Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(9120)

85
133
Low Cost
agentfront icon

frontmcp

by agentfront

Sec9

The CodeCall plugin provides AgentScript-based meta-tools for orchestrating MCP tools, enabling programmatic discovery, description, execution, and invocation of server capabilities within a sandboxed JavaScript environment.

Setup Requirements

  • ⚠️Requires Node.js >= 22.0.0.
  • ⚠️Uses Yarn and Corepack (run `corepack enable` once).
  • ⚠️TypeScript projects require specific `tsconfig.json` options for decorators (`experimentalDecorators: true`, `emitDecoratorMetadata: true`).
  • ⚠️Utilizes `@huggingface/transformers` for local embedding generation for tool search, which may involve an initial download of model weights.
Verified SafeView Analysis
The CodeCall plugin allows execution of user-provided AgentScript (JavaScript) in a sandboxed VM (`enclave-vm`). While inherently risky, the project implements strong security measures: 1. Sandboxing: Scripts run in `enclave-vm`, preventing direct access to Node.js internals like `process` or `require`. 2. Malicious Pattern Detection: Explicitly blocks use of `eval`, `Function` constructor, and dynamic `import` statements within the VM. 3. Self-Reference Guard: Prevents `codecall` meta-tools (like `codecall:execute`) from calling themselves, mitigating recursive attacks. 4. Tool Access Control: Configurable blacklists/whitelists restrict which tools can be invoked from within AgentScript. 5. Output Sanitization: Limits output size and removes stack traces to prevent data leakage and excessive payload sizes. 6. Script Size Limits: Scripts are constrained by length to prevent resource exhaustion. These comprehensive controls significantly mitigate the risks associated with executing untrusted code, making it reasonably safe for its intended purpose.
Updated: 2026-01-19GitHub
85
7
Low Cost
Strom-Capital icon

mcp-server-db2i

by Strom-Capital

Sec9

Enables AI assistants to query and inspect IBM DB2 for i databases using the Model Context Protocol (MCP) via stdio or HTTP.

Setup Requirements

  • ⚠️Requires Java Runtime Environment (JRE) 11 or higher for the JDBC driver.
  • ⚠️Requires Node.js 20.6 or higher for proper `--env-file` support.
  • ⚠️Requires access to an IBM i system with DB2 for i (V7R3+).
Verified SafeView Analysis
The server demonstrates a strong focus on security. All SQL queries are validated using both AST parsing and regex patterns to ensure they are read-only (SELECT statements only) and block dangerous operations (DML, DDL, DCL, system commands like QCMDEXC). Sensitive credentials are handled via environment variables with a strong recommendation for file-based Docker secrets. The HTTP transport includes OAuth-style token authentication with `timingSafeEqual` to prevent timing attacks, IP-based rate limiting for authentication attempts, and explicit warnings/configuration for TLS/HTTPS. Logging redacts sensitive information like passwords. Resource limits (max sessions, query result limits) are configurable to prevent abuse.
Updated: 2026-01-18GitHub
85
452
Medium Cost
PV-Bhat icon
Sec9

Provides metacognitive oversight and self-improvement capabilities for AI agents using Chain-Pattern Interrupts (CPI) to prevent reasoning lock-in and over-engineering.

Setup Requirements

  • ⚠️Requires Node.js >=20.
  • ⚠️Requires API keys for external LLM providers (e.g., Gemini, OpenAI, Anthropic, OpenRouter), which typically involve costs.
  • ⚠️Relies on external LLM API connectivity; performance and availability depend on the chosen provider.
Verified SafeView Analysis
The server uses environment variables for API keys and `npm audit` for dependency vulnerability checks. CLI installers handle sensitive files with secure permissions (0o600). Dynamic imports for LLM clients are used, and `execa` is utilized for spawning processes, which is generally safe for CLI commands. The HTTP transport uses CORS, defaulting to '*' origin, which is common for plug-and-play MCP servers but should be restricted in production for sensitive endpoints. No 'eval' or obvious malicious patterns found.
Updated: 2026-01-14GitHub
85
556
High Cost
mark3labs icon
Sec9

Provides secure and controlled access to the local filesystem via the Model Context Protocol (MCP) for AI agents and other applications.

Setup Requirements

  • ⚠️Requires explicit specification of allowed directories at startup for security.
  • ⚠️If not using Docker, requires a Go development environment for installation or compilation.
  • ⚠️When using Docker with host filesystem interaction, proper volume mounting is necessary.
Verified SafeView Analysis
The server implements robust path validation including absolute path resolution, explicit allowed directories, and comprehensive symlink resolution with security checks to prevent directory traversal attacks. All file operations leverage this validation. The 'modify_file' tool uses regex, which could theoretically be vulnerable to ReDoS if patterns are untrusted, but this is mitigated by the overall path restrictions. No hardcoded secrets or arbitrary code execution mechanisms ('eval') were found. The server operates with the privileges of its running user, which is standard for local tools.
Updated: 2025-11-24GitHub
85
8
Low Cost
coseto6125 icon
Sec8

Compares prices for products across multiple Taiwanese e-commerce platforms.

Setup Requirements

  • ⚠️Requires Python 3.13 or newer.
  • ⚠️Requires specific configuration for LLM clients (Claude, Gemini, ChatGPT, Perplexity AI) to integrate the MCP server.
  • ⚠️Installation of `never-primp` and its underlying Rust extensions (`never-jscore`, `regex-rs`) might introduce compilation dependencies on certain systems.
Verified SafeView Analysis
The project relies on web scraping techniques (using `never-primp` for impersonated HTTP requests), which are inherently susceptible to upstream website changes. No critical vulnerabilities like `eval`, hardcoded secrets, or direct command injection patterns were identified in the provided source code. The commented-out `playwright` dependency, if activated, would increase resource usage but isn't a direct security risk.
Updated: 2025-12-08GitHub
85
8
Low Cost
eznix86 icon

mcp-gateway

by eznix86

Sec4

Aggregates multiple Model Context Protocol (MCP) servers into a single gateway, providing unified search, description, and invocation for their tools, primarily to mitigate context window limits for AI clients.

