Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(9120)

87
981
High Cost
cgoinglove icon

better-chatbot

by cgoinglove

Sec3

An advanced open-source AI chatbot supporting multiple LLMs, extensive tools (web search, code execution, data visualization, MCP protocol), image generation, and workflow automation for individuals and teams.

Setup Requirements

  • ⚠️Requires at least one API key from a major LLM provider (e.g., OpenAI, Google, Anthropic), which are typically paid services.
  • ⚠️Requires a PostgreSQL database (`POSTGRES_URL` environment variable) for persistent storage.
  • ⚠️Full functionality of custom MCP tools may require setting up and managing external MCP servers.
  • ⚠️File storage needs to be configured (e.g., Vercel Blob, S3) for features like image generation and file ingestion.
Review RequiredView Analysis
The application allows arbitrary JavaScript and Python code execution (via `new Function` for JS and Pyodide for Python) and arbitrary HTTP requests (SSRF risk) based on AI model outputs. While there are attempts at sandboxing for code execution, these are inherently high-risk features that are difficult to secure against all exploits. Connections to external Model Context Protocol (MCP) servers also introduce a vector for interacting with potentially untrusted services. Careful vetting of user input and external server configurations is critical.
Updated: 2025-12-29GitHub
87
14
Medium Cost
greatSumini icon

nanobanana-api-mcp

by greatSumini

Sec5

An MCP server providing image generation and editing capabilities via the Google Gemini API, integrable with various AI coding assistants and IDEs.

Setup Requirements

  • ⚠️Requires a Google API key with access to Gemini models, which needs to be obtained separately.
  • ⚠️Requires Node.js version >= 18.0.0.
Review RequiredView Analysis
The server processes user-provided file paths for image input/output (`path`, `output_path`, `reference_images_path`). While the documentation states 'ABSOLUTE path' and 'Relative paths are NOT accepted', there is no explicit server-side validation in the handlers (e.g., `generate-image.ts`, `edit-image.ts`) to ensure paths are absolute and confined to safe directories. This could lead to path traversal vulnerabilities if a malicious client provides manipulated paths, potentially allowing arbitrary file read/write on the server's filesystem. The Google API key is correctly handled via environment variables or CLI arguments, not hardcoded.
Updated: 2025-11-25GitHub
87
14
High Cost
greynewell icon

mcpbr

by greynewell

Sec7

A benchmark runner for evaluating Model Context Protocol (MCP) servers by comparing LLM agent performance with and without MCP tools on software engineering tasks.

Setup Requirements

  • ⚠️Requires Python 3.11+
  • ⚠️Requires Docker to be running
  • ⚠️Requires ANTHROPIC_API_KEY environment variable (paid API)
  • ⚠️Requires Claude Code CLI (`claude`) to be installed globally via npm
Verified SafeView Analysis
The server's core functionality involves executing user-defined MCP server commands and agent-generated code (patches, PoC exploits) within Docker containers. While Docker provides a layer of isolation, malicious configurations for the 'mcp_server' command or arguments could lead to undesirable actions within the container. The Claude Code CLI is run with '--dangerously-skip-permissions', though it is executed by a non-root user ('mcpbr') inside the container. The project's 'SECURITY.md' acknowledges these risks and advises users to only use trusted MCP servers and be aware of network access within containers.
Updated: 2026-01-18GitHub
87
1403
Low Cost
rulego icon

rulego

by rulego

Sec4

An independent, ready-to-use rule engine service for orchestrating IoT devices, AI models, and general application logic, with automatic MCP tool registration for AI assistants.

Setup Requirements

  • ⚠️Commercial use of the RuleGo-Editor UI requires purchasing authorization.
  • ⚠️Specific Go build tags (e.g., `-tags with_extend,with_ai`) are required to include various extended components and features.
  • ⚠️User authentication is disabled by default, requiring manual configuration to secure the API endpoints.
  • ⚠️The `exec_node` component can execute system commands; it requires careful whitelisting and ensuring necessary tools (like `docker`, `git`) are installed and configured on the host.
Review RequiredView Analysis
The server exposes powerful capabilities like loading Go plugins (.so files), executing system commands via `exec_node` (with a broad whitelist including `docker`, `kubectl`, `git`), and interacting with SSH. These features introduce significant security risks if not managed in a highly trusted and controlled environment, as they could lead to arbitrary code execution or privilege escalation if untrusted input or configurations are used. Potential for injection vulnerabilities (SQL, SSRF) exists if user-controlled input is not rigorously validated in components like `db_client_node` or `rest_api_call_node`. The default configuration disables user authentication, making it insecure by default and requiring manual enablement.
Updated: 2026-01-09GitHub
86
11
Medium Cost
iamyureka icon

ynode

by iamyureka

Sec2

Ynode is an open-source platform for visual workflow automation, allowing users to create, manage, and execute node-based automation workflows.

