Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(6642)

100
1289
Low Cost
mcp-router icon

mcp-router

by mcp-router

Sec3

A desktop application for managing Model Context Protocol (MCP) servers, supporting local and remote connections, context management, and integration with AI tools.

Setup Requirements

  • ⚠️Requires Node.js >= 20.0.0 and pnpm >= 8.0.0 for development/building.
  • ⚠️The Electron app installation is platform-specific (Windows/macOS installer via releases page).
  • ⚠️User-defined 'hooks' in workflows utilize `vm.Script.runInContext`, which, despite sandboxing efforts, carries inherent security risks due to arbitrary code execution capabilities if exploited.
Review RequiredView Analysis
The application uses `vm.Script.runInContext` for executing user-defined 'hooks' in workflows. While attempts at sandboxing are present (using `vm.createContext`), `eval`-like mechanisms are inherently high-risk and can be vulnerable to bypasses if the sandbox is not perfectly isolated, potentially leading to arbitrary code execution. Additionally, a PostHog analytics API key is hardcoded in `posthog-service.ts`, which, while not a critical access credential, is a secret in plain text that is transmitted externally, contradicting the README's privacy statement about credentials never being transmitted externally. User-provided bearer tokens and API keys for MCP servers are stated to be stored locally and not transmitted externally without explicit configuration.
Updated: 2025-12-02GitHub
100
19378
Medium Cost
activepieces icon

activepieces

by activepieces

Sec3

An open-source, extensible AI automation platform designed as a Zapier alternative, supporting low-code/no-code workflows and integration with Large Language Models (LLMs) through a type-safe TypeScript framework.

Setup Requirements

  • ⚠️Requires Docker for production deployment, or Node.js v18/v20 and Bun for local development.
  • ⚠️Production deployments (e.g., via Pulumi) require an AWS account, configured Route 53 for custom domains, and familiarity with AWS ECS Fargate, RDS (PostgreSQL), and ElastiCache (Redis).
  • ⚠️CRITICAL: The default `AP_EXECUTION_MODE` in Pulumi deployment is `UNSANDBOXED`, enabling arbitrary code execution in user flows. For secure operation, it MUST be explicitly set to `SANDBOX_CODE_ONLY` or `SANDBOX_PROCESS`.
  • ⚠️A hardcoded `POSTGRES_PASSWORD` exists in `docker-compose.dev.yml`; this should be replaced with a secure environment variable for any shared development setup.
Review RequiredView Analysis
The project uses Docker for deployment and provides development scripts. Critical security concerns include: 1. Hardcoded password `A79Vm5D4p2VQHOp2gd5` in `docker-compose.dev.yml` for PostgreSQL, which is a major vulnerability in any shared or exposed development environment. 2. The `tools/scripts/utils/piece-script-utils.ts` script executes `bun install` within the worker environment when loading pieces. If the `AP_EXECUTION_MODE` is set to `UNSANDBOXED` (which is the default in the `deploy/pulumi/index.ts` for AWS deployments), this allows for **arbitrary code execution (RCE)** from malicious or compromised piece packages during runtime. Even in `SANDBOX_CODE_ONLY` mode, arbitrary JavaScript can run within the `isolated-vm` sandbox, which still poses a risk if not carefully managed. 3. The default `AP_EXECUTION_MODE` of `UNSANDBOXED` in the Pulumi deployment is a severe misconfiguration for production, as it removes critical isolation for user-provided code in flows. 4. Sensitive information like `AP_API_KEY`, `AP_JWT_SECRET`, and `ENCRYPTION_KEY` are meant to be loaded from environment variables and `deploy.sh` generates them securely. However, the hardcoded dev password indicates a lack of consistent security practice.
Updated: 2025-12-06GitHub
100
16842
High Cost
oraios icon

serena

by oraios

Sec7

Provides a multi-language Code Analysis and Interaction server for AI Agents using the Language Server Protocol (LSP), enabling agents to understand, navigate, and modify codebases.

