Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(9120)

99
1063
High Cost

elevenlabs-mcp

by elevenlabs

Sec8

An official ElevenLabs Model Context Protocol (MCP) server that enables AI clients (e.g., Claude Desktop, Cursor) to interact with ElevenLabs Text-to-Speech, voice cloning, transcription, and audio processing APIs.

Setup Requirements

  • ⚠️Requires an ElevenLabs API Key (paid service after free tier credits are consumed).
  • ⚠️Requires `uv` Python package manager to be installed and accessible via `uvx` (or its absolute path).
  • ⚠️Windows users must enable 'Developer Mode' in Claude Desktop to use the MCP server.
Verified SafeView Analysis
The server uses environment variables for API keys, which is a standard secure practice. It handles file outputs configurable via `ELEVENLABS_MCP_BASE_PATH` (defaulting to `~/Desktop`), which could involve local disk writes but is for expected outputs and not arbitrary code execution. No obvious 'eval' or obfuscation risks are present. It primarily acts as an API wrapper.
Updated: 2025-11-17GitHub
99
826
High Cost
splx-ai icon

agentic-radar

by splx-ai

Sec3

A legal support chatbot capable of web search, employee database queries, JIRA interaction, and generating/retrieving supplier liability documents for companies.

Setup Requirements

  • ⚠️Requires Python 3.11.
  • ⚠️Potential Rust dependency issues during `pip install`, requiring manual Rust installation.
  • ⚠️Requires numerous API keys for paid services (OpenAI, Pinecone, Azure, Jira, AWS, Tavily) to be set in an `.env` file.
  • ⚠️Local non-Docker deployment requires running both `uvicorn` and `streamlit` in separate terminals.
  • ⚠️Some functionalities require `npx` (Node.js package manager) or `uvx` (Rust/Python package runner) to be installed system-wide.
Review RequiredView Analysis
CRITICAL VULNERABILITIES DETECTED: - Arbitrary Code Execution (ACE) via `eval()`: The `calculate` tool in `examples/openai-agents/mcp/multiple_servers_in_async_with/multiple_servers_in_async_with.py` directly uses `eval(expression)`, which is a severe vulnerability. If user input can reach this function, an attacker can execute arbitrary code on the host system. - Unrestricted External Command Execution: Examples utilize `MCPServerStdio` with `npx` or `uvx` to run external MCP servers (e.g., `@modelcontextprotocol/server-filesystem`, `mcp-server-git`). This introduces significant risks, as it allows the execution of unverified or potentially malicious external packages, especially if arguments can be manipulated by an attacker. - Potential Server-Side Request Forgery (SSRF): In `examples/openai-agents/mcp/sse_example/server.py`, `requests.get(f"{endpoint}/{city}")` is used, where `city` is derived from LLM input. While `wttr.in` is benign, this pattern could be exploited for SSRF if the target URL or input is manipulated to access internal network resources. - JSON Parsing Risks: `json.loads` is used in several places (e.g., `examples/langgraph/Gladiator2/nodes/researcher.py`, `examples/langgraph/Gladiator2/Tools/create_tools.py`). Although safer than `eval`, improper error handling for malformed JSON from untrusted sources could lead to denial of service. - Data Handling: The system processes sensitive employee data and supplier liability contracts. While `PIIProtectionStep` is noted for prompt hardening, comprehensive, system-level access control and sanitization are essential to prevent sensitive information disclosure across all data interactions.
Updated: 2025-11-27GitHub
99
938
High Cost
arabold icon

docs-mcp-server

by arabold

Sec6

The Documentation MCP Server indexes documentation from web sources, local files, and package registries, making it searchable via the Model Context Protocol (MCP) and providing semantic search capabilities to AI coding assistants.

