Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(9120)

34
4
Medium Cost

An AI-powered platform for Bible study and translation assistance, leveraging a multi-agent system to aggregate and query diverse translation resources via a Model Context Protocol (MCP) server.

Setup Requirements

  • ⚠️Requires Cloudflare Workers AI, KV Namespace, and R2 Bucket bindings to be configured in the Cloudflare environment.
  • ⚠️Requires a Cloudflare AI Search index (`translation-helps-search`) to be provisioned and populated, typically by a dedicated Indexer Worker.
  • ⚠️Designed for deployment on Cloudflare Pages/Workers; local setup for full production-like functionality, including AI and storage bindings, is complex.
Verified SafeView Analysis
The codebase demonstrates strong security practices including extensive input validation (Zod, `parseParams`), environment variable usage for secrets, circuit breakers and timeouts for external API calls, and consistent error handling. Cross-Origin Resource Sharing (CORS) is broadly enabled (`Access-Control-Allow-Origin: '*'`), which is a design choice suitable for public APIs but requires careful consideration in restricted contexts. No 'eval' or obvious obfuscation detected.
Updated: 2025-12-13GitHub
34
4
Medium Cost
aj-geddes icon

sailor

by aj-geddes

Sec8

AI-powered generation, validation, rendering, and manipulation of Mermaid diagrams for documentation, design, and analysis tasks.

Setup Requirements

  • ⚠️Requires Docker Desktop for local setup and Claude Desktop integration (for building and running Docker images).
  • ⚠️Requires an OpenAI or Anthropic API key for AI-powered diagram generation features (these are paid services).
  • ⚠️Manual configuration of `claude_desktop_config.json` is necessary for Claude Desktop integration.
  • ⚠️The `SECRET_KEY` environment variable for Flask must be set to a secure, random value in production; the server will raise an error if the default is used.
Verified SafeView Analysis
The project demonstrates strong security awareness: explicit SECRET_KEY validation for production, dynamic CORS configuration, `flask_limiter` for API rate limiting, `flask_talisman` for security headers, input sanitization of Mermaid code, and filtering of sensitive data (API keys) in Sentry logs. Docker containers run as non-root users with resource limits and read-only mounts. The use of Playwright's `--no-sandbox` flag is noted but is a common practice for headless browsers in well-isolated containerized environments.
Updated: 2025-12-07GitHub
34
3
Low Cost
portel-dev icon

photons

by portel-dev

Sec9

A comprehensive demonstration MCP server showcasing various functionalities of the Photon runtime, including basic data handling, streaming responses, progress reporting, in-memory state management, and interactive UI elements. It serves as a reference for developers building new photons.

Setup Requirements

  • ⚠️Requires Photon CLI to be installed globally (npm install -g @portel/photon) to run by name, or locally to run by file path.
Verified SafeView Analysis
The kitchen-sink photon itself is designed as a demonstration and does not directly expose significant security vulnerabilities like 'eval' or direct filesystem access. It uses the @portel/photon-core library for io.emit functions and PhotonMCP inheritance, implying a secure execution environment provided by the 'photon' CLI. Constructor parameters are placeholders or defaults intended to be overridden, and no network calls are initiated directly by this specific photon. It's considered safe for its intended purpose as a learning and demonstration tool.
Updated: 2026-01-12GitHub
34
3
Low Cost
faxioman icon

code-sage

by faxioman

Sec9

A high-performance MCP server for semantic code search, analyzing codebases using AST-based chunking and providing hybrid keyword and vector embeddings search capabilities for AI clients.

Setup Requirements

  • ⚠️Requires Rust 1.70+ to build.
  • ⚠️If using the 'builtin' embedding provider, a 79MB model (nomic-embed-text-v1.5) will be downloaded on first use.
  • ⚠️Using OpenAI embedding provider requires an 'OPENAI_API_KEY' and incurs usage costs.
  • ⚠️Using Ollama embedding provider requires a local Ollama server running and the specified model pulled.
  • ⚠️GPU acceleration ('metal' or 'cuda' features) requires platform-specific builds.
Verified SafeView Analysis
The project uses standard and well-audited libraries for networking (reqwest), file system access (tokio::fs, ignore), and hashing (sha2, md5). Environment variables are used for sensitive information like API keys, preventing hardcoding. Input path validation is present. Regex patterns for ignore files are escaped to prevent injection. The llama.cpp backend explicitly voids logs to prevent interference, a good practice for structured output. No obvious `eval` or dynamic code execution from user input was found.
Updated: 2026-01-19GitHub
34
3
Medium Cost
dunialabs icon

mcp-servers

by dunialabs

Sec9

Integrates Notion with Model Context Protocol to manage pages, databases, blocks, comments, and search functionality for Notion workspaces.

