Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(3677)

100
3590
Medium Cost
opensumi icon

core

by opensumi

Sec5

An extensible IDE framework for building web-based, desktop (Electron), and AI-native development environments, providing core UI components like message notifications and modal dialogues.

Setup Requirements

  • ⚠️Requires Node.js >= 18.12.0.
  • ⚠️Requires Yarn for dependency management (`yarn install`, `yarn run init`).
  • ⚠️Native modules (e.g., `node-pty`, `keytar`, `nsfw`, `@parcel/watcher`) require compilation, which might involve `build-essential`, `libsecret-1-dev`, `node-gyp`, and specific Python/Electron development headers depending on the environment. The `yarn rebuild-native` command assists with this.
  • ⚠️The `GITHUB_TOKEN` environment variable is required for changelog generation scripts (development/maintenance task).
Verified SafeView Analysis
The framework extensively uses `new Function()` for loading and activating extensions (e.g., in `ext.host.ts`, `worker.host.ts`, `webview-manager.ts`). While this is a common pattern for extensible IDEs like VSCode, it means the runtime executes code from extensions, requiring a high degree of trust in installed extensions. Webviews are sandboxed, but the `allow-same-origin` permission could be a concern if coupled with other vulnerabilities. Development/CLI server configurations (e.g., `tools/dev-tool/src/server.ts`, `tools/cli-engine/src/node/server.ts`) exhibit broad network access policies (`staticAllowOrigin: '*'`, open CORS), which are acceptable for local development but would be risky in a broadly exposed production environment. Sensitive `GITHUB_TOKEN` is used for changelog generation (development task) but is handled via environment variables. `keytar` is used for secure credential storage (good practice).
Updated: 2026-01-15GitHub
100
3076
Medium Cost
laravel icon

boost

by laravel

Sec3

Accelerates AI-assisted development by providing essential context and structure for generating high-quality, Laravel-specific code via an MCP server.

Setup Requirements

  • ⚠️Requires a Laravel application environment.
  • ⚠️Requires specific setup and configuration within your chosen AI agent or IDE (e.g., PhpStorm, VS Code, Cursor).
  • ⚠️The 'Search Docs' tool makes external API calls to boost.laravel.com, requiring internet connectivity.
Review RequiredView Analysis
The server exposes powerful tools with significant security implications. The 'Tinker' tool uses `eval()` allowing arbitrary PHP code execution, and 'Database Query' executes raw SQL queries (`DB::select`) after a basic keyword whitelist, posing a risk of SQL injection if the whitelist is bypassed. The 'CommandDetectionStrategy' and `installShellMcp` also dynamically execute shell commands for detection and installation, which could be exploited if inputs are not fully trusted. Additionally, the browser logger injects JavaScript into HTML responses to capture client-side logs and errors, which could inadvertently expose sensitive user data if not managed carefully. Disabling SSL verification for local/testing environments, though common, also adds a slight risk if misconfigured. These features, while intended, necessitate running the server in highly trusted and isolated development environments.
Updated: 2026-01-19GitHub
100
1586
Low Cost
mcp-router icon

mcp-router

by mcp-router

Sec8

A desktop application that simplifies the management and aggregation of Model Context Protocol (MCP) servers.

Setup Requirements

  • ⚠️Requires Node.js >=20.0.0 and pnpm >=8.0.0 for development.
  • ⚠️Core functionality relies on managing Model Context Protocol (MCP) servers, which need to be separately configured or imported (e.g., via DXT files).
  • ⚠️Optional cloud synchronization features depend on an external subscription service (mcp-router.net).
Verified SafeView Analysis
The application stores all user data locally and implements end-to-end encryption for optional cloud synchronization. Authentication uses PKCE. The workflow system uses `vm.Script` for executing user-defined hooks, which provides a sandboxed environment, but always carries an inherent risk if not perfectly contained. Analytics API keys are present but are not sensitive user data.
Updated: 2026-01-19GitHub
100
1661
High Cost
jamubc icon
Sec8

A Model Context Protocol (MCP) server that enables AI assistants to interact with the Google Gemini CLI for comprehensive code and file analysis, structured edit suggestions, and creative brainstorming.