Setup Requirements

  • ⚠️Requires Node.js 18+ and pnpm for development and deployment.
  • ⚠️Built-in 'ifElse' node is vulnerable to Remote Code Execution (RCE) due to `new Function()` evaluating user input directly in the main process, making it unsafe for untrusted users.
  • ⚠️Many integration nodes (e.g., OpenAI, Telegram) require external API keys, some of which may incur costs from third-party services.
Review RequiredView Analysis
CRITICAL VULNERABILITY: The 'ifElse' built-in node (packages/ynode-core/src/nodes/ifElse.ts) uses `new Function()` to evaluate user-provided `config.condition`. This allows for arbitrary JavaScript code execution (Remote Code Execution - RCE) within the main Node.js process if a malicious user can control the 'condition' configuration of an 'ifElse' node. Although custom nodes leverage `isolated-vm` for sandboxing, this core built-in node does not. Other components include strong authentication (Argon2, JWT), credential encryption (AES-256-GCM), rate limiting, and network access controls for custom nodes, but the `new Function` vulnerability is paramount.
Updated: 2026-01-18GitHub
86
554
High Cost
spences10 icon
Sec9

Guides LLM-driven sequential problem-solving by breaking down complex problems into manageable steps and providing confidence-scored recommendations for MCP tool usage at each stage.

Setup Requirements

  • ⚠️Requires an MCP client to interact with it.
  • ⚠️Does not automatically discover available MCP tools; they must be explicitly provided in the 'available_mcp_tools' parameter by the client calling this tool.
  • ⚠️Requires Node.js to be installed on the host system to run via npx.
Verified SafeView Analysis
The server primarily operates via standard I/O (stdio) and does not appear to open direct network ports. No usage of 'eval' or obvious hardcoded secrets were found in the provided source code. The 'Tool discovery not implemented' note indicates that external tool listing is client-driven, reducing potential attack surface from auto-discovery. The project relies on `npx` for execution, requiring Node.js, which implies the general risks associated with running Node.js applications; however, the code itself appears well-behaved.
Updated: 2026-01-15GitHub
86
452
Medium Cost
Wh0am123 icon

MCP-Kali-Server

by Wh0am123

Sec1

Enabling AI-driven offensive security testing by bridging AI agents to a Kali Linux terminal for command execution.

Setup Requirements

  • ⚠️Requires a Kali Linux environment where the `kali_server.py` component can run, due to its reliance on specific penetration testing tools (e.g., nmap, gobuster, Metasploit, etc.).
  • ⚠️Requires an external MCP Client (e.g., Claude Desktop, 5ire) to connect to and utilize the functionality provided by `mcp_server.py`.
  • ⚠️The `kali_server.py` backend expects various Kali Linux penetration testing tools to be installed and available in the system's PATH (e.g., nmap, gobuster, dirb, nikto, metasploit, hydra, john, wpscan, enum4linux) for its API endpoints to function correctly.
Review RequiredView Analysis
The backend component, `kali_server.py`, which the `mcp_server.py` (the 'MCP Server' client) connects to, uses `subprocess.Popen(command, shell=True)` with user-supplied input from API requests (e.g., target, URL, additional_args) without sufficient sanitization. This creates severe command injection vulnerabilities across all tool-specific endpoints (nmap, gobuster, dirb, nikto, sqlmap, hydra, john, wpscan, enum4linux) and especially the generic `/api/command` endpoint. An attacker or an unconstrained AI could execute arbitrary commands on the host Kali machine, potentially leading to system compromise. Running `kali_server.py` with `--ip 0.0.0.0` (as explicitly warned in the README) would expose these critical vulnerabilities over the network. There are no mechanisms for input validation beyond checking for parameter presence.
Updated: 2026-01-19GitHub
86
9
Low Cost
templetwo icon

temple-bridge

by templetwo

Sec9

An MCP server that bridges local AI capabilities (back-to-the-basics) with governance protocols (threshold-protocols) to create a unified, sovereign AI agent operating entirely on a local machine.

Setup Requirements

  • ⚠️Requires Apple Silicon Mac (M1/M2/M3 or later) for optimal performance with MLX models.
  • ⚠️Requires LM Studio v0.3.17+ to be installed and configured for MCP (Model Context Protocol).
  • ⚠️Requires cloning three separate Git repositories (`temple-bridge`, `back-to-the-basics`, `threshold-protocols`) and setting `TEMPLE_BASICS_PATH` and `TEMPLE_THRESHOLD_PATH` environment variables to their respective local paths.
  • ⚠️Requires `uv` Python package manager for installation and execution, not `pip` directly.
  • ⚠️Requires manual copying of `SYSTEM_PROMPT.md` content into LM Studio's system prompt field or saving as a preset for each new chat session.
Verified SafeView Analysis
The server implements robust security measures including an explicit allowlist for `btb_execute_command` (e.g., `pytest`, `python`, `ls`), path sandboxing to prevent traversal outside designated repositories for file operations (`btb_read_file`, `btb_list_directory`), and mandatory human approval gates for critical actions (`btb_execute_command`) via LM Studio. No `eval` or `exec` statements are used, and sensitive repository paths are retrieved via environment variables, not hardcoded. The primary security risk lies in the commands allowed on the allowlist, which are controlled by human oversight.
Updated: 2026-01-17GitHub
86
2601
High Cost
Jpisnice icon
Sec7

Provides AI assistants with comprehensive access to shadcn/ui v4 components, blocks, demos, and metadata across multiple frameworks (React, Svelte, Vue, React Native) for UI development and code generation.