Setup Requirements

  • ⚠️Requires Playwright browser installation (Chromium by default), which downloads significant binaries.
  • ⚠️Requires API keys for embedding providers (e.g., OpenAI, Google, AWS Bedrock) which are paid services.
  • ⚠️Requires Node.js 22.x to run.
Review RequiredView Analysis
The server's core functionality involves processing content from arbitrary, potentially untrusted, web sources. While sandboxing for JavaScript execution (`node:vm` with JSDOM) and Playwright for rendering are used, comments explicitly warn about these not being suitable for arbitrary web pages due to limitations in replicating full browser security and APIs. Network requests to external domains are inherent. Custom HTTP headers can be passed by users, which could be a risk if sensitive information is exposed. Resource interception helps mitigate some risks by aborting non-essential content (images, fonts, media) in Playwright, but the fundamental risk of ingesting potentially malicious external content remains.
Updated: 2026-01-19GitHub
99
955
Medium Cost
jae-jae icon

fetcher-mcp

by jae-jae

Sec7

This MCP server is designed for fetching web page content using a Playwright headless browser, enabling intelligent content extraction, JavaScript execution, and flexible output formats.

Setup Requirements

  • ⚠️Requires Playwright Chromium browser to be installed (typically via `npx playwright install chromium` or the `browser_install` tool)
  • ⚠️Headless browser operations can be resource-intensive (CPU/memory), especially with parallel fetching.
Verified SafeView Analysis
The server includes robust URL protocol validation to prevent requests to disallowed schemes, which is a good security practice. However, the Playwright Chromium browser is launched with `--no-sandbox` argument in `BrowserService`. While often necessary in containerized environments, disabling the browser sandbox reduces isolation from potentially malicious web content, making the host system more vulnerable if the browser itself is compromised. The `browser_install` tool uses `child_process.spawn` with `shell: true` on Windows, which is generally riskier, but the command and arguments are fixed and controlled, mitigating some of this risk. No direct `eval` or hardcoded sensitive secrets were identified.
Updated: 2026-01-14GitHub
99
860
Low Cost
pathintegral-institute icon

mcpm.sh

by pathintegral-institute

Sec8

MCPM is a command-line tool for managing Model Context Protocol (MCP) servers, enabling discovery, installation, execution, sharing, and integration with various MCP clients.

Setup Requirements

  • ⚠️Requires Python 3.12 or higher.
  • ⚠️Node.js/npm/npx is required for many npm-based MCP servers and the `inspect` command.
  • ⚠️Internet connectivity is required to fetch server metadata from the MCP registry.
Verified SafeView Analysis
The project uses `subprocess.call` and `subprocess.Popen` extensively to execute external programs like installed MCP servers, `npx` commands (e.g., for `inspector`), and `frpc` for tunneling. While `shlex.split` is used to mitigate shell injection for some commands, the core functionality relies on executing user-defined or registry-sourced commands. The `frpc` binary is downloaded from a HuggingFace CDN with checksum validation, which is a reasonable security measure but still relies on an external dependency and hardcoded checksums. A compromised configuration file (JSON/YAML) could lead to arbitrary command execution. API keys for sharing are generated and stored locally in `auth.json`. Overall, the tool's design emphasizes transparency and user control over what gets executed, making it safe to run as long as the user is vigilant about the origins of installed servers and the integrity of configuration files.
Updated: 2026-01-15GitHub
99
787
High Cost
IvanMurzak icon

Unity-MCP

by IvanMurzak

Sec3

Integrates AI Language Models with the Unity Editor and runtime to automate game development tasks, generate code, debug, and enable AI-driven game mechanics.

