Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(9120)

35
1
Low Cost
jesselumarie icon

mcp-icon-test-server

by jesselumarie

Sec7

This server is designed to test icon support for various Model Context Protocol (MCP) entities (server, tools, resources, prompts) within the MCP Inspector.

Setup Requirements

  • ⚠️Requires Node.js version 18 or higher.
  • ⚠️Requires `npm install` and `npm run build` to be executed before running the server.
Verified SafeView Analysis
The server uses `cors` with `origin: '*'`, which means it accepts requests from any domain. While acceptable for a test server, in a production environment, this would be a significant security risk allowing Cross-Origin Resource Sharing from any source. No obvious hardcoded secrets or malicious patterns like 'eval' were found. Session IDs are generated using `randomUUID()`, providing reasonable isolation for a test setup.
Updated: 2025-11-25GitHub
35
1
Low Cost
dseditor icon

Comfy-MCP

by dseditor

Sec7

Automates text-to-image generation using ComfyUI workflows, enabling seamless integration with MCP-compatible AI agents like Claude and Gemini.

Setup Requirements

  • ⚠️Requires an existing ComfyUI installation with Python embedded environment.
  • ⚠️Needs a pre-configured Text-to-Image (T2I) workflow JSON file for ComfyUI (e.g., `image_z_image_turbo.json`) with specified prompt and output node IDs.
  • ⚠️Auto-update features for Claude Code, Claude Desktop, or Gemini CLI require these respective clients to be pre-installed on the system.
Verified SafeView Analysis
The server uses `subprocess.run` to install Python packages and to interact with external AI CLI tools (e.g., `claude mcp add-json`). It also directly modifies configuration files for other AI applications (Claude Desktop, Gemini CLI) in user directories. While these actions are intended for integration and setup, they involve broad system interaction and modifying external application settings, which could be a concern if the source is not fully trusted or its implications are not understood. The `shell=True` for Claude CLI commands on Windows adds a minor, but controlled, risk.
Updated: 2025-12-14GitHub
35
1
Low Cost
Sec8

Provides contextual guidelines and templates to the Codex AI assistant to ensure adherence to project conventions, reduce hallucinations, and enforce architectural patterns for Flutter development.

Setup Requirements

  • ⚠️Requires Node.js and npm to install dependencies.
  • ⚠️Manual replacement of `$PATH_TO_REPO` in `~/.codex/config.toml` is required for local setup.
  • ⚠️If using `npx` from GitHub Packages, `npm auth` with a `GITHUB_TOKEN` (read:packages permission) is required to access private packages.
Verified SafeView Analysis
The server's entry point (`flutter-codex-guard.mjs`) is not provided, limiting a full security audit. However, the existing code and README suggest it serves static markdown files and built-in templates. The core `@modelcontextprotocol/sdk` dependency handles the server aspects. There are no obvious signs of 'eval', malicious network patterns, or hardcoded secrets in the visible code. The configuration explicitly uses 'node' or 'npx' commands, which are standard for running Node.js applications. A potential risk could exist if the '.mjs' file processes arbitrary user input without sanitization or exposes unintended file system access, but this cannot be verified from the truncated source.
Updated: 2025-11-25GitHub
35
7
High Cost
NullNet-ai icon

wallguard

by NullNet-ai

Sec2

WallGuard is a centralized management system designed to monitor system state, network activity, and provide secure remote access for agents deployed on firewalls and other network-facing devices.

Setup Requirements

  • ⚠️Requires a separate 'datastore' service (https://github.com/NullNet-ai/datastore) to be installed and running.
  • ⚠️Requires Rust (latest stable edition) and specific development packages (libpcap-dev, protobuf-compiler, libprotobuf-dev) to build.
  • ⚠️The agent component of WallGuard must be run with root/Administrator privileges.
Review RequiredView Analysis
CRITICAL VULNERABILITY: The `execute_cli_command` function in `control_channel/commands/execute_cli_command.rs` directly executes commands and arguments received from connected agents. Since the WallGuard agent runs with root/Administrator privileges, a compromised agent or malicious client could achieve arbitrary command execution, leading to full system compromise. CRITICAL VULNERABILITY: The `AcceptAllVerifier` in `http_proxy/proxy/request.rs` disables TLS certificate validation for the HTTP proxy, making it vulnerable to Man-in-the-Middle (MITM) attacks for UI remote access. The `@TODO` comment acknowledges this, but it remains an active risk. SECURITY RISK: The `generate_keypair` function in `utilities/ssh.rs` creates temporary files for SSH private keys in `/tmp`. While it attempts to delete them, there is a window of opportunity for local attackers to access these keys. PRIVACY RISK: The `TODO.md` mentions capturing and sending clipboard data during Remote Desktop sessions. Without explicit user consent and robust safeguards, this poses a significant privacy risk.
Updated: 2026-01-16GitHub
35
4
Low Cost
crypto-ninja icon

