Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(9120)

100
20409
Medium Cost
activepieces icon

activepieces

by activepieces

Sec9

An all-in-one AI automation platform designed to be extensible, serving as an open-source replacement for Zapier. It enables users to build AI-driven workflows and integrations using a type-safe TypeScript framework, and functions as a comprehensive MCP toolkit for connecting LLMs to various services.

Setup Requirements

  • ⚠️Requires Docker and/or orchestration tools like Docker Compose, Kubernetes (Helm), or cloud providers (AWS ECS with Pulumi) for deployment.
  • ⚠️Requires external PostgreSQL for persistent storage and Redis for queuing in most deployments (SQLite/in-memory options exist for dev/testing).
  • ⚠️Development setup specifically checks for and installs 'bun' for package management, and requires Node.js v18 or v20.
  • ⚠️Optional integrations with S3 for file storage (requires AWS credentials) and SMTP for email notifications (requires SMTP server details).
Verified SafeView Analysis
The project demonstrates strong security practices including dynamic generation of secrets for production deployments (AP_API_KEY, AP_JWT_SECRET, ENCRYPTION_KEY) and the use of `isolated-vm` for sandboxing user-provided code in flow steps, mitigating execution risks. A `SECURITY.md` document outlines a responsible vulnerability disclosure policy. A minor concern is the hardcoded PostgreSQL password in `docker-compose.dev.yml`, though this is specific to a development environment and not intended for production.
Updated: 2026-01-19GitHub
100
18852
High Cost
oraios icon

serena

by oraios

Sec6

AI Agent framework for interacting with code via Language Servers, facilitating automated development tasks and comprehensive code analysis.

Setup Requirements

  • ⚠️Requires `uv` (universal Python package installer/resolver) to run the server.
  • ⚠️Language-specific runtimes are required for their respective language server functionalities (e.g., Node.js for JS/TS, Java JDK for Java, Elixir for Elixir, .NET SDK for F# and C#, Go for Go, Rustup for Rust, Perl for Perl, Zig for Zig, Julia for Julia, Free Pascal Compiler for Pascal). The framework attempts to auto-install language servers, but core runtimes are external prerequisites.
  • ⚠️Initial setup involves manual repository cloning, creation/copying of configuration files (`serena_config.yml`, `project.yml`), and project registration for the AI agent to operate correctly.
Review RequiredView Analysis
The system is designed to allow an AI agent to execute arbitrary shell commands (via `ExecuteShellCommandTool`) and download/run external binaries (language servers via `requests.get` and `subprocess.Popen`). This grants significant privileges and requires strong trust in the AI's directives. While these actions are central to its function as a coding agent, they represent a high-risk capability if the AI is compromised or misbehaves.
Updated: 2026-01-19GitHub
100
8954
High Cost
mcp-use icon

mcp-use

by mcp-use

Sec7

A comprehensive framework for building full-stack Model Context Protocol (MCP) applications, including AI agents, MCP servers with UI widgets, and integrated debugging tools in both Python and TypeScript.

Setup Requirements

  • ⚠️Requires Node.js 20+ (22 recommended) and pnpm 10+ for TypeScript development.
  • ⚠️Requires Python 3.11+ and uv for Python development.
  • ⚠️Utilizes various AI models (OpenAI, Anthropic, Google, Groq) which require API keys (e.g., OPENAI_API_KEY, ANTHROPIC_API_KEY) and incur usage costs.
Verified SafeView Analysis
The framework supports 'Code Mode' which allows executing JavaScript/TypeScript code using Node.js VM-based or E2B cloud sandboxes. The VM-based executor explicitly warns that 'VM isolation is not perfect for untrusted code,' requiring careful validation if code input originates from untrusted sources. Additionally, the framework includes a general-purpose MCP proxy middleware which, if explicitly deployed without strong authentication or request validation, could function as an open CORS proxy, posing a significant security risk. However, this proxy is not enabled by default in a server scaffolded by `create-mcp-use-app`; it is used internally by the Inspector application or if a developer explicitly adds it to their server.
Updated: 2026-01-19GitHub
100
5593
Medium Cost
Klavis-AI icon

klavis

by Klavis-AI

Sec3

Develop and deploy AI agents that interact with a wide array of web services (e.g., Gmail, YouTube, LinkedIn, Supabase, Salesforce, Kubernetes) through a standardized Model Context Protocol (MCP), often orchestrated by an intelligent routing layer like Strata.