Setup Requirements

  • ⚠️Requires a GitHub Personal Access Token (PAT) for higher API rate limits (5,000 requests/hour vs. 60 without) to ensure reliable performance.
  • ⚠️Requires Node.js version 18 or higher.
  • ⚠️Framework selection is crucial for accessing the correct component library (React, Svelte, Vue, React Native); it defaults to React and must be specified via `--framework` CLI argument or `FRAMEWORK` environment variable.
Verified SafeView Analysis
The server uses `new Function()` to parse external theme presets fetched from a hardcoded GitHub URL. While the source is controlled, this is a known security risk if the remote `tweakcn` repository is compromised, allowing for arbitrary code execution on the server. Otherwise, GitHub API keys are handled securely via environment variables or CLI arguments.
Updated: 2025-12-29GitHub
86
10
Medium Cost
patriciomartinns icon

mcp-pdf-reader

by patriciomartinns

Sec9

Exposes local PDFs for reading, semantic search, chunking, and table extraction to MCP-compatible agents or via a CLI.

Setup Requirements

  • ⚠️Requires Python 3.14+.
  • ⚠️The first semantic search (search_pdf) on a new document or model will trigger a SentenceTransformers model download and embedding generation, which can cause a delay.
  • ⚠️Strongly recommends 'uv' for installation and execution, though standard Python tools might also work.
Verified SafeView Analysis
The server implements strong security measures, notably sandboxing PDF paths to a configurable base directory (defaults to CWD) and strictly validating file extensions to '.pdf'. It does not use 'eval' or other dangerous dynamic code execution. Network activity is limited to downloading SentenceTransformer models from Hugging Face for semantic search. `subprocess.run` is used only in development/testing scripts (`scripts/check.py`) and not in the server's runtime logic, with appropriate security comments (`nosec`). Memory usage is controlled via document and index caching limits.
Updated: 2025-11-27GitHub
85
8
Low Cost
eugenepyvovarov icon

MCPbundler

by eugenepyvovarov

Sec6

Manages and runs Agent Skills and Model Context Protocol (MCP) servers locally on macOS, providing a unified endpoint for various AI clients and automation workflows.

Setup Requirements

  • ⚠️Requires macOS and Xcode (for building/development, not just running).
  • ⚠️Headless mode requires an active project with at least one server configured via the GUI to function correctly.
  • ⚠️Local STDIO servers allow users to specify arbitrary executable paths (`execPath`), which can lead to unintended command execution if not carefully configured with trusted binaries.
Verified SafeView Analysis
The MCP Bundler itself is open-source and appears to have undergone a hygiene process to remove licensing/wallet gating and secrets. However, its core functionality involves running user-defined local STDIO servers, which means it will execute arbitrary commands specified by the user in the `execPath` and `args` fields. This introduces a significant risk of arbitrary code execution if misconfigured or if untrusted server definitions are imported. The `fetch_temp_file` tool is validated to limit file access to `/tmp` or `/var/folders` and enforce size limits, mitigating some local file access risks. OAuth flows and marketplace integrations involve network requests to external services, which are standard but rely on the security of those external endpoints. The hardcoded client origin `https://mcp-bundler.maketry.xyz` is a minor concern, as a compromise of this domain could potentially enable phishing or MITM attacks against the application's own communication. Users must exercise caution when configuring and importing server definitions.
Updated: 2026-01-19GitHub
85
6
High Cost
automateyournetwork icon

VibeGraphics

by automateyournetwork

Sec9

Generates theme-driven, AI-powered infographics and micro-animations from GitHub repository content (README, source code).

Setup Requirements

  • ⚠️Requires a Google Gemini API Key (paid service) configured as an environment variable.
  • ⚠️Requires internet access to GitHub and Google AI (Gemini, nano banana, Veo) endpoints.
  • ⚠️Relies on Python 3 and specific libraries (google-genai, fastmcp, requests) which are managed by the provided `run.sh` script and virtual environment setup.
Verified SafeView Analysis
The server securely handles GitHub repository URLs by normalizing them before constructing API requests, mitigating direct arbitrary URL injection. Google Gemini API keys are retrieved from environment variables, avoiding hardcoding. Output files are written to a dedicated, UUID-named directory, reducing file system risks. No 'eval' or direct arbitrary command execution from user input is observed. Risks primarily stem from dependencies (requests, google-genai) or the inherent nature of AI model output (e.g., hallucinations).
Updated: 2025-11-28GitHub
PreviousPage 19 of 760Next