github-mcp-server

by crypto-ninja

Sec9

Comprehensive GitHub workflow automation for AI-powered development teams, including actions monitoring, PR management, intelligent code search, and complete file management.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️Requires Deno to be installed and accessible on the system's PATH for code execution features.
  • ⚠️Some notification-related tools (e.g., `github_list_notifications`) explicitly require a GitHub User Access Token (UAT), and will not work with GitHub App installation tokens.
  • ⚠️The `github_create_release` tool may fall back to requiring a Personal Access Token (PAT) if a GitHub App token does not have sufficient permissions for release creation and Git tag operations.
Verified SafeView Analysis
The server implements robust security measures, especially for its Deno-based code execution sandbox. It explicitly blocks dangerous APIs (e.g., `eval`, `Deno.run`, file write operations), prevents prototype pollution, and restricts dynamic global object access. Local file operations enforce workspace root constraints and prevent path traversal. Authentication is handled via environment variables (GITHUB_TOKEN) or GitHub App configuration, and specific write operations like `github_str_replace` and `github_delete_file` require unique matches and SHAs respectively for safety. No obvious hardcoded secrets were found.
Updated: 2026-01-09GitHub
35
5
Medium Cost
tomschell icon

personal-kg-mcp

by tomschell

Sec8

A personal knowledge graph system for developers to automatically capture decisions, progress, insights, and questions within multi-agent workflows, preserving context and reasoning.

Setup Requirements

  • ⚠️Requires OpenAI API Key (Paid) if high-quality semantic embeddings are desired; otherwise, it falls back to local bag-of-words.
  • ⚠️Requires a GitHub Personal Access Token for GitHub integration features.
  • ⚠️Requires Git and GitHub CLI tools to be installed and authenticated for GitHub integration features.
  • ⚠️Requires restarting the MCP client (e.g., Cursor, Claude Desktop) after configuration changes for tools to become available.
Verified SafeView Analysis
The server uses `execSync` for Git and GitHub CLI commands, which, while justified and validated with internal arguments, presents an elevated risk compared to in-process logic. Reliance on external CLI tools and API keys for GitHub/OpenAI means their security is a dependency. File I/O operations are confined to a configured base directory, and `zod` is extensively used for input validation, mitigating common file system and input-related vulnerabilities. No direct `eval` of user input or hardcoded secrets were found; sensitive data like API keys are loaded from environment variables.
Updated: 2026-01-19GitHub
35
2
Medium Cost
Cosmostima icon

MUSTer_MCP

by Cosmostima

Sec8

Automate interactions with M.U.S.T. (Macau University of Science and Technology) campus systems like Moodle and Wemust for tasks such as retrieving class schedules, listing courses, checking assignments and deadlines, downloading course materials, and opening authenticated web pages.

Setup Requirements

  • ⚠️Requires Python 3.12+.
  • ⚠️Requires a locally available Chrome browser and its corresponding Chromedriver for Selenium to function.
  • ⚠️Requires `MUSTER_USERNAME` and `MUSTER_PASSWORD` to be set as environment variables.
Verified SafeView Analysis
No 'eval' or code obfuscation found. Credentials (`MUSTER_USERNAME`, `MUSTER_PASSWORD`) are properly handled via environment variables. The `open_URL_with_authorization` tool opens a headed browser window, which inherently exposes the user to content from the provided URL. The `download_resource` tool downloads files to the local filesystem. These are inherent features of the tool's functionality and carry typical web interaction and file download risks.
Updated: 2025-12-13GitHub
35
6
Medium Cost
openshift-assisted icon

assisted-service-mcp

by openshift-assisted

Sec9

Serves as an MCP (Model Context Protocol) intermediary, providing tools to interact with and manage OpenShift clusters via the Red Hat Assisted Installer API.

Setup Requirements

  • ⚠️Requires Python 3.13 or later.
  • ⚠️Requires 'uv' for dependency management and execution.
  • ⚠️Requires a Red Hat OpenShift Cluster Manager (OCM) offline token for authentication, which must be obtained from cloud.redhat.com/openshift/token and provided via environment variable or request header.
Verified SafeView Analysis
The server explicitly implements a `SensitiveFormatter` to redact sensitive information (pull secrets, SSH keys, vSphere credentials) from logs, which is a strong security practice. API endpoints are configurable via environment variables, and authentication relies on external OCM offline tokens. No 'eval' or other obviously malicious patterns were found. The primary risk involves proper handling and provisioning of the OCM offline token outside the server's control.
Updated: 2026-01-17GitHub
35
5
Medium Cost
bobmatnyc icon

mcp-ticketer

by bobmatnyc

Sec7

MCP Ticketer is a universal ticket management interface for AI agents, enabling them to perform CRUD operations, manage hierarchy, conduct analysis, and integrate with various project management platforms (Linear, GitHub, Jira, Asana, AITrackdown). It aims to streamline workflows and maintain project health for AI-driven development.

