, significantly mitigating shell injection risks by treating arguments as distinct elements rather than a single shell command string. User-provided prompts are handled with care, including wrapping potentially problematic characters (like '@') in quotes before passing them to the Gemini CLI. No direct `eval` calls or obfuscation were found. There are no hardcoded secrets; API keys are expected to be configured with the Google Gemini CLI itself. The explicit 'sandbox' mode leverages Gemini's built-in safety features. Logging of command executions is a good practice for auditing. The primary security considerations shift to the underlying Gemini CLI and the permissions it operates with.
Updated: 2025-11-25GitHub
100
2046
Low Cost
sparfenyuk icon

mcp-proxy

by sparfenyuk

Sec6

The mcp-proxy allows switching between MCP server transports, primarily enabling communication between stdio and SSE/StreamableHTTP endpoints.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️Installation via `uv` or `pipx` is recommended.
  • ⚠️For 'SSE to stdio' mode, exposing on non-localhost (`--host 0.0.0.0`) or using `--allow-origin='*'` without proper authentication (e.g., OAuth2 with `--client-id`, `--client-secret`, `--token-url`) creates significant security risks by allowing remote command execution.
  • ⚠️Requires an external MCP server or client to proxy for meaningful functionality.
Verified SafeView Analysis
The server's 'SSE to stdio' mode allows arbitrary local commands to be executed via a network endpoint. If the `--host` is set to `0.0.0.0` or a public IP, and authentication (OAuth2) is not configured, or `--allow-origin='*'` is used, this could allow unauthenticated users on the network to execute arbitrary commands on the host system where `mcp-proxy` is running. While `shlex.split` is used for command parsing, preventing basic shell injection, the core functionality allows specifying any executable. Care must be taken to secure network exposure and command inputs.
Updated: 2025-12-02GitHub
100
5006
Low Cost
firecrawl icon
Sec9

Provides web scraping, crawling, search, and structured data extraction capabilities to AI models via the Model Context Protocol.

Setup Requirements

  • ⚠️Requires a Firecrawl API Key (paid service) for cloud API usage.
  • ⚠️Requires Node.js version 18 or higher to run.
  • ⚠️If using a self-hosted Firecrawl instance (`FIRECRAWL_API_URL`), ensure LLM support is configured for extraction tools, as it might not be enabled by default.
Verified SafeView Analysis
The server uses environment variables for API keys, avoiding hardcoded secrets. Input validation is performed using `zod` schemas. A `SAFE_MODE` is explicitly enabled for cloud deployments, disabling potentially dangerous interactive web actions (like clicks, writes, JavaScript execution) for enhanced security. The core scraping functionality relies on external `firecrawl-js` and `firecrawl-fastmcp` SDKs, whose internal security is assumed. No direct `eval` or obvious malicious patterns were found in the provided source.
Updated: 2025-11-22GitHub
100
3050
Low Cost
wong2 icon
Sec10

A central directory for discovering and referencing various Model Context Protocol (MCP) servers, clients, and frameworks for AI agents.

Verified SafeView Analysis
The provided "source code" is a static README.md file. It contains no executable code, network interactions, or hardcoded secrets. Therefore, it presents no inherent security risks. Any potential risks would stem from interacting with the external links or projects referenced within the README, which are beyond the scope of this source code analysis.
Updated: 2025-11-23GitHub
100
10098
High Cost
0xJacky icon

nginx-ui

by 0xJacky

Sec4

Nginx Log Analysis and Management UI with AI Assistant features for configuration, monitoring, and debugging across clustered Nginx instances.

Setup Requirements

  • ⚠️Requires OpenAI API Key (Paid) for AI chat and code completion features.
  • ⚠️Requires Nginx installation and configuration, with accessible log and config paths.
  • ⚠️Requires downloading a GeoLite2 database for geo-IP log analytics (needs internet access).
  • ⚠️Best deployed via Docker Compose for a complete setup.
Review RequiredView Analysis
CRITICAL VULNERABILITY: The application uses MD5 to hash a secret key which is then used to derive the AES key for encrypting sensitive data like OTP secrets. MD5 is cryptographically broken and should never be used for key derivation, making encrypted data highly vulnerable. Additional Concerns: - While path validation is implemented for file operations (config, logs, certs), the robustness of `helper.CopyFile` in `api/streams/duplicate.go` and the `internal/backup.Restore` function is critical. Without a deeper dive, there's a potential risk of path traversal or arbitrary file overwrites during these sensitive operations. - Remote node synchronization relies on secure token management. Compromise of these tokens would allow control over remote Nginx instances. - LLM integration introduces inherent prompt injection risks, although system prompts are used to guide the AI.
Updated: 2025-12-06GitHub
100
1607
Medium Cost
samanhappy icon

mcphub

by samanhappy

Sec8

A hub for managing, orchestrating, and providing a unified API for various Model Context Protocol (MCP) servers and their tools, including user management, OAuth services, and discovery of external servers.