Setup Requirements

  • ⚠️Requires a Notion Internal Integration Token or OAuth Access Token with appropriate permissions.
  • ⚠️Notion pages/databases must be explicitly shared with the integration for the server to access them.
  • ⚠️Requires a Node.js (>=18.0.0) or Docker runtime environment.
Verified SafeView Analysis
Uses environment variables for the Notion API token, which is a good practice for sensitive credentials. Input validation is implemented using Zod schemas, ensuring parameters conform to expected types and constraints. The server interacts with the official Notion API over HTTPS. No direct use of `eval` or other dynamic code execution methods was found. Comprehensive error handling is in place to prevent sensitive information leakage. All logs are directed to stderr to avoid interfering with the MCP protocol on stdout.
Updated: 2026-01-15GitHub
34
2
High Cost
justoneapi icon

justoneapi-mcp

by justoneapi

Sec8

MCP server to expose JustOneAPI's Chinese social media and news search capabilities to AI assistants, returning raw upstream JSON responses.

Setup Requirements

  • ⚠️Requires a paid JustOneAPI token for full functionality.
  • ⚠️Requires Node.js >= 18.0.0.
  • ⚠️Manual configuration of the MCP client (e.g., Claude Desktop JSON config file) is necessary.
Verified SafeView Analysis
The server passes the `JUSTONEAPI_TOKEN` as a query parameter, which is less secure than header-based authentication as it can be logged by proxies or web servers. However, the code explicitly encodes the token, masks it in debug logs, and validates its presence. No `eval` or obvious malicious patterns were found in the provided source code.
Updated: 2026-01-19GitHub
34
3
High Cost
workato-devs icon

dewy-resort

by workato-devs

Sec8

A comprehensive hotel management system integrating with external services (Salesforce, Stripe, Twilio, Home Assistant) and an AI conversational agent (AWS Bedrock) for managing bookings, guest services, maintenance, and billing.

Setup Requirements

  • ⚠️Requires a Workato account and the Workato CLI for deployment and management of integration recipes.
  • ⚠️Requires an AWS account with configured Cognito User Pool, Identity Pool, and access to AWS Bedrock models for AI conversational features and authentication.
  • ⚠️Requires Salesforce and Stripe accounts with API credentials for core CRM and payment processing functionalities.
  • ⚠️Relies on numerous environment variables for configuring all integrated services and features (Workato, Salesforce, Stripe, AWS, Okta, Home Assistant, Twilio, database settings).
  • ⚠️Requires local SQLite database initialization via a setup script.
Verified SafeView Analysis
The project uses environment variables for sensitive data (API keys, tokens) rather than hardcoding. Authentication is delegated to external providers (Okta/Cognito). Extensive use of JSON parsing for configurations and inter-process communication is noted, which is safe when data sources are controlled. A configurable 'DISABLE_SSL_VERIFICATION' flag exists for fetch utilities; if enabled in production, it poses a significant man-in-the-middle attack risk. Default manager credentials are hardcoded in `hotel-db-server.ts` if not overridden by environment variables, which is acceptable for development but a concern for production.
Updated: 2026-01-19GitHub
34
4
Low Cost
MarimerLLC icon

csla-mcp

by MarimerLLC

Sec9

Provides a knowledge base and semantic search capabilities for AI coding assistants to generate .NET C# applications using the CSLA .NET framework.

Setup Requirements

  • ⚠️Requires Azure OpenAI API Key and Endpoint (Paid service).
  • ⚠️Requires a deployed Azure OpenAI embedding model (e.g., `text-embedding-3-large`) in your Azure OpenAI resource.
  • ⚠️Docker is required to build and run the server image locally.
Verified SafeView Analysis
The server emphasizes security best practices by utilizing environment variables for sensitive Azure OpenAI API keys, explicitly warning against insecure client-side identity flow (`FlowSecurityPrincipalFromClient = true`), and implementing robust checks to block path traversal attacks in file access operations for the `Fetch` tool. The Docker build process uses `set -euo pipefail` for shell script robustness. No 'eval' or other highly dynamic code execution without clear justification is apparent in the provided source.
Updated: 2026-01-18GitHub
34
3
High Cost
201Harsh icon

Varon-AI

by 201Harsh

Sec8

A multi-agent AI system designed to coordinate specialized AI tools for complex real-world task execution and automation, including coding, research, scraping, and content generation.

