Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(9120)

97
511
High Cost
neiltron icon

apple-health-mcp

by neiltron

Sec9

Query and analyze personal Apple Health data using SQL for health insights and automated reports.

Setup Requirements

  • ⚠️Requires Apple Health data exported as CSV files using the 'Simple Health Export CSV' iOS app.
  • ⚠️The `HEALTH_DATA_DIR` environment variable must be set to the path of the unzipped health export directory.
  • ⚠️Requires Node.js (or Bun) installed for `npx` execution.
Verified SafeView Analysis
The server uses an in-memory DuckDB instance and explicitly forbids DML/DDL operations ('drop', 'delete', 'truncate', 'insert', 'update', 'create table', 'alter') in the 'health_query' tool, allowing only SELECT statements. It processes local CSV files from a user-defined directory (`HEALTH_DATA_DIR`). The primary security considerations revolve around ensuring the `HEALTH_DATA_DIR` is trusted (as malicious CSV content could theoretically lead to resource exhaustion) and the robustness of the SQL query validation, which is a keyword-based check. Given it's designed as an internal MCP server for local data, these measures provide a high level of safety against typical external threats.
Updated: 2026-01-16GitHub
97
425
Medium Cost
archestra-ai icon

archestra

by archestra-ai

Sec9

A platform for securely deploying, orchestrating, and managing Model Context Protocol (MCP) servers and their AI-powered tools within an enterprise environment.

Setup Requirements

  • ⚠️Requires Kubernetes for full orchestration of local MCP servers.
  • ⚠️Requires Docker, Node.js 20, or Python 3.12+ for custom MCP server development.
  • ⚠️External LLM API keys (e.g., OpenAI, Anthropic) are required for core chat and AI functionalities.
  • ⚠️HashiCorp Vault setup is necessary for advanced Bring-Your-Own-Secrets (BYOS) management in enterprise deployments.
Verified SafeView Analysis
The Archestra platform demonstrates a strong commitment to security through features like non-root user execution for MCP servers, minimal Alpine Linux base images, robust Role-Based Access Control (RBAC), Single Sign-On (SSO) integration, comprehensive secrets management (including HashiCorp Vault support), and advanced policy enforcement against prompt injections and data exfiltration (e.g., Trusted Data Policies, Dual LLM sub-agents). The codebase also uses a linter rule to prevent `noExplicitAny`, contributing to code quality. While `node -e` is used to execute the base server script, this is a controlled deployment mechanism for a known script and not a vector for arbitrary user code execution.
Updated: 2026-01-19GitHub
96
310
High Cost
microsoft icon
Sec8

Connects AI agents to Power BI semantic models to enable natural language interaction for building, modifying, and managing data models.

Setup Requirements

  • ⚠️Requires GitHub Copilot (which typically implies a paid subscription) and GitHub Copilot Chat extensions.
  • ⚠️Requires Visual Studio Code for the recommended installation path.
  • ⚠️Connecting to a Semantic Model in a Fabric workspace may not work in all tenants due to ongoing client ID rollout for authentication.
Verified SafeView Analysis
The server explicitly states that it uses Azure Identity SDK for secure credential handling and does not store tokens directly. It offers `--readonly` mode and confirmation prompts for operations. However, the README provides strong warnings about the inherent risks when connecting AI agents, including potential for unintended changes, exposure of sensitive information by LLMs, and the need for user backups and adherence to least-privilege RBAC. The actual executable code was not provided for a full audit, so this score is based on documented claims and warnings. Users are responsible for their client LLM's security and compliance.
Updated: 2026-01-12GitHub
96
296
Low Cost
19-84 icon
Sec8

Archiving and providing AI-optimized access to Reddit-like platform data via a PostgreSQL-backed system and a RESTful API.

Setup Requirements

  • ⚠️Requires a PostgreSQL database to store archive data.
  • ⚠️Requires Docker and Docker Compose for full stack deployment (recommended for ease of setup).
  • ⚠️Python 3.10 or newer is required to run the application.
  • ⚠️The 'uv' Python package installer/manager is recommended for local development dependencies.
  • ⚠️External command-line tools like `zstandard` (for .zst files) and `7zip` (for .7z files) may be needed for importing specific archive formats.
Verified SafeView Analysis
The project implements rate limiting, CSRF protection, and parameterized queries for SQL injection prevention within its API. Input validation regex whitelists are used to sanitize user input. Docker containers for core services are configured with read-only filesystems. Wildcard CORS is explicitly enabled for the public archive API. Peripheral 'tools' use 'sudo docker exec psql' which requires elevated Docker privileges but is not part of the continuously running server. The 'POSTGRES_PASSWORD' in `docker-compose.yml` defaults to 'CHANGE_THIS_PASSWORD' and requires user modification for security.
Updated: 2026-01-19GitHub
96
337
Low Cost
bitbonsai icon

mcp-obsidian

by bitbonsai

Sec9

Provides a secure, universal AI bridge for Obsidian vaults, enabling MCP-compatible AI assistants to read, write, and manage notes.