Setup Requirements

  • ⚠️Requires `uv` (Python package manager/installer) to be installed and in PATH for running the server.
  • ⚠️Requires project-specific YAML configuration files (`serena_config.yml` and `.serena/project.yml`) for each codebase it interacts with.
  • ⚠️Requires pre-installation of language-specific runtime dependencies (e.g., Node.js for TypeScript, Java JDK for Java/Kotlin/Scala, Go for Go, Rustup for Rust, Nix for Nix, Elixir/Next LS for Elixir, etc.) for each language server used.
  • ⚠️Some language servers have platform restrictions (e.g., Elixir's Next LS and Nixd language server typically do not support Windows).
Review RequiredView Analysis
The system is designed to interact with various external language servers and execute shell commands (`ExecuteShellCommandTool`). While this functionality is core to its operation, it inherently introduces risks. An AI agent using this server could potentially execute arbitrary commands on the host system if not properly constrained or monitored. There are no obvious hardcoded credentials or hidden malicious patterns in the truncated source code, and process management is handled with common utilities like `subprocess` and `psutil`.
Updated: 2025-12-06GitHub
100
8458
High Cost
mcp-use icon

mcp-use

by mcp-use

Sec6

A full-stack framework for building Model Context Protocol (MCP) servers, MCP clients, and AI agents in both Python and TypeScript, supporting interactive UI widgets and robust debugging.

Setup Requirements

  • ⚠️Requires Node.js 20+ and Python 3.11+ for full development experience.
  • ⚠️Requires external API keys (e.g., OpenAI, Anthropic, E2B) for most agent functionalities, incurring usage costs.
  • ⚠️The VM-based code executor is Node.js specific; non-Node.js environments (like Deno) will require an E2B API key for code execution.
Verified SafeView Analysis
The framework allows AI agents to generate and execute code within sandboxed environments (Node.js `vm` module or E2B remote sandboxes). While safeguards like `vm.Script.runInNewContext` and external sandboxes (E2B) are used, `vm` isolation is explicitly noted as 'not perfect for untrusted code'. Running AI-generated code, even sandboxed, carries inherent risks. Content Security Policies (CSP) are applied to UI widgets to mitigate XSS, and DNS rebinding protection is available for production deployments. The CLI includes input validation to prevent path traversal and protected directory name usage during project scaffolding. No hardcoded secrets were found; environment variables are used for sensitive configurations.
Updated: 2025-12-06GitHub
100
5495
High Cost
Klavis-AI icon

klavis

by Klavis-AI

Sec8

Creates an AI agent that uses Klavis Strata to interact with Gmail and YouTube through MCP, demonstrating how to summarize a YouTube video and email the summary.

Setup Requirements

  • ⚠️Requires a Klavis API Key (available from klavis.io)
  • ⚠️Requires an OpenAI API Key (available from platform.openai.com)
  • ⚠️The email address 'golden-kpop@example.com' in the example code must be replaced with your actual email address
  • ⚠️Will open a browser window for OAuth authorization with Gmail and YouTube on first use
Verified SafeView Analysis
The example code itself primarily delegates credential handling and OAuth flows to the Klavis platform and standard libraries (LangChain, OpenAI SDK). It uses environment variables (KLAVIS_API_KEY, OPENAI_API_KEY) for authentication, which is standard practice for development but requires secure management in production. OAuth for integrated services (Gmail, YouTube) is handled by the Klavis platform, abstracting away complex, sensitive flows from the example application. The underlying MCP servers within the monorepo generally show good practices for secret handling (ContextVars, base64-decoded `x-auth-data` headers) and API interaction. No direct 'eval' or obvious malicious patterns were found in the provided code snippets.
Updated: 2025-12-06GitHub
100
1822
Low Cost
lemonade-sdk icon

lemonade

by lemonade-sdk

Sec8

The Lemonade C++ Server provides a lightweight, high-performance HTTP API for local Large Language Model (LLM) inference and model management, leveraging hardware accelerators like AMD Ryzen AI NPU, integrated GPUs, and discrete GPUs.

Setup Requirements

  • ⚠️Requires a C++ development environment (e.g., Visual Studio 2019+ on Windows, build-essential on Linux, Xcode tools on macOS) and CMake to build from source.
  • ⚠️Initial setup requires an active internet connection to download build dependencies, `ryzenai-server`, `llama.cpp` binaries, `whisper.cpp` binaries, and LLM models from GitHub/Hugging Face.
  • ⚠️Optimal performance, especially for NPU acceleration with Ryzen AI, depends on having up-to-date and compatible GPU/NPU drivers installed on the host system.
Verified SafeView Analysis
The server utilizes `system()` calls for external tool checks (e.g., `where flm`, `vulkaninfo`) and for installing/extracting binaries (e.g., `unzip`, PowerShell `Expand-Archive`). While the commands and paths are largely constructed internally or derived from trusted sources (GitHub/Hugging Face releases), and some user input is validated (e.g., custom llama-server args), any interaction with external processes carries inherent risk. The HTTP server defaults to binding on `localhost`, which mitigates the impact of its permissive CORS policy (`Access-Control-Allow-Origin: *`). Single-instance protection is implemented via system-wide mutexes or file locks.
Updated: 2025-12-05GitHub
100
1661
High Cost
jamubc icon
Sec8

A Model Context Protocol (MCP) server that enables AI assistants to interact with the Google Gemini CLI for comprehensive code and file analysis, structured edit suggestions, and creative brainstorming.