Setup Requirements

  • ⚠️Requires Klavis API Key for hosted services and simplified OAuth flows.
  • ⚠️Requires specific API keys and/or OAuth setup for each integrated third-party service (e.g., OpenAI, Google, Spotify, Supabase, LinkedIn, Tavily).
  • ⚠️Docker is required for self-hosting individual MCP servers.
  • ⚠️Some operations (e.g., creating Supabase projects) require explicit cost confirmation from the user/LLM.
  • ⚠️Specific OAuth scopes/permissions must be configured for full functionality for certain integrations (e.g., LinkedIn `w_member_social`).
Review RequiredView Analysis
The project includes multiple MCP servers that execute arbitrary system commands (e.g., `kubectl`, `helm`, general shell commands via `local/terminal`) or direct SQL queries (`supabase_execute_sql`) based on user or LLM input. While some attempts at input validation and sandboxing are present (`local/terminal`'s `SecurityConfig`), these mechanisms are inherently difficult to secure completely against sophisticated injection attacks. This poses significant shell and SQL injection risks if not deployed in highly controlled and sandboxed environments. Access tokens and API keys are generally handled via environment variables or `x-auth-data` headers, which is good practice, but the privilege escalation potential of the command execution tools remains a critical concern. Exposed HTTP/SSE endpoints for local servers also present a network risk if not properly firewalled.
Updated: 2026-01-16GitHub
100
2022
Low Cost
lemonade-sdk icon

lemonade

by lemonade-sdk

Sec7

Lemonade Server is a high-performance C++ HTTP server providing local OpenAI-compatible API endpoints for various AI inference tasks including large language models (LLMs), embeddings, reranking, and audio transcription, with a focus on AMD Ryzen AI hardware acceleration.

Setup Requirements

  • ⚠️NPU models specifically require AMD Ryzen AI 300- and 400-series processors with XDNA2 NPUs running Windows 11.
  • ⚠️A working internet connection is required for initial setup to automatically download `ryzenai-server` (for NPU models) and other backend binaries/models from GitHub and Hugging Face releases.
  • ⚠️Building from source requires CMake 3.28+, a C++17 compatible compiler, Git, and platform-specific dependencies (e.g., Visual Studio on Windows, `build-essential` on Linux, Xcode on macOS).
Verified SafeView Analysis
The server binds to `localhost` by default, which is safe; however, if configured to bind to `0.0.0.0`, it would expose the API externally. The API lacks authentication by default if the `LEMONADE_API_KEY` environment variable is not set, posing a risk if exposed. Cross-Origin Resource Sharing (CORS) is enabled for all origins (`*`), a common practice for local development but a potential vulnerability for externally-exposed servers. It automatically downloads model backends and LLM models from trusted GitHub and Hugging Face repositories, which can introduce supply chain risks if these sources are compromised, though it utilizes version pinning and explicit URLs. On Windows, the build incorporates Control Flow Guard, ASLR, and DEP. Linux builds are headless-only and use permissively licensed dependencies.
Updated: 2026-01-19GitHub
100
1661
High Cost
jamubc icon
Sec8

A Model Context Protocol (MCP) server that enables AI assistants to interact with the Google Gemini CLI for comprehensive code and file analysis, structured edit suggestions, and creative brainstorming.

