Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(7632)

99
875
Medium Cost

mcp-framework

by QuantGeekDev

Sec8

This repository provides a framework for integrating and managing OAuth authentication within a server application, potentially involving HTTP streaming.

Setup Requirements

  • ⚠️Requires Node.js and npm/yarn for development and execution.
  • ⚠️External API keys for services like Claude AI (if enabled via .env.claude-ai) and AWS Cognito (if enabled via .env.example.cognito) may be required.
  • ⚠️Extensive configuration and understanding of OAuth flows and security best practices will be necessary for proper setup and deployment.
Review RequiredView Analysis
The project extensively documents OAuth implementation and includes a 'SECURITY_AUDIT.md', suggesting a strong focus on security. However, without direct code access, deeper analysis for 'eval', obfuscation, or specific network vulnerabilities is not possible. OAuth frameworks are inherently security-critical and require careful implementation.
Updated: 2025-11-18GitHub
99
997
Medium Cost
korotovsky icon

slack-mcp-server

by korotovsky

Sec4

Provides a Model Context Protocol (MCP) interface for AI models to interact with Slack workspaces, enabling features like message fetching, channel management, and user information retrieval.

Setup Requirements

  • ⚠️Requires a Slack authentication token (`SLACK_MCP_XOXP_TOKEN`, `SLACK_MCP_XOXB_TOKEN`, or both `SLACK_MCP_XOXC_TOKEN` and `SLACK_MCP_XOXD_TOKEN`) for Slack API access.
  • ⚠️When using 'sse' or 'http' transports, `SLACK_MCP_API_KEY` must be set for external authentication; otherwise, the server will be unauthenticated and publicly accessible if exposed.
  • ⚠️The `conversations_add_message` tool is disabled by default for safety and must be explicitly enabled via the `SLACK_MCP_ADD_MESSAGE_TOOL` environment variable.
  • ⚠️Using a `SLACK_MCP_XOXB_TOKEN` (Bot token) limits functionality, specifically disabling the `conversations_search_messages` tool and requiring the bot to be invited to channels for access.
Review RequiredView Analysis
1. **Authentication Criticality**: For SSE and HTTP transports, if the `SLACK_MCP_API_KEY` environment variable is not set, the server operates without *any* authentication, making it publicly accessible if exposed. This is a critical vulnerability. 2. **Insecure TLS**: The `SLACK_MCP_SERVER_CA_INSECURE` environment variable, if set to `true`, disables TLS certificate verification, making the server vulnerable to Man-in-the-Middle (MitM) attacks. It is explicitly marked as 'NOT RECOMMENDED'. 3. **Message Posting Disabled by Default**: The `conversations_add_message` tool is disabled by default, which is a good security practice to prevent accidental or malicious posting. It must be explicitly enabled via `SLACK_MCP_ADD_MESSAGE_TOOL`. 4. **TLS Fingerprinting (`uTLS`)**: The `SLACK_MCP_CUSTOM_TLS` option uses `uTLS` to mimic browser TLS fingerprints. While not inherently malicious, this capability could be used to evade network security monitoring in enterprise environments.
Updated: 2025-12-09GitHub
99
880
Medium Cost
robotmcp icon

ros-mcp-server

by robotmcp

Sec7

Connects large language models (LLMs) with ROS/ROS2 robots, enabling natural language control and real-time observation and command execution.

Setup Requirements

  • ⚠️Requires ROS or ROS2 (or access to a ROS-enabled robot) to be installed and running.
  • ⚠️Requires `rosbridge_server` ROS package to be installed and launched on the target robot for WebSocket communication.
  • ⚠️Requires Python 3.10+ and `uv` (or pip 23.0+) for dependency management.
  • ⚠️Manual configuration of LLM client settings (e.g., `settings.json` for Gemini CLI, `claude_desktop_config.json` for Claude Desktop) is necessary, often requiring absolute paths or specific `wsl` commands for Windows environments.
Verified SafeView Analysis
The server uses `subprocess.run` in `ping_ip_and_port` (`utils/network_utils.py`) to execute system `ping` commands. While basic stripping is applied to the IP, if a malicious or unconstrained LLM were to provide crafted input, it could potentially lead to command injection. Additionally, allowing an LLM to specify arbitrary IP addresses and ports for `connect_to_robot` could expose internal network resources if the LLM is compromised or misbehaves. No other obvious critical vulnerabilities like `eval`, `exec`, or hardcoded secrets were found. The use of `websocket-client`, `numpy`, and `opencv-python` for network and image processing is standard, but the handling of large/malformed image data could potentially lead to resource exhaustion.
Updated: 2025-12-14GitHub
99
918
Medium Cost