Setup Requirements

  • ⚠️Requires the Unity MCP Plugin to be installed within a Unity project.
  • ⚠️The Unity project path cannot contain spaces.
  • ⚠️Requires a compatible MCP Client (e.g., Claude Code, Cursor, GitHub Copilot).
  • ⚠️Running the server locally requires Docker or a .NET 9.0 runtime.
  • ⚠️AI features for LLMs will incur costs depending on the chosen LLM provider (e.g., OpenAI API Key is mentioned for tool validation, implying use for LLM clients).
Review RequiredView Analysis
The server, via the Unity Plugin, exposes a 'script-execute' tool that dynamically compiles and runs C# code using Roslyn. While Roslyn itself is managed, allowing an external AI (potentially controlled by a user) to execute arbitrary C# code within the Unity Editor or a compiled game environment presents a significant security risk. A compromised or maliciously prompted AI could execute harmful code on the system running Unity. There are no clear sandboxing mechanisms mentioned for the dynamically executed code. No hardcoded secrets were found in the provided server-side code snippets; external API keys (like OpenAI's) are expected to be provided via environment variables.
Updated: 2026-01-19GitHub
99
850
Medium Cost
datalayer icon

jupyter-mcp-server

by datalayer

Sec4

This server acts as an MCP (Model Context Protocol) adapter, allowing AI agents to connect, manage, and interact with Jupyter Notebooks in real-time, supporting dual-mode operation as a standalone server or a Jupyter extension.

Setup Requirements

  • ⚠️Requires a running JupyterLab server as a backend.
  • ⚠️Specific `pycrdt` and `datalayer_pycrdt` version pinning (uninstall then install specific versions) is required for real-time collaboration features.
  • ⚠️Python 3.10+ is required.
  • ⚠️Full JupyterLab integration features (e.g., `jupyter-mcp-tools`) require the JupyterLab frontend to be loaded and the `jupyter-mcp-tools` extension to be installed.
Review RequiredView Analysis
The server's core functionality involves executing arbitrary code within a Jupyter kernel, which is a powerful operation inherent to its design. The `execute_code` and `execute_cell` tools allow running Python code and shell commands, making the server a high-privilege endpoint. Additionally, the default `FastMCPWithCORS` configuration sets `allow_origins=["*"]`, which poses a significant Cross-Origin Resource Sharing (CORS) vulnerability if the server is exposed publicly without explicitly restricting allowed origins. There are no obvious signs of obfuscation or hardcoded sensitive secrets within the provided source, but the combination of powerful execution capabilities and a permissive default CORS policy makes it risky for unhardened deployments. Users must configure CORS origins and ensure that only trusted AI agents or clients are permitted to interact with the server.
Updated: 2026-01-17GitHub
99
889
Low Cost
antfu icon

nuxt-mcp-dev

by antfu

Sec6

This server provides development context and real-time insights from Vite/Nuxt applications to AI models via a Model Context Protocol (MCP) server.

Setup Requirements

  • ⚠️This project is experimental and not ready for production use, as stated by the developer.
  • ⚠️Requires an existing Vite or Nuxt.js project for integration.
  • ⚠️Automatically attempts to modify IDE/editor configuration files (`.cursor`, `.vscode`, `~/.codeium/windsurf`, `.mcp.json`).
Verified SafeView Analysis
The server is explicitly marked as 'Experimental. Not ready for production.' It involves running shell commands (`nuxi add`) which, if arguments (`template`, `name`) are not sufficiently sanitized by the underlying `nuxi` or `citty` CLI tools, could lead to command injection. Additionally, it modifies IDE/editor configuration files (`.cursor/mcp.json`, `.vscode/mcp.json`, `~/.codeium/windsurf/mcp_config.json`, `.mcp.json`) to register the MCP server URL. If an attacker could inject a malicious URL into these configurations, it could redirect the IDE/tool to an attacker-controlled server, leading to information leakage or false context injection for AI models. This is a supply chain risk if untrusted options are passed.
Updated: 2026-01-13GitHub
98
981
Low Cost
jaw9c icon
Sec10

A curated directory for developers to discover, evaluate, and integrate high-quality, official remote Model Context Protocol (MCP) servers into their AI applications and LLM clients.