Setup Requirements

  • ⚠️Requires Node.js v16.0.0 or higher
  • ⚠️Requires Google Gemini CLI installed and configured separately (including API key setup)
  • ⚠️Primarily designed and tested for Claude Desktop or Claude Code MCP clients
Verified SafeView Analysis
The server executes external commands via `child_process.spawn`. It correctly sets `shell: false` in `commandExecutor.ts`, significantly mitigating shell injection risks by treating arguments as distinct elements rather than a single shell command string. User-provided prompts are handled with care, including wrapping potentially problematic characters (like '@') in quotes before passing them to the Gemini CLI. No direct `eval` calls or obfuscation were found. There are no hardcoded secrets; API keys are expected to be configured with the Google Gemini CLI itself. The explicit 'sandbox' mode leverages Gemini's built-in safety features. Logging of command executions is a good practice for auditing. The primary security considerations shift to the underlying Gemini CLI and the permissions it operates with.
Updated: 2025-11-25GitHub
100
1147
Medium Cost
hashicorp icon
Sec8

Provides seamless integration with Terraform Registry APIs and HCP Terraform/Terraform Enterprise APIs, enabling AI assistants/LLMs to generate high-quality Terraform code and automate IaC workflows.

Setup Requirements

  • ⚠️Requires Docker to run in a containerized environment.
  • ⚠️Requires an AI assistant/LLM that supports the Model Context Protocol (MCP).
  • ⚠️HCP Terraform/Terraform Enterprise API token (TFE_TOKEN) is required for accessing private registries or TFE/TFC management features.
Verified SafeView Analysis
The server implements CORS, rate limiting, and explicit gating for destructive Terraform operations (ENABLE_TF_OPERATIONS). It warns against using TFE_SKIP_TLS_VERIFY in production and against untrusted MCP clients/LLMs due to potential data exposure. Sensitive variables like TFE_TOKEN are handled securely, preventing their exposure in logs or query parameters. It is currently intended for local use only, and careful configuration of allowed origins is critical for HTTP transport.
Updated: 2026-01-16GitHub
100
3561
Medium Cost
exa-labs icon

exa-mcp-server

by exa-labs

Sec9

Provides AI assistants and coding agents with real-time web search, code context, and deep research capabilities via the Model Context Protocol.

Setup Requirements

  • ⚠️Requires an EXA_API_KEY from dashboard.exa.ai/api-keys to function.
  • ⚠️Designed to be used with an MCP-compatible AI client (e.g., Cursor, Claude Desktop, Claude Code, Codex).
  • ⚠️Deep research tools ('deep_researcher_start', 'deep_researcher_check') require the client agent to poll for results, implementing an asynchronous workflow.
  • ⚠️Vercel free tier deployments may experience function timeouts (10s limit) for longer operations, especially deep research tasks.
Verified SafeView Analysis
The server demonstrates strong security practices. It uses Zod for robust input validation for all tool parameters. API keys are securely handled, preferring explicit configuration or environment variables, and are not hardcoded. All external HTTP requests to Exa AI are made via axios with configured timeouts (25-30 seconds) and comprehensive error handling, distinguishing between Axios-specific and generic errors. There is no usage of 'eval' or other inherently dangerous functions, and the codebase is clear and follows standard practices. The primary network risk is reliance on the external Exa AI API, which is a standard part of its functionality.
Updated: 2026-01-15GitHub
100
2167
Low Cost
sparfenyuk icon

mcp-proxy

by sparfenyuk

Sec8

Acts as a transparent proxy for Model Context Protocol (MCP) servers, allowing switching between stdio, Server-Sent Events (SSE), and Streamable HTTP transports.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️Installation recommended via `uv` or `pipx`.
  • ⚠️If acting as an SSE to stdio proxy, the security of the setup depends on the trustworthiness of the commands configured for the local stdio MCP server(s).
Verified SafeView Analysis
The mcp-proxy itself appears well-engineered, utilizing standard and reputable libraries (uvicorn, Starlette, httpx) and implementing good practices such as masking sensitive headers (e.g., Authorization) in logs. It correctly handles SSL verification. The primary security consideration arises from its 'SSE to stdio' mode, where it executes arbitrary commands provided by the user to spawn local MCP servers. While `shlex.split` is used when parsing command strings from named server definitions to mitigate simple shell injection, users are ultimately responsible for ensuring the commands they configure are safe and non-malicious.
Updated: 2026-01-15GitHub
100
3293
Medium Cost
cloudflare icon
Sec8

Centralized platform for Cloudflare's Model Context Protocol (MCP) servers, enabling AI clients to interact with diverse Cloudflare services using natural language for configuration, data analysis, and task automation.