Setup Requirements

  • ⚠️Requires Node.js v16.0.0 or higher
  • ⚠️Requires Google Gemini CLI installed and configured separately (including API key setup)
  • ⚠️Primarily designed and tested for Claude Desktop or Claude Code MCP clients
Verified SafeView Analysis
The server executes external commands via `child_process.spawn`. It correctly sets `shell: false` in `commandExecutor.ts`, significantly mitigating shell injection risks by treating arguments as distinct elements rather than a single shell command string. User-provided prompts are handled with care, including wrapping potentially problematic characters (like '@') in quotes before passing them to the Gemini CLI. No direct `eval` calls or obfuscation were found. There are no hardcoded secrets; API keys are expected to be configured with the Google Gemini CLI itself. The explicit 'sandbox' mode leverages Gemini's built-in safety features. Logging of command executions is a good practice for auditing. The primary security considerations shift to the underlying Gemini CLI and the permissions it operates with.
Updated: 2025-11-25GitHub
100
1086
Medium Cost
hashicorp icon
Sec8

The Terraform MCP Server provides seamless integration with Terraform Registry APIs and HCP Terraform/Terraform Enterprise, enabling AI assistants (LLMs) to generate high-quality Terraform code and automate IaC workflows.

Setup Requirements

  • ⚠️Requires Docker to be installed and running.
  • ⚠️Requires an AI assistant (LLM) that supports the Model Context Protocol (MCP) to interact with the server.
  • ⚠️Full functionality, especially with HCP Terraform/Terraform Enterprise, requires a valid TFE_TOKEN and TFE_ADDRESS to be configured (typically via environment variables).
Verified SafeView Analysis
The project implements good security practices including CORS configuration with allowed origins, TLS support for HTTP transport (required for non-localhost), and clear warnings against using with untrusted clients/LLMs. Sensitive values like TFE_TOKEN are expected via environment variables and are explicitly prevented from being passed via URL query parameters. Rate limiting is also implemented. The default Docker base image uses 'scratch' for a smaller attack surface. Some tools are marked as 'destructive' but require explicit enablement via `ENABLE_TF_OPERATIONS` environment variable and user confirmation for critical actions, but the overall security relies on the calling LLM's adherence to these confirmations.
Updated: 2025-12-05GitHub
100
3346
High Cost
exa-labs icon

exa-mcp-server

by exa-labs

Sec9

Provides AI agents with real-time web search, code context, and deep research capabilities via the Exa AI platform to enhance coding and information retrieval tasks.

Setup Requirements

  • ⚠️Requires an Exa AI API Key, which must be obtained from dashboard.exa.ai/api-keys and provided via environment variable (EXA_API_KEY) or configuration.
  • ⚠️Most tools (e.g., deep_search_exa, crawling_exa, company_research_exa, linkedin_search_exa, deep_researcher_start, deep_researcher_check) are disabled by default and must be explicitly enabled using the `tools` parameter in the server configuration.
  • ⚠️The deep research workflow (`deep_researcher_start` followed by `deep_researcher_check`) requires a multi-turn, polling interaction pattern where the AI agent must repeatedly call `deep_researcher_check` until the task status is 'completed'.
Verified SafeView Analysis
The server correctly handles the Exa AI API key, prioritizing a configuration parameter over an environment variable, and uses secure `axios` calls with timeouts for external API interactions. There is no usage of `eval` or intentional obfuscation. The main security consideration is the secure management of the `EXA_API_KEY` by the user, as the server itself does not introduce direct vulnerabilities.
Updated: 2025-12-05GitHub
100
2046
Low Cost
sparfenyuk icon