Setup Requirements

  • ⚠️Requires environment variables (e.g., LINEAR_API_KEY, GITHUB_TOKEN, JIRA_ACCESS_TOKEN, JIRA_ACCESS_USER) for specific adapter configurations.
  • ⚠️Full analysis features (e.g., `ticket_analyze` actions) require additional dependencies: `scikit-learn`, `rapidfuzz`, `numpy` (`pip install mcp-ticketer[analysis]`).
  • ⚠️Requires Python 3.11+ due to use of `tomllib`.
  • ⚠️Some comprehensive operations, like `ticket_analyze(action='cleanup_report', summary_only=False)`, can generate very large responses (40,000+ tokens) which may exceed model context limits, despite internal token estimation and warnings.
Verified SafeView Analysis
The system is generally robust, employing Pydantic for input validation, environment variables for sensitive credentials (which are also masked in logs), and parameterized SQL queries to prevent injection. However, specific operations warrant caution: - **Path Traversal**: The `ticket_hierarchy` and `attachment` tools accept `file_path` or `project_path` arguments directly. If an AI agent's input for these paths is unsanitized and controlled by a malicious actor, it could lead to arbitrary local file access, reading, or overwriting on the host system where the MCP server is running (e.g., via `file_path='/etc/passwd'`). Similarly, `os.chdir(project_path)` in the server's main entry point, if `project_path` is untrusted, could set the working directory to a malicious location. - **Information Disclosure**: While credentials are handled via environment variables and configuration files (like `.env.local`), and masked in logs, a user misconfiguring by committing `.env.local` to a public repository would expose secrets.
Updated: 2026-01-17GitHub
35
5
Medium Cost

Enables LLMs to interact with GitHub for automated Pull Request analysis, issue management, and release tracking, along with public IP information retrieval.

Setup Requirements

  • ⚠️Requires Python 3.12+.
  • ⚠️Requires a GitHub Personal Access Token with `repo` scope.
  • ⚠️Requires `uv` (or `uvx`) for execution.
Verified SafeView Analysis
The server retrieves the GitHub Personal Access Token from environment variables, which is a good practice. It uses the `requests` library with defined timeouts, and error handling logs exceptions. No dangerous functions like `eval` or obfuscation are present. The primary security consideration is the broad `repo` scope required for the GitHub token, granting extensive repository access. Users must understand these permissions. Exposing the server via HTTP (`MCP_ENABLE_REMOTE=true`) to public networks without additional security layers (e.g., HTTPS, firewall rules, API key for the MCP server) would be a significant risk, which is a deployment concern rather than a code vulnerability.
Updated: 2026-01-19GitHub
35
1
Medium Cost
Sec7

An MCP server for Frida that leverages the native Frida CLI to provide full Java/ObjC API access for mobile application security analysis and reverse engineering, bypassing limitations of Frida's Python/Node.js bindings.

Setup Requirements

  • ⚠️Requires Python 3.10+
  • ⚠️Requires Frida CLI tools installed (`pip install frida-tools`)
  • ⚠️Requires `frida-server` running on the target device
Verified SafeView Analysis
The core functionality of this server involves executing arbitrary JavaScript code and commands on a target device via `subprocess` calls to the Frida CLI. Inputs like `target` (process name/PID) and `script` are passed directly to `frida` CLI arguments (`-n`, `-p`, `-e`). While this is the intended purpose of the tool for security analysis and reverse engineering, it represents a significant security risk if the MCP server itself is exposed to untrusted input. An attacker gaining control of the input parameters could execute arbitrary code on the target device. However, given that MCP servers are typically deployed in trusted, local environments by security experts, this is considered a feature rather than a flaw in its intended use. There are no obvious hardcoded credentials or malicious patterns in the Python code itself, beyond its powerful capabilities.
Updated: 2025-11-26GitHub
35
5
Medium Cost
Sec9

This server provides type-safe, performant access to legal data from CourtListener for advanced legal research and case analysis applications.

Setup Requirements

  • ⚠️CourtListener API Access: This server acts as a proxy for the CourtListener API. Access to the underlying CourtListener API (which provides the legal data) requires specific credentials or an API key, configured via environment variables.
  • ⚠️LLM Integration Required for Smart Search: The 'smart_search' tool, an advanced feature, leverages an external Large Language Model (LLM) that must be provided by the connecting MCP client. Without client-side LLM integration, this tool cannot function.
  • ⚠️Extensive Environment Variable Configuration: The server's advanced features (e.g., authentication, rate limiting, audit logging, circuit breakers) are highly configurable via a wide array of environment variables, requiring careful setup for full functionality.
Verified SafeView Analysis
The server implements comprehensive security features including input sanitization (protecting against XSS, SQL injection, code execution), API key and OIDC authentication, per-client rate limiting, and detailed audit logging. Sensitive fields are redacted in logs. The codebase is well-structured TypeScript with no visible obfuscation. Default CORS is set to '*', but the configuration schema indicates this is configurable for production hardening. Test files explicitly include checks for various injection attacks.
Updated: 2026-01-14GitHub
PreviousPage 142 of 760Next