Setup Requirements

  • ⚠️Requires Node.js v16.0.0 or higher
  • ⚠️Requires Google Gemini CLI installed and configured separately (including API key setup)
  • ⚠️Primarily designed and tested for Claude Desktop or Claude Code MCP clients
Verified SafeView Analysis
The server executes external commands via `child_process.spawn`. It correctly sets `shell: false` in `commandExecutor.ts`, significantly mitigating shell injection risks by treating arguments as distinct elements rather than a single shell command string. User-provided prompts are handled with care, including wrapping potentially problematic characters (like '@') in quotes before passing them to the Gemini CLI. No direct `eval` calls or obfuscation were found. There are no hardcoded secrets; API keys are expected to be configured with the Google Gemini CLI itself. The explicit 'sandbox' mode leverages Gemini's built-in safety features. Logging of command executions is a good practice for auditing. The primary security considerations shift to the underlying Gemini CLI and the permissions it operates with.
Updated: 2025-11-25GitHub
100
2167
Low Cost
sparfenyuk icon

mcp-proxy

by sparfenyuk

Sec8

Acts as a transparent proxy for Model Context Protocol (MCP) servers, allowing switching between stdio, Server-Sent Events (SSE), and Streamable HTTP transports.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️Installation recommended via `uv` or `pipx`.
  • ⚠️If acting as an SSE to stdio proxy, the security of the setup depends on the trustworthiness of the commands configured for the local stdio MCP server(s).
Verified SafeView Analysis
The mcp-proxy itself appears well-engineered, utilizing standard and reputable libraries (uvicorn, Starlette, httpx) and implementing good practices such as masking sensitive headers (e.g., Authorization) in logs. It correctly handles SSL verification. The primary security consideration arises from its 'SSE to stdio' mode, where it executes arbitrary commands provided by the user to spawn local MCP servers. While `shlex.split` is used when parsing command strings from named server definitions to mitigate simple shell injection, users are ultimately responsible for ensuring the commands they configure are safe and non-malicious.
Updated: 2026-01-15GitHub
100
5286
High Cost
firecrawl icon
Sec9

A Model Context Protocol (MCP) server for integrating Firecrawl's web scraping, crawling, search, and structured data extraction capabilities with AI agents.

Setup Requirements

  • ⚠️Requires a Firecrawl API Key (paid service, unless self-hosting your own Firecrawl instance).
  • ⚠️Requires Node.js version 18.0.0 or higher.
  • ⚠️Crawl operations can return very large amounts of data, potentially exceeding token limits or incurring high costs if processed by an LLM.
  • ⚠️Windows users running via `npx` might need to prefix the command with `cmd /c`.
Verified SafeView Analysis
The server implements a 'SAFE_MODE' for cloud deployments, which disables potentially risky interactive actions (click, write, executeJavascript) and webhooks. API keys are handled securely via environment variables or headers, not hardcoded. The `skipTlsVerification` option exists but is off by default. Overall, good security practices are in place, especially for hosted environments.
Updated: 2026-01-14GitHub
100
91652
Medium Cost
google-gemini icon

gemini-cli

by google-gemini

Sec8

Provides an A2A (Agent-to-Agent) server for the Gemini CLI, enabling external agents to interact with and utilize the CLI's capabilities for executing tasks and accessing tools.

Setup Requirements

  • ⚠️Node.js version 20 or higher is required.
  • ⚠️Docker or Podman is required for container-based sandboxing, which is used by the underlying Gemini CLI.
  • ⚠️A Google Cloud Storage bucket name (`GCS_BUCKET_NAME`) is required for task persistence if GCS is configured.
Verified SafeView Analysis
The A2A server leverages the robust policy and sandboxing mechanisms of the underlying `gemini-cli-core` package. It uses `express` for HTTP communication with configurable CORS to restrict access. Input validation for task IDs is implemented to prevent path traversal in cloud storage paths. API keys and authentication tokens are expected to be provided via environment variables. The primary security risks would stem from a misconfiguration of the `gemini-cli-core` settings (e.g., enabling YOLO mode or overly permissive tool policies) or from vulnerabilities in underlying dependencies. No direct `eval` or blatant hardcoded secrets are evident, but reliance on the core CLI's runtime execution policies is critical.
Updated: 2026-01-19GitHub
100
10428
High Cost
0xJacky icon

nginx-ui

by 0xJacky

Sec7

A web-based UI for managing Nginx configurations, monitoring logs, automating SSL certificate issuance via ACME, and providing AI-powered assistance for Nginx-related tasks and terminal commands.