mcp-server-mysql

by benborla

Sec6

A backend server application for a Modular Control Platform (MCP) or Microservice Control Plane, likely built with Node.js/TypeScript and integrating with MySQL, potentially featuring AI/LLM evaluation capabilities.

Setup Requirements

  • ⚠️Requires a running MySQL database instance.
  • ⚠️Requires Node.js and pnpm for local development.
  • ⚠️Potentially requires an LLM API key (e.g., Claude) if LLM integration is active.
Review RequiredView Analysis
The presence of 'evals.ts' indicates potential dynamic code execution, which poses a significant security risk if not rigorously sandboxed and input-validated. As a server application, it also faces inherent network exposure and requires secure handling of database credentials.
Updated: 2025-11-18GitHub
99
1023
Medium Cost
joey-zhou icon
Sec3

Provides powerful backend support and an intuitive management interface for smart hardware devices (ESP32), incorporating conversational AI, IoT control, and an administrative platform.

Setup Requirements

  • ⚠️Requires API keys for various third-party AI services (LLM, STT, TTS providers) which are typically paid.
  • ⚠️Requires a MySQL database and Redis for caching and session management.
  • ⚠️The Vosk STT model needs to be downloaded and placed in the 'models/vosk-model' directory manually.
  • ⚠️Requires Java Development Kit (JDK) 21+ due to the use of Virtual Threads.
Review RequiredView Analysis
The WebSocket handler (`WebSocketHandler.java`) has a commented-out token validation check, meaning devices can connect without authentication. This is a critical vulnerability, allowing any device to spoof an ID and interact with the server. Additionally, `setAllowedOrigins("*")` is used for WebSocket, which is overly permissive for a production environment. Device IDs (`device-id`) are obtained from headers or URI parameters; if not properly validated, this could lead to unauthorized device state manipulation. Secrets (API keys, credentials) are stored in `SysConfig` and injected via `@Value` from configuration files/environment variables, which is good practice, but their handling in the database and security in transit remain critical. Potential for directory traversal exists if `deviceId` or `roleId` are unsanitized in file path construction, though common values like MAC addresses mitigate this to some extent. Overall, the lack of robust authentication for core communication channels poses significant security risks.
Updated: 2025-12-13GitHub
99
850
Medium Cost
mongodb-js icon

mongodb-mcp-server

by mongodb-js

Sec8

Enabling AI assistants to interact with MongoDB Atlas and local deployments through natural language, providing data context and management capabilities.

Setup Requirements

  • ⚠️Docker Desktop must be running for Atlas Local tools to function (e.g., creating/connecting to local deployments).
  • ⚠️MongoDB Atlas API credentials (Client ID and Secret) are required for Atlas management tools (e.g., creating clusters, managing users, inspecting resources).
  • ⚠️A VoyageAI API Key is required for vector search operations that involve text-to-embedding conversion.
  • ⚠️Node.js v20 or later is required to run the server.
Verified SafeView Analysis
The server exposes powerful database and Atlas management tools (create, update, delete operations, IP access list modifications). These operations are protected by a user confirmation mechanism and can be selectively disabled via configuration (`readOnly`, `disabledTools`). Sensitive data is redacted in logs. Untrusted data in tool responses is wrapped with clear warnings to prevent LLMs from executing embedded instructions. HTTP transport explicitly logs warnings when binding to public network interfaces and includes basic header validation. It employs secure password generation for temporary Atlas database users. The use of the Model Context Protocol (MCP) means external AI models will interact with these tools, so careful configuration of access controls and enabled tools is crucial.
Updated: 2025-12-11GitHub
99
1063
High Cost

elevenlabs-mcp

by elevenlabs

Sec8

An official ElevenLabs Model Context Protocol (MCP) server that enables AI clients (e.g., Claude Desktop, Cursor) to interact with ElevenLabs Text-to-Speech, voice cloning, transcription, and audio processing APIs.