Setup Requirements

  • ⚠️Requires Google Gemini API Keys (VARON_AI_API_KEY, VARON_AI_TEAM_API_KEY), which are usage-based.
  • ⚠️Requires a MongoDB instance for data storage.
  • ⚠️Requires a SerpAPI Key for web search capabilities (used by HydraSearch and ViperCart).
  • ⚠️Requires SMTP credentials (SMTP_USER, SMTP_PASSWORD) for email verification during user registration.
  • ⚠️Requires Google OAuth Client ID and Secret for the 'Continue with Google' authentication feature.
Verified SafeView Analysis
The application demonstrates several good security practices, including the use of environment variables for sensitive API keys (Gemini, JWT secret, Google OAuth), secure password hashing with bcrypt, and JWTs for session management configured with `httpOnly`, `secure`, and `samesite: none` flags for cookies. Rate limiting is applied to authentication endpoints to mitigate brute-force attacks, and `express-validator` provides basic input validation. The tool execution mechanism via `@modelcontextprotocol/sdk` relies on a predefined set of tools with structured parameters, minimizing the risk of arbitrary code execution. A minor concern is the hardcoded sender email address (`endgamingai2@gmail.com`) for nodemailer within `server/controllers/user.controller.js`, which ideally should be configured via an environment variable.
Updated: 2026-01-10GitHub
34
3
High Cost
monitoringartist icon

logicmonitor-mcp-server

by monitoringartist

Sec9

Enables AI assistants to interact with a LogicMonitor monitoring tool.

Setup Requirements

  • ⚠️Requires LogicMonitor company name (LM_COMPANY) and API Bearer Token (LM_BEARER_TOKEN) to be set as environment variables for LogicMonitor API access.
  • ⚠️For network transports (SSE/HTTP), unauthenticated access is allowed by default if OAuth or a static MCP Bearer Token are not configured.
  • ⚠️Requires Node.js 18+ and a build step (`npm run build`) if not using npx or Docker images.
Verified SafeView Analysis
Comprehensive input sanitization (XSS, SQLi for filter/names), sensitive data redaction in logs, robust JWT validation with audience binding, and CSRF protection are implemented. Explicit warnings are provided for production secret management. CORS defaults to allow all origins if `ALLOWED_ORIGINS` is not configured, which needs careful production setup.
Updated: 2026-01-19GitHub
34
4
Low Cost
Sec2

Orchestrates Bio-OS workflows and Docker image builds via an MCP server, integrating with Dockstore for workflow discovery and a reranker for search relevance.

Setup Requirements

  • ⚠️Requires `uv` (Python package manager) for local installation.
  • ⚠️Requires `Cromwell` (WDL workflow execution engine), typically installed via `brew install cromwell` (macOS).
  • ⚠️Requires `MIRACLE_ACCESS_KEY` and `MIRACLE_SECRET_KEY` environment variables or explicit parameters for Bio-OS interactions.
  • ⚠️Tightly coupled to 'Miracle Cloud' internal infrastructure (`dockstore.miracle.ac.cn`, `bio-top.miracle.ac.cn`, and internal IP addresses for reranking/Docker build services), making it non-portable outside this specific environment.
Review RequiredView Analysis
A critical security vulnerability exists in `src/bioos_mcp/tools/dockstore_search.py` where a full `ory_kratos_session` cookie is hardcoded in the `self.headers` dictionary. This cookie likely grants authenticated access to `dockstore.miracle.ac.cn` and could lead to unauthorized access or data exposure. Additionally, the server relies on hardcoded internal IP addresses (`http://10.22.17.85:10802/rerank`, `http://10.20.16.38:3001/build`) for backend services, which poses a risk if these services are not properly secured or if the network environment is not trusted. While credentials (`MIRACLE_ACCESS_KEY`, `MIRACLE_SECRET_KEY`) are generally handled via environment variables, the hardcoded session cookie is a severe oversight.
Updated: 2026-01-14GitHub
34
3
High Cost
babelcloud icon

gbox-mcp-server

by babelcloud

Sec8

Enable AI agents to automate Android devices, Linux environments, and browser sessions.

Setup Requirements

  • ⚠️Requires GBOX_API_KEY from gbox.ai/dashboard or a prior `gbox login` CLI setup.
  • ⚠️Requires Node.js (v18.17.0, v20.3.0, or >=v21.0.0).
  • ⚠️Local Android device control (physical devices) might require `scrcpy` installation, which the server attempts to manage.
Verified SafeView Analysis
The server uses JWT for authentication, which is a standard and secure approach. Remote shell execution (`adb_shell` tool) and device control (`gbox-sdk`) are core functionalities and inherently involve executing commands on remote (potentially sandboxed) environments. Local `execSync` and `spawn` calls are primarily for managing the `scrcpy` tool for local device interaction, an expected setup step. No direct `eval` or obvious hardcoded secrets were found.
Updated: 2025-11-29GitHub
PreviousPage 152 of 760Next