Setup Requirements

  • ⚠️Requires Nginx to be installed and its configuration directories (e.g., `/etc/nginx`) to be accessible by the `nginx-ui` application, often necessitating specific permissions or Docker volume mounts.
  • ⚠️Utilizing LLM features for Nginx configuration or code completion requires an OpenAI API Key, which is a paid service, and should be considered for potential data exposure to third-party providers.
  • ⚠️Proper configuration of `LogDirWhiteList` in settings is mandatory for Nginx log viewing and indexing functionality; misconfiguration will prevent log access.
Verified SafeView Analysis
The project implements robust authentication mechanisms including WebAuthn, TOTP, external OAuth integrations, and brute-force protection for login, which is commendable. API endpoints are generally well-validated, and critical file access paths (e.g., Nginx logs) utilize whitelisting (`LogDirWhiteList`) to prevent path traversal. Encrypted parameters for login requests enhance credential security in transit. However, there are notable areas for improvement: The backup/restore functionality transmits the AES encryption key and IV directly in HTTP headers or form data, which means an attacker intercepting the transaction could decrypt the backup. A more secure approach would involve a user-provided passphrase for key derivation. Additionally, the integration with external LLMs (like OpenAI) for configuration assistance and code completion poses inherent data leakage risks, as sensitive Nginx configurations or system information could be sent to third-party services. Users must be aware of and configure these integrations carefully. Finally, as an Nginx management tool, ensuring proper least-privilege execution and hardening permissions in the deployment environment is critical to mitigate potential privilege escalation vulnerabilities, although the Go code itself attempts to constrain file operations to defined paths.
Updated: 2026-01-17GitHub
100
1728
Medium Cost
samanhappy icon

mcphub

by samanhappy

Sec5

An orchestration hub that aggregates, manages, and routes Model Context Protocol (MCP) servers and their tools, providing a centralized interface, user management, OAuth 2.0 authorization server capabilities, and AI-powered tool discovery and routing.

Setup Requirements

  • ⚠️Database (PostgreSQL) is required for 'Better Auth', 'Activity Logging', and 'Smart Routing' features (configured via DB_URL environment variable).
  • ⚠️OpenAI API Key (Paid) and an embedding model are required for 'Smart Routing' (AI-powered tool discovery using vector search).
  • ⚠️CRITICAL: The JWT_SECRET environment variable MUST be explicitly set in production for security and persistent user sessions; a temporary random key is generated otherwise.
Review RequiredView Analysis
CRITICAL RISKS: 1. Remote Code Execution (RCE) via `ServerConfig` 'command' and 'args' fields, allowing arbitrary command execution on the host system. This is a very high-severity vulnerability if server configuration can be modified by an attacker or unauthorized user. 2. DXT file uploads (ZIP archives) pose a high risk for path traversal and arbitrary file writes/execution due to inadequate sandboxing during extraction and processing. 3. Parsing of user-controlled base64-decoded JSON from the `state` parameter in OAuth callbacks could be vulnerable to prototype pollution. 4. The JWT_SECRET falls back to a temporary random key if not explicitly set, creating a critical security flaw in production as it leads to session invalidation on restarts and potential session hijacking if guessed or deduced. 5. Public OAuth dynamic client registration (RFC 7591) without authentication (default config) requires careful security considerations. 6. The `OpenAPIClient`'s `passthroughHeaders` could expose sensitive information or allow injection if not explicitly managed.
Updated: 2026-01-18GitHub
100
1093
Medium Cost
joey-zhou icon
Sec2

Provides backend support and a management platform for smart hardware devices, focusing on AI-powered voice interaction, device management, and IoT control.