Setup Requirements

  • ⚠️Requires an ElevenLabs API Key (paid service after free tier credits are consumed).
  • ⚠️Requires `uv` Python package manager to be installed and accessible via `uvx` (or its absolute path).
  • ⚠️Windows users must enable 'Developer Mode' in Claude Desktop to use the MCP server.
Verified SafeView Analysis
The server uses environment variables for API keys, which is a standard secure practice. It handles file outputs configurable via `ELEVENLABS_MCP_BASE_PATH` (defaulting to `~/Desktop`), which could involve local disk writes but is for expected outputs and not arbitrary code execution. No obvious 'eval' or obfuscation risks are present. It primarily acts as an API wrapper.
Updated: 2025-11-17GitHub
99
826
High Cost
splx-ai icon

agentic-radar

by splx-ai

Sec3

A legal support chatbot capable of web search, employee database queries, JIRA interaction, and generating/retrieving supplier liability documents for companies.

Setup Requirements

  • ⚠️Requires Python 3.11.
  • ⚠️Potential Rust dependency issues during `pip install`, requiring manual Rust installation.
  • ⚠️Requires numerous API keys for paid services (OpenAI, Pinecone, Azure, Jira, AWS, Tavily) to be set in an `.env` file.
  • ⚠️Local non-Docker deployment requires running both `uvicorn` and `streamlit` in separate terminals.
  • ⚠️Some functionalities require `npx` (Node.js package manager) or `uvx` (Rust/Python package runner) to be installed system-wide.
Review RequiredView Analysis
CRITICAL VULNERABILITIES DETECTED: - Arbitrary Code Execution (ACE) via `eval()`: The `calculate` tool in `examples/openai-agents/mcp/multiple_servers_in_async_with/multiple_servers_in_async_with.py` directly uses `eval(expression)`, which is a severe vulnerability. If user input can reach this function, an attacker can execute arbitrary code on the host system. - Unrestricted External Command Execution: Examples utilize `MCPServerStdio` with `npx` or `uvx` to run external MCP servers (e.g., `@modelcontextprotocol/server-filesystem`, `mcp-server-git`). This introduces significant risks, as it allows the execution of unverified or potentially malicious external packages, especially if arguments can be manipulated by an attacker. - Potential Server-Side Request Forgery (SSRF): In `examples/openai-agents/mcp/sse_example/server.py`, `requests.get(f"{endpoint}/{city}")` is used, where `city` is derived from LLM input. While `wttr.in` is benign, this pattern could be exploited for SSRF if the target URL or input is manipulated to access internal network resources. - JSON Parsing Risks: `json.loads` is used in several places (e.g., `examples/langgraph/Gladiator2/nodes/researcher.py`, `examples/langgraph/Gladiator2/Tools/create_tools.py`). Although safer than `eval`, improper error handling for malformed JSON from untrusted sources could lead to denial of service. - Data Handling: The system processes sensitive employee data and supplier liability contracts. While `PIIProtectionStep` is noted for prompt hardening, comprehensive, system-level access control and sanitization are essential to prevent sensitive information disclosure across all data interactions.
Updated: 2025-11-27GitHub
99
998
High Cost
taylorwilsdon icon

google_workspace_mcp

by taylorwilsdon

Sec9

Provides natural language control over Google Workspace services (Gmail, Calendar, Drive, Docs, Sheets, Slides, Forms, Tasks, Chat, Custom Search) through MCP clients and AI assistants.