mcp-proxy

by sparfenyuk

Sec6

The mcp-proxy allows switching between MCP server transports, primarily enabling communication between stdio and SSE/StreamableHTTP endpoints.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️Installation via `uv` or `pipx` is recommended.
  • ⚠️For 'SSE to stdio' mode, exposing on non-localhost (`--host 0.0.0.0`) or using `--allow-origin='*'` without proper authentication (e.g., OAuth2 with `--client-id`, `--client-secret`, `--token-url`) creates significant security risks by allowing remote command execution.
  • ⚠️Requires an external MCP server or client to proxy for meaningful functionality.
Verified SafeView Analysis
The server's 'SSE to stdio' mode allows arbitrary local commands to be executed via a network endpoint. If the `--host` is set to `0.0.0.0` or a public IP, and authentication (OAuth2) is not configured, or `--allow-origin='*'` is used, this could allow unauthenticated users on the network to execute arbitrary commands on the host system where `mcp-proxy` is running. While `shlex.split` is used for command parsing, preventing basic shell injection, the core functionality allows specifying any executable. Care must be taken to secure network exposure and command inputs.
Updated: 2025-12-02GitHub
100
3175
High Cost
cloudflare icon
Sec7

Enable Large Language Models (LLMs) to interact with and automate tasks across various Cloudflare services through a standardized Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires a Cloudflare account for deployment and API access.
  • ⚠️Requires `wrangler` CLI for deployment and local development.
  • ⚠️Setting up OAuth involves creating Cloudflare API tokens with specific scopes, KV namespaces, and secrets.
  • ⚠️Some advanced features may require a paid Cloudflare Workers plan.
  • ⚠️Local development for external contributors requires setting `DEV_DISABLE_OAUTH=true` and providing a `DEV_CLOUDFLARE_API_TOKEN` (global API token with broad permissions, which is sensitive) or setting up OAuth credentials.
  • ⚠️The project is a monorepo; each 'server' (app) is a distinct deployable unit, and there is no single command to run 'this server' (the entire monorepo) as a monolithic application.
Review RequiredView Analysis
The repository is a monorepo containing multiple distinct MCP servers, each leveraging Cloudflare services. Authentication is handled via Cloudflare OAuth or API tokens, with granular scopes defined per server to limit access. Sensitive credentials like `MCP_COOKIE_ENCRYPTION_KEY`, `CLOUDFLARE_CLIENT_ID`, and `CLOUDFLARE_CLIENT_SECRET` are expected to be provided via environment variables, not hardcoded. Logging and error tracking (via Sentry and Analytics Engine) are integrated for observability. A significant security consideration is the `apps/sandbox-container` server, which is explicitly designed to allow arbitrary code execution (`exec`) and file system operations within its environment. While this is its intended function as a sandbox, it introduces an inherent risk if not deployed and managed with robust isolation (e.g., secure containerization) and strict access controls. An LLM interacting with this tool could potentially be prompted to perform harmful actions within the sandboxed environment. The documentation indicates per-user Durable Object instances for containers and a user blocklist mechanism, which improves isolation and access control. However, the presence of direct `child_process.exec` calls in a server component requires careful consideration of the execution environment's isolation from the host system.
Updated: 2025-12-02GitHub
100
10371
Medium Cost
ruvnet icon

claude-flow

by ruvnet

Sec6

Orchestrates AI agents (Claude) for development workflows, including code generation, testing, analysis, research, and project migration, with MLOps capabilities.

Setup Requirements

  • ⚠️Requires Node.js (>=14.0.0) and npm for core system and CLI.
  • ⚠️Requires Python (3.x) with ML libraries (e.g., pandas, numpy, scikit-learn, torch) for MLE-STAR agents.
  • ⚠️Requires Claude Code CLI (`claude`) to be installed and configured with an Anthropic API Key (Paid service).
  • ⚠️Requires GitHub CLI (`gh`) for GitHub integration features.
  • ⚠️Utilizes SQLite database, often requiring specific `better-sqlite3` native bindings.
  • ⚠️Relies heavily on environment variables (e.g., `ANTHROPIC_API_KEY`, `CLAUDE_FLOW_ENV`, `GITHUB_TOKEN`).
Review RequiredView Analysis
Architecturally includes security features like authentication, permissions, and audit trails. However, default configurations (e.g., hardcoded admin/service credentials in `auth-service.ts`, default unconfigured JWT_SECRET, potential for unsafe `subprocess.run` calls in Python agents) are insecure for production without explicit hardening. CORS policies might be too permissive by default in API routes.
Updated: 2025-12-04GitHub
PreviousPage 2 of 554Next