Verified SafeView Analysis
The provided source code consists solely of documentation (README, CONTRIBUTING, CODE_OF_CONDUCT) and does not contain any executable server logic. There are no 'eval' calls, obfuscated code, or hardcoded secrets within the repository's files. The repository itself is a static list of external MCP servers and poses no direct execution-time security risks. It does, however, highlight that some listed external MCP servers use 'Open' authentication, which implies a lower security profile for those *external* services, but this is clearly indicated.
Updated: 2026-01-08GitHub
98
735
Low Cost
higress-group icon

himarket

by higress-group

Sec8

An enterprise AI open platform for unified management and distribution of AI resources including LLMs, MCP Servers, and Agents.

Setup Requirements

  • ⚠️Requires JDK 17, Node.js 18+, Maven 3.6+, and MySQL 8.0+ for local setup.
  • ⚠️Database connection parameters (DB_HOST, DB_PORT, DB_NAME, DB_USERNAME, DB_PASSWORD) must be configured.
  • ⚠️Local backend startup requires specific Java 17 `--add-opens` arguments.
Verified SafeView Analysis
The project uses `@Encrypted` annotations for sensitive configuration fields (e.g., API keys, passwords) in backend models, ensuring they are encrypted in the database. JWT is used for authentication with role-based access control (`@AdminAuth`, `@DeveloperAuth`). Database interactions are handled via JPA, which protects against common SQL injection vulnerabilities. Critical credentials and database settings are externalized using environment variables or Java system properties, preventing hardcoding. The frontend handles authentication tokens via local storage and includes logic for redirecting on 401/403 errors. OpenAPI spec parsing uses `js-yaml` and `JSON.parse` which, if fed untrusted external specs, could potentially be a vector for YAML/JSON parsing attacks, though in an admin panel context for internal APIs, the risk is typically lower due to assumed trust. Overall, robust security practices are in place.
Updated: 2026-01-15GitHub
98
1085
Medium Cost
zinja-coder icon

jadx-ai-mcp

by zinja-coder

Sec8

Integrates an LLM with JADX decompiler to analyze Android APKs, uncover vulnerabilities, and assist in reverse engineering through a Model Context Protocol (MCP) server.

Setup Requirements

  • ⚠️Requires Java 11+, Python 3.10+, and JADX 1.5.1+.
  • ⚠️Requires `uv` for dependency management and running the server.
  • ⚠️Requires manual configuration within the LLM client (e.g., Claude Desktop) to register the MCP server with absolute paths.
Verified SafeView Analysis
The server runs as a JADX plugin and binds strictly to localhost (127.0.0.1), significantly limiting network attack surface. It relies on OS-level user isolation for security, with no built-in authentication for the local HTTP API. The DebugRoutes utilize Java reflection to access private GUI components, which can be fragile to JADX internal changes and poses a minor risk if an attacker could manipulate the reflection calls (though contained by local binding). Refactoring routes apply user-intended changes to the decompiled project model. Overall, for its intended local, user-controlled operation, it is reasonably secure.
Updated: 2026-01-08GitHub
98
616
Medium Cost
googleapis icon

gcloud-mcp

by googleapis

Sec7

Enables AI assistants to interact with the Google Cloud environment using the gcloud CLI for natural language cloud management and workflow automation.

Setup Requirements

  • ⚠️Requires Node.js version 20 or higher.
  • ⚠️Requires the gcloud CLI to be installed and authenticated with appropriate permissions.
  • ⚠️Custom configuration file paths must be absolute.
Verified SafeView Analysis
The server's core functionality is to execute `gcloud` CLI commands, which is inherently a high-privilege operation. The project mitigates this risk by enforcing a default denylist of 'unsafe' commands (e.g., interactive sessions, arbitrary inputs) and providing configurable allow/deny lists for users to implement the principle of least privilege. Command execution uses `child_process.spawn` with an array of arguments, which is safer than direct shell injection. No hardcoded secrets were found. The primary remaining risk is sophisticated prompt injection bypassing denylists to execute unintended `gcloud` commands, or misconfiguration by the user.
Updated: 2026-01-13GitHub
PreviousPage 10 of 760Next