Setup Requirements

  • ⚠️Requires Node.js (>=20.0.0).
  • ⚠️Smart Routing feature requires an OpenAI API Key (paid service) and a PostgreSQL database with `pgvector` extension if enabled.
  • ⚠️Cloud Market feature requires a MCPROUTER_API_KEY for API access.
  • ⚠️Running in database mode (`DB_URL` environment variable set) requires a PostgreSQL database with `pgvector` extension.
Verified SafeView Analysis
The system includes user authentication and role-based access control, with password hashing for user credentials. It leverages `@node-oauth/oauth2-server` for robust OAuth 2.0 implementation. Environment variables (like API keys) are typically loaded from `process.env` or `mcp_settings.json` and warned if not set in production. The `StdioClientTransport` allows administrators to configure and execute arbitrary commands, which is a core feature for managing external MCP servers; this capability is restricted to authenticated users with write permissions, implying trust in administrators not to inject malicious commands. No direct `eval` or blatant unauthenticated Remote Code Execution (RCE) vectors were identified. File uploads for DXT archives are handled with `AdmZip.extractAllTo` to a temporary, generated directory, reducing path traversal risks.
Updated: 2025-12-06GitHub
100
1720
Medium Cost
metatool-ai icon

metamcp

by metatool-ai

Sec8

Dynamically aggregates multiple MCP servers into a unified MetaMCP server, applies middleware, and exposes them through configurable API endpoints.

Setup Requirements

  • ⚠️Docker and Docker Compose are highly recommended for local development and production deployment.
  • ⚠️A PostgreSQL database is required for persistent storage of configurations and user data.
  • ⚠️Critical environment variables (e.g., `BETTER_AUTH_SECRET`, `POSTGRES_PASSWORD`) must be changed from their default values in production environments for security.
  • ⚠️If integrating custom MCP servers with additional dependencies, a custom Dockerfile will be necessary to install these dependencies and mitigate cold start issues.
  • ⚠️The frontend development container setup requires a reliable network connection for initial dependency installation and image building.
Verified SafeView Analysis
The project uses `helmet` and explicit CORS policies for different routers. OAuth 2.1 with PKCE is implemented following modern security recommendations for token generation, redirect URI validation, and secret handling. Rate limiting is present for OAuth endpoints, though it's in-memory and less robust for distributed deployments. Default secrets (`BETTER_AUTH_SECRET`, `POSTGRES_PASSWORD`) are hardcoded in `docker-compose.dev.yml` and `example.env` for convenience, but clearly marked for production changes. Public endpoints use `cors({ origin: true })` but rely on API key or OAuth for authorization. Overall, strong security practices are applied for its architectural pattern.
Updated: 2025-11-24GitHub
100
2801
Low Cost
punkpeye icon

fastmcp

by punkpeye

Sec9

Build Model Context Protocol (MCP) servers in TypeScript with features like session management, authentication (including OAuth), streaming, and type-safe tool/resource/prompt definitions.

Setup Requirements

  • ⚠️Optional JWKS (JSON Web Key Set) verification requires manual installation of the `jose` peer dependency (`npm install jose`).
  • ⚠️OAuth authentication requires pre-configuration with an upstream provider (e.g., Google, GitHub, Azure) and setting corresponding environment variables (e.g., `GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET`).
  • ⚠️For OAuth functionality, the `baseUrl` of the FastMCP server and the `redirectPath` (`/oauth/callback` by default) must be correctly configured in your upstream OAuth provider's settings.
Verified SafeView Analysis
The framework demonstrates strong security practices, especially around OAuth flows, token storage (encryption and token swap by default), and PKCE implementation. Sensitive keys are expected to be provided via environment variables, not hardcoded. The `authenticate` function, `imageContent` and `audioContent` helpers allow custom logic or fetching from external/local paths; developers using the framework must ensure proper input sanitization and validation for user-controlled inputs to prevent risks like SSRF or path traversal. The optional 'jose' dependency for JWKS verification is a well-regarded cryptographic library.
Updated: 2025-12-05GitHub
100
1205
Medium Cost
Flux159 icon
Sec8

Manages Kubernetes clusters by executing kubectl and Helm commands, facilitating automation and interaction through the Model Context Protocol.

Setup Requirements

  • ⚠️Requires `kubectl` to be installed and in PATH.
  • ⚠️Requires a valid `kubeconfig` file with configured contexts for cluster access, or specific environment variables for authentication.
  • ⚠️Requires `Helm v3` to be installed and in PATH if Helm operations are used.
  • ⚠️HTTP/SSE transport modes (`ENABLE_UNSAFE_SSE_TRANSPORT`, `ENABLE_UNSAFE_STREAMABLE_HTTP_TRANSPORT`) are marked as 'UNSAFE' and need external security layers (e.g., proxy with authentication/authorization) for production use. DNS rebinding protection might also need explicit enabling (`DNS_REBINDING_PROTECTION`, `DNS_REBINDING_ALLOWED_HOST`).
Verified SafeView Analysis
The server executes external CLI commands (kubectl, helm, aws, gcloud, curl) via `execFileSync` and `spawn`. While arguments are generally passed as arrays to mitigate command injection, this pattern inherently carries risk. Explicit warnings are provided for 'UNSAFE' HTTP/SSE transports, recommending proxies for authentication/authorization. Secrets masking for 'kubectl get secrets' is enabled by default. Tool filtering via environment variables (`ALLOW_ONLY_READONLY_TOOLS`, `ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS`, `ALLOWED_TOOLS`) is a strong positive.
Updated: 2025-12-06GitHub
PreviousPage 1 of 225Next