Setup Requirements

  • ⚠️Requires a Google Cloud Project with OAuth 2.0 credentials (Desktop Application type recommended) and specific Google Workspace APIs enabled.
  • ⚠️Custom Search tools require additional `GOOGLE_PSE_API_KEY` and `GOOGLE_PSE_ENGINE_ID` environment variables.
  • ⚠️For local HTTP development, `OAUTHLIB_INSECURE_TRANSPORT=1` must be set, which is insecure for production.
  • ⚠️Single-user mode is incompatible with stateless mode, requiring careful configuration for multi-user or containerized deployments.
Verified SafeView Analysis
The server utilizes Google OAuth 2.0/2.1 with standard libraries (google-auth-oauthlib) and FastMCP's GoogleProvider for robust authentication. Credentials are sourced from environment variables, .env files, or client_secret.json, with clear documentation and a SECURITY.md warning against committing secrets to source control. The AuthInfoMiddleware is implemented to verify bearer tokens, enhancing security for multi-user environments. For Kubernetes deployments, the Helm chart enforces good security practices like running as a non-root user (UID 1000) and dropping Linux capabilities. Stateless mode is available for containerized environments to prevent disk writes of credentials. While `OAUTHLIB_INSECURE_TRANSPORT` is noted for development, which is a known risk, the overall design prioritizes secure handling of Google API interactions. Single-user mode may load any available credentials, which is convenient but less secure in shared environments.
Updated: 2025-12-14GitHub
99
844
Medium Cost
arabold icon

docs-mcp-server

by arabold

Sec9

Indexes documentation from various sources (web, local files, package registries) to make it semantically searchable via the Model Context Protocol (MCP) for AI coding assistants.

Setup Requirements

  • ⚠️Requires Playwright browsers to be installed locally (Chromium, via `npx playwright install` or similar).
  • ⚠️Requires API keys for external embedding services (e.g., OPENAI_API_KEY for OpenAI, GOOGLE_API_KEY/GOOGLE_PROJECT_ID for Google, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY/BEDROCK_AWS_REGION for AWS Bedrock) which may incur costs.
Verified SafeView Analysis
The server employs several security practices: it leverages a sandboxed Node.js `vm` environment (JSDOM) to execute JavaScript from scraped pages (`HtmlJsExecutorMiddleware`), mitigating risks associated with untrusted code. External API keys for embedding services (OpenAI, Google, AWS) and authentication configurations are managed via environment variables (`process.env`), preventing hardcoded secrets. Playwright middleware includes resource type filtering and request caching, reducing exposure to non-essential external content. No `eval` or blatant malicious patterns were found. Given its scraping nature, the sandboxing and careful external resource handling contribute to a high security posture.
Updated: 2025-12-14GitHub
99
923
High Cost
jae-jae icon

fetcher-mcp

by jae-jae

Sec9

Fetch web page content using a Playwright headless browser, capable of handling dynamic JavaScript, intelligent content extraction, and parallel URL processing.

Setup Requirements

  • ⚠️Requires Playwright Chromium browser binary installation (`npx playwright install chromium`) when not using Docker, or if not pre-installed by the Docker image.
  • ⚠️Requires Node.js and npm for local execution.
  • ⚠️Playwright requires specific system dependencies for browsers on some operating systems (e.g., Linux), which can be installed using the `browser_install` tool with the `withDeps` parameter.
Verified SafeView Analysis
The server implements strong URL protocol validation (`http:` and `https:` only) to prevent Server-Side Request Forgery (SSRF) attacks. Execution of `playwright install` is via `child_process.spawn` with controlled arguments, mitigating command injection risks. The core functionality involves browsing arbitrary external URLs, which inherently carries a risk of encountering malicious web content (e.g., browser exploits), but Playwright operates in a sandboxed environment to mitigate this.
Updated: 2025-11-24GitHub
99
991
High Cost
tavily-ai icon

tavily-mcp

by tavily-ai

Sec9

Provides an MCP server wrapper for the Tavily API, enabling real-time web search, data extraction, website crawling, and site mapping functionalities for AI models.

Setup Requirements

  • ⚠️Requires a Tavily API Key (can be obtained from tavily.com, typically a paid service after a free tier).
  • ⚠️Requires Node.js v20 or higher to run locally.
Verified SafeView Analysis
The server correctly loads the Tavily API key from an environment variable, preventing hardcoding. It uses `axios` for external API calls, a standard and secure HTTP client. No direct usage of `eval` or dangerous `child_process` methods was found. The primary security considerations would revolve around the security of the Tavily API itself and the nature of the URLs provided by the user to the extract/crawl/map tools, which is outside the direct control of this server's codebase.
Updated: 2025-12-12GitHub
PreviousPage 10 of 636Next