Setup Requirements

  • ⚠️Requires a Cloudflare account. Local development can use either Cloudflare OAuth client ID/secret or a global Cloudflare API token. Production deployment relies on securely configured Cloudflare API tokens/OAuth credentials.
  • ⚠️Requires creating and configuring a KV namespace named 'OAUTH_KV' for OAuth state management.
  • ⚠️Some advanced features exposed by the MCP servers may require a paid Cloudflare Workers plan.
  • ⚠️Each server application within the monorepo requires specific Cloudflare Workers bindings (e.g., Durable Objects, KV, R2, AI, Analytics Engine) to be configured via 'wrangler' for deployment.
Verified SafeView Analysis
The project uses standard Cloudflare OAuth for authentication and properly manages secrets via environment variables, demonstrating good security practices. Input validation is extensively handled with 'zod'. The 'apps/sandbox-container' application offers shell execution and file system interactions; while this is a critical security capability, it is designed as a specialized development/evaluation tool with an implied need for controlled, isolated environments. This specific use case is justified for a sandbox but requires stringent deployment and isolation considerations. No obvious malicious patterns or obfuscation were found.
Updated: 2026-01-15GitHub
100
1693
High Cost
ravitemer icon

mcphub.nvim

by ravitemer

Sec2

Integrates Model Context Protocol (MCP) servers with Neovim to enable AI agent interaction for tools, resources, and prompts within the editing workflow.

Setup Requirements

  • ⚠️Requires Node.js >= 18.0.0 for the mcp-hub backend.
  • ⚠️Requires `mcp-hub` binary installation (globally via npm, locally bundled, or custom path).
  • ⚠️Requires `plenary.nvim` Neovim plugin.
  • ⚠️Potential high token usage due to large file reads, LSP diagnostics, and verbose prompt contexts sent to LLMs.
  • ⚠️Using function-based auto-approval for critical tools (like file system operations) is highly recommended over boolean auto-approval to mitigate risks.
Review RequiredView Analysis
CRITICAL: The server exposes highly dangerous built-in tools callable by LLMs, including `execute_command` (arbitrary shell command execution), `execute_lua` (arbitrary Lua code execution within Neovim), and `loadstring` (arbitrary Lua expression evaluation). If an LLM or user input is compromised (e.g., via prompt injection) or misaligned, these tools could be exploited to execute malicious code or commands on the user's system with Neovim's permissions. The 'auto_approve' feature, if enabled, further bypasses user confirmation for these operations, significantly increasing the risk. While intended for powerful automation, these capabilities represent a severe security vulnerability. The `SECURITY.md` outlines general considerations but does not specifically address the inherent risks of these built-in powerful execution tools being directly exposed to LLMs.
Updated: 2026-01-18GitHub
100
12409
Low Cost
ruvnet icon

claude-flow

by ruvnet

Sec9

AI Agent Orchestration and Development Platform for Claude Code

Setup Requirements

  • ⚠️Requires Node.js >= 20.0.0 or Bun >= 1.0.
  • ⚠️Requires global installation of @anthropic-ai/claude-code CLI.
  • ⚠️ANTHROPIC_API_KEY is mandatory for interaction with Claude models (paid service).
  • ⚠️Full RuVector capabilities (advanced vector database) require a running PostgreSQL instance, ideally the ruvnet/ruvector-postgres Docker image.
  • ⚠️Default MCP server port (3000) might be in use by other services.
  • ⚠️Docker knowledge may be required for managing the RuVector PostgreSQL database for full features.
Verified SafeView Analysis
The project demonstrates a very strong focus on security, incorporating multiple layers of protection. This includes comprehensive input validation (Zod-based), robust path traversal prevention, and command sandboxing with allowlisted commands to prevent injection attacks. Credential handling utilizes bcrypt for password hashing and generates cryptographically secure API keys. A dedicated AI-powered system (AIDefence) is in place for real-time threat detection, including prompt injection, jailbreak attempts, and PII scanning. The project also claims active CVE monitoring and remediation. While no system is entirely impervious, the explicit and multi-faceted security measures outlined in the documentation and confirmed by code structure suggest a high level of security design.
Updated: 2026-01-18GitHub
PreviousPage 2 of 760Next