Setup Requirements

  • ⚠️Requires API keys for chosen LLM (e.g., OpenAI, ZhiPuAI, Xunfei, Ollama, Coze, Dify), STT, and TTS providers.
  • ⚠️Requires Docker or local installations of MySQL and Redis for data persistence and caching.
  • ⚠️Implicitly requires ESP32 hardware for full functionality as an IoT backend. Local Vosk and Silero VAD models need to be present at `models/vosk-model` and `models/silero_vad.onnx` respectively.
  • ⚠️Frontend JSEncrypt keys (`web/src/utils/jsencrypt.ts`) need to be managed and are a potential security concern if not for trivial local storage encryption.
Review RequiredView Analysis
A critical security vulnerability exists in `WebSocketHandler.java` where device authentication is commented out, allowing any device with a known `device-id` to connect without a valid token. The frontend code (`web/src/utils/jsencrypt.ts`) contains hardcoded RSA public and private keys, which is a significant client-side security risk if used for anything beyond local storage convenience. File upload functionality (`FileUploadController.java`) allows configurable upload paths, which could be exploited for arbitrary file writes if the target directory is not properly secured on the server. The application uses Spring Security/Sa-Token for API authentication, which is generally good, but this does not cover the unauthenticated WebSocket endpoint.
Updated: 2026-01-13GitHub
100
2881
Low Cost
punkpeye icon

fastmcp

by punkpeye

Sec8

A TypeScript framework for building Model Context Protocol (MCP) servers, providing high-level abstractions and boilerplate handling for features like tools, prompts, resources, sessions, authentication, and HTTP streaming.

Setup Requirements

  • ⚠️OAuth features, especially with persistent token storage, require `jwtSigningKey` and `encryptionKey` to be consistently configured (e.g., via environment variables) across server restarts to prevent data loss. Auto-generated keys are not persistent.
  • ⚠️Using JWKS verification (`JWKSVerifier`) requires manually installing the optional `jose` package via `npm install jose`.
  • ⚠️Implementing authentication (`authenticate` function) requires careful handling of `http.IncomingMessage` and user-provided credentials to prevent injection or other HTTP-related vulnerabilities.
Verified SafeView Analysis
The framework utilizes Zod/ArkType/Valibot for robust input validation in tools, which is a strong security practice. It provides explicit authentication hooks (`authenticate` function) and granular access control (`canAccess` on tools). The OAuth Proxy implementation includes essential security features like PKCE and `redirect_uri` validation. Encrypted token storage (`EncryptedTokenStorage`) is available for sensitive data. Potential risks include user-controlled `fetch` URLs in `DiscoveryDocumentCache` or content processing, which could lead to SSRF if not properly validated by the implementing developer. Additionally, misconfiguration of OAuth keys or persistent storage for OAuth can introduce vulnerabilities, although the framework encourages best practices and secure defaults (e.g., auto-generated strong keys for encryption/signing if not provided). JWKS verification (via `JWKSVerifier`) requires the optional `jose` package, and its absence could lead to silent failures if JWKS is expected for token validation.
Updated: 2026-01-19GitHub
100
1263
High Cost
Flux159 icon
Sec8

This MCP server enables AI agents to connect to and manage Kubernetes clusters by executing kubectl and Helm commands.

Setup Requirements

  • ⚠️Requires kubectl installed and in your PATH.
  • ⚠️Requires a valid kubeconfig file with contexts configured.
  • ⚠️Requires Helm v3 installed and in your PATH (optional if not using Helm).
Verified SafeView Analysis
The server uses `child_process.execFileSync` and `spawn` to run external `kubectl` and `helm` commands, which inherently carries risk. However, significant mitigation measures are in place: 1. The `exec_in_pod` tool explicitly accepts commands as an array of strings to prevent shell injection, strictly avoiding direct shell interpretation. 2. Other `kubectl` tools construct arguments programmatically, reducing the risk of injection. 3. Secrets masking (`MASK_SECRETS`) is implemented for `kubectl get secrets` output, though it does not cover all sensitive data exposure in logs. 4. Non-destructive (`ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS`) and read-only (`ALLOW_ONLY_READONLY_TOOLS`) modes are available via environment variables for granular access control. 5. The Helm chart templates include robust security configurations like Pod Security Contexts, `readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false`, `capabilities.drop: ALL`, customizable RBAC, and NetworkPolicies with default deny, requiring explicit egress rules. 6. For HTTP transports, `ENABLE_UNSAFE_SSE_TRANSPORT` is deprecated in favor of `ENABLE_UNSAFE_STREAMABLE_HTTP_TRANSPORT`, which includes DNS rebinding protection and supports `MCP_AUTH_TOKEN` for header-based authentication. SSE is explicitly flagged as 'unsafe'. These measures demonstrate a strong focus on security best practices for a tool that directly interacts with a Kubernetes cluster.
Updated: 2026-01-15GitHub
PreviousPage 1 of 307Next