Setup Requirements

  • ⚠️Requires Node.js runtime (v18.0.0 or later).
  • ⚠️Requires an absolute path to your Obsidian vault directory.
  • ⚠️ChatGPT Desktop integration is limited to Enterprise, Education, or Team subscriptions.
Verified SafeView Analysis
The server demonstrates a strong focus on security, crucial for interacting with personal knowledge bases. It explicitly prevents path traversal with `resolvePath` checks, filters access to sensitive directories like `.obsidian`, `.git`, and `node_modules` via `PathFilter`, and whitelists file extensions (`.md`, `.markdown`, `.txt`). Frontmatter input is validated to prevent dangerous YAML structures (functions, symbols) and ensure data integrity. Destructive operations like `delete_note` require explicit confirmation. Communication occurs over stdio, limiting network exposure. The `README` and `SECURITY.md` are thorough in outlining security measures and best practices. No `eval` or unsafe command execution patterns were found. This server is designed for safe operation within its defined scope.
Updated: 2026-01-12GitHub
96
269
High Cost
m1rl0k icon
Sec7

Self-improving code search and context engine for IDEs and AI agents, providing hybrid semantic/lexical search, symbol graph navigation, and persistent memory.

Setup Requirements

  • ⚠️Requires Docker and Docker Compose for local stack deployment.
  • ⚠️Requires Python 3.8+ with `requests`, `urllib3`, `charset_normalizer` installed for client scripts.
  • ⚠️Optional LLM models (e.g., Llama.cpp .gguf, GLM, OpenAI) may require significant computational resources (GPU, RAM) or API keys.
  • ⚠️Kubernetes cluster (1.19+) and `kubectl` are required for Kubernetes deployment.
Review RequiredView Analysis
The system extensively uses `subprocess.run` and `subprocess.Popen` for internal orchestration (e.g., Git commands, Python scripts, Docker operations). This introduces a potential risk of shell injection if user inputs (e.g., file paths, queries) are not rigorously sanitized. While environment variables are used for secrets (e.g., `GITHUB_TOKEN`, `OPENAI_API_KEY`), default passwords like 'contextengine' for Neo4j exist in development configurations. Network communication between services (MCP, Qdrant, Llama.cpp) is managed, but exposed ports require network segmentation in production. The `ctxce` CLI, driven by the VS Code extension, also represents a potential attack surface.
Updated: 2026-01-19GitHub
96
371
Medium Cost
Sec8

A TypeScript SDK for building multi-provider AI agents that chain LLM reasoning with external tools and orchestrate multi-agent workflows.

Setup Requirements

  • ⚠️Requires API keys for LLM providers (e.g., OpenAI, Anthropic, Mistral), which are often paid services.
  • ⚠️Requires external MCP (Multi-Provider Component) servers to be running for tool integration, as demonstrated in the 'Hello World' example (e.g., 'http://localhost:8001/mcp').
  • ⚠️Requires a Node.js/TypeScript development environment.
Verified SafeView Analysis
The SDK relies on environment variables for API keys, which is a good practice. It connects to various external LLM providers and can connect to user-defined MCP server URLs. While the SDK itself doesn't show obvious vulnerabilities like 'eval' or obfuscation, the overall security depends on the secure management of API keys, the trustworthiness of the connected LLM providers, and the security of any custom MCP servers integrated.
Updated: 2025-11-18GitHub
96
525
Medium Cost
vercel icon
Sec6

This MCP server provides Next.js development tools for AI coding agents, including runtime diagnostics, automated upgrades, Cache Components setup, browser testing, and documentation search.

Setup Requirements

  • ⚠️Requires Node.js v20.9+.
  • ⚠️Requires Next.js 16+ for runtime diagnostics via `nextjs_index` and `nextjs_call` tools.
  • ⚠️`browser_eval` tool automatically installs `@playwright/mcp` globally using `npm`, which may conflict with other package managers or global install policies.
  • ⚠️The `upgrade_nextjs_16` tool's codemod requires a clean Git working directory and must be run from individual Next.js app directories in a monorepo, not the monorepo root.
Verified SafeView Analysis
The `browser_eval` tool, specifically its `evaluate` action, allows executing arbitrary JavaScript code within a browser context. While this is an intended feature for browser automation, it poses a significant security risk if the input script (the `script` argument) is not strictly controlled and validated by the calling AI agent or user. An attacker could potentially craft malicious JavaScript to exfiltrate data, perform unwanted actions, or exploit browser vulnerabilities. Additionally, the server uses `execSync` and `spawn` to run shell commands (e.g., `npm install -g @playwright/mcp`, `ss`, `netstat`). While the arguments for package installation are fixed, the `ss` and `netstat` commands construct parts of their arguments from internally derived PIDs. A theoretical risk exists if the PID derivation or the underlying `find-process` library could be manipulated, potentially leading to command injection. However, this is a less direct risk than the `browser_eval`'s `evaluate` action. No hardcoded secrets or direct obfuscation were found. Telemetry collection is opt-out and clearly documented.
Updated: 2026-01-08GitHub
96
342
High Cost
Shashankss1205 icon

CodeGraphContext

by Shashankss1205

Sec9

An AI pair programmer that provides real-time, accurate, context-aware assistance by indexing and analyzing codebases (local projects and dependencies) using a graph database, facilitating code understanding, writing, and refactoring across multiple programming languages.

Setup Requirements

  • ⚠️Requires Python 3.12+ for the default FalkorDB Lite embedded database. Earlier Python versions will necessitate an external Neo4j setup.
  • ⚠️An external Neo4j database is required if FalkorDB Lite is not used or explicitly configured via environment variables (NEO4J_URI, NEO4J_USERNAME, NEO4J_PASSWORD).
  • ⚠️Language-specific executables (e.g., 'npm', 'go', 'gem', 'pkg-config') must be available in the system PATH for accurate dependency resolution for respective languages.
  • ⚠️Installing 'falkordblite' is recommended for a zero-config embedded database experience.
Verified SafeView Analysis
The server's primary communication method is via stdin/stdout, which limits direct network exposure. It includes robust checks to prevent arbitrary write operations when executing Cypher queries, by filtering forbidden keywords after stripping string literals. While `subprocess.run` is used for language-specific package discovery (e.g., `npm`, `go list`), these calls are generally well-defined with `shell=False`, reducing the risk of command injection.
Updated: 2026-01-16GitHub
96
342
Medium Cost
CodeGraphContext icon

CodeGraphContext

by CodeGraphContext

Sec8

This MCP Server acts as an expert AI pair programmer's backend, providing real-time, accurate code analysis, indexing, and relationship information from a local codebase to assist with understanding, writing, and refactoring code.

Setup Requirements

  • ⚠️Requires Neo4j database (configured via NEO4J_URI, NEO4J_USERNAME, NEO4J_PASSWORD env vars) or Python 3.12+ for embedded FalkorDB Lite.
  • ⚠️Relies on Tree-sitter parsers for various languages; initial setup may involve compiling or downloading these.
  • ⚠️Dependency indexing for some languages (e.g., Go, Ruby, JavaScript/TypeScript, C/C++) requires their respective CLI tools (`go`, `gem`, `npm`, `pkg-config`) to be installed and accessible in the environment.
Verified SafeView Analysis
The server includes robust input validation and keyword filtering for Cypher queries to prevent arbitrary database modifications. It utilizes `subprocess.run` for package path discovery (`npm`, `gem`, `go`, `pkg-config`), which, while standard for this functionality, always carries an inherent risk if inputs were to be maliciously crafted (though package names are generally controlled). No hardcoded secrets or obvious malicious patterns were found; database credentials are expected via environment variables.
Updated: 2026-01-16GitHub
95
258
Low Cost
elusznik icon
Sec8

This server enables LLM agents to execute Python code in a highly secure, isolated container environment, facilitating complex multi-tool orchestration and data analysis with minimal LLM context token usage.

Setup Requirements

  • ⚠️Requires Podman or Docker (rootless configuration is the default and recommended).
  • ⚠️Requires Python 3.11+ (Python 3.14-slim is the default container image).
  • ⚠️Requires `uv` or `pip` for dependency management (`uv` recommended for installation).
  • ⚠️Pydantic >= 2.12.0 is needed for Python 3.14+ to avoid `TypeError: _eval_type() got an unexpected keyword argument 'prefer_fwd_module'`.
Verified SafeView Analysis
The server executes user-provided Python code using `eval(compile(code, ...), ...)` within a highly restricted, rootless container sandbox. This sandbox enforces strict isolation: no network, read-only rootfs, all capabilities dropped, no new privileges, unprivileged user (65534:65534), and resource limits (memory, PIDs, CPU, timeout). All MCP traffic is mediated by the host, providing an audit trail and preventing direct access to the host or external networks. While `eval` is used, it is the core function of the isolated sandbox, not a direct vulnerability in this hardened setup. The project's history explicitly details lessons from failed insecure prototypes, indicating a strong architectural commitment to security.
Updated: 2025-12-05GitHub
95
223
Medium Cost
AIDotNet icon

Windows-MCP.Net

by AIDotNet

Sec3

Enabling AI assistants to automate tasks and interact with the Windows desktop environment.

Setup Requirements

  • ⚠️Requires Windows Operating System
  • ⚠️Requires .NET 10.0 Runtime or higher
  • ⚠️Requires appropriate Windows administrative permissions to perform desktop automation operations
Review RequiredView Analysis
The server grants broad access to Windows desktop operations, including PowerShell execution, file system manipulation, and UI control. While intended for AI automation, this poses significant security risks if the AI agent or server itself is compromised or misused, potentially leading to data loss, system compromise, or unauthorized actions. There is no visible sandboxing or fine-grained permission control for AI actions described, and the tool requires appropriate Windows permissions (potentially administrative) to function, making it a high-risk component if its inputs are not strictly controlled.
Updated: 2025-11-27GitHub
PreviousPage 13 of 760Next