Setup Requirements

  • ⚠️Requires Bun runtime to be installed (not Node.js).
  • ⚠️Mandatory `config.json` setup (e.g., `~/.config/mcp-gateway/config.json`) defining upstream MCP servers to connect to.
  • ⚠️Relies on other MCP servers (local or remote) to provide actual tools; the gateway itself only offers discovery and invocation tools.
Review RequiredView Analysis
The gateway's 'local' server configuration allows direct execution of arbitrary commands defined in the `command` field of `config.json`. If an attacker can modify this configuration file, they can achieve arbitrary code execution on the host machine. This poses a significant security risk if the configuration is not absolutely trusted and secured from modification.
Updated: 2026-01-18GitHub
85
7
Low Cost
akshayaggarwal99 icon

amp

by akshayaggarwal99

Sec8

Provides a persistent, structured memory (Short-Term, Long-Term, and Graph) for AI agents, mimicking a hippocampus for continuous learning and recall.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️Requires `uv` or `pip` for installation.
  • ⚠️FastEmbed model (BAAI/bge-small-en-v1.5) is downloaded locally on first run.
  • ⚠️Local LLM features (entity extraction, summarization) require a locally running Ollama server with a compatible model (default: gemma3:4b).
Verified SafeView Analysis
The server primarily operates locally, minimizing external network attack surface. It uses `json.loads` for metadata which, if not carefully handled in subsequent processing, could be a vector for injection. However, `sqlite-utils` parameterizes inputs, reducing direct SQL injection risk. No hardcoded secrets or direct `eval` on untrusted input were observed. The default LLM and embedding models run locally via Ollama and FastEmbed, reducing reliance on third-party APIs for core functionality. Data is stored in a SQLite database in the user's home directory.
Updated: 2025-12-13GitHub
84
195
Medium Cost
mihaelamj icon

cupertino

by mihaelamj

Sec8

Cupertino is an Apple Documentation Crawler & MCP Server that provides accurate, up-to-date Apple API documentation and sample code to AI agents and developers for offline and AI-assisted development.

Setup Requirements

  • ⚠️Requires macOS 15 (Sequoia) or later.
  • ⚠️Requires ~2-3 GB of disk space for full documentation databases.
  • ⚠️Installation via `install.sh` requires `sudo` access.
Verified SafeView Analysis
The installation script (`install.sh`) requires `sudo` access to install the binary to `/usr/local/bin`, which is a standard practice for system-wide CLI tools. The tool fetches content from external sources like Apple Developer (`developer.apple.com`), Swift.org (`swift.org`), and GitHub (`github.com`). It uses `WKWebView` for web crawling, which provides a degree of sandboxing. Sample code fetching can clone a specific GitHub repository (`mihaelamj/cupertino-sample-code`); trust in this mirror repository is assumed. SQLite databases are used for indexing, with operations appearing to use parameterized queries, mitigating SQL injection risks. No obvious `eval` or direct code execution from untrusted input/remote content is evident. Environment variables for API tokens (`GITHUB_TOKEN`) are used, not hardcoded secrets. Overall, the security posture is reasonable for its function, with inherent risks of network fetches and system installation being transparently handled.
Updated: 2025-12-31GitHub
84
5
Medium Cost
olibuijr icon

iceland-news-mcp

by olibuijr

Sec3

An MCP server that fetches and provides structured access to the latest Icelandic news from various RSS sources, integrated with a voice-activated AI assistant for news summaries and search.

Setup Requirements

  • ⚠️Requires multiple services to set up: a Node.js MCP server, a Python Whisper STT service, and a SvelteKit web UI.
  • ⚠️Requires a Google API Key for Gemini Live API, which is a paid service (though a free tier may be available). The key is exposed client-side.
  • ⚠️The Python Whisper STT service is designed for GPU (CUDA) for fast inference; performance will be significantly degraded on CPU.
  • ⚠️The web UI and its API proxy hardcode a specific local IP address (`http://192.168.8.191`) for the Whisper STT service, requiring manual adjustment if the service runs elsewhere.
Review RequiredView Analysis
A critical security flaw exists where the `GOOGLE_API_KEY` is fetched by the client-side SvelteKit app via a server endpoint (`/api/google/api-key`). This directly exposes the API key to the browser, making it vulnerable to interception and misuse. Additionally, the Whisper STT service listens on `0.0.0.0` and enables CORS for all origins (`*`), exposing it widely on the local network without restriction. Hardcoded local IP addresses for the Whisper service within the web UI (`http://192.168.8.191:7000` and `:7050`) make deployment brittle and suggest network configuration assumptions. No `eval` or direct system command injection vulnerabilities were found in the provided server-side code.
Updated: 2025-12-03GitHub
84
457
Low Cost
dbt-labs icon

dbt-mcp

by dbt-labs

Sec3

Provides a Model Context Protocol (MCP) server that exposes various dbt-related functionalities (CLI, Semantic Layer, Discovery, Admin API, Code Generation, LSP) as tools for AI agents to interact with dbt projects in Core, Fusion, and Platform environments.

Setup Requirements

  • ⚠️Requires `uv` and `Task` to be installed for local development and examples.
  • ⚠️Relies heavily on environment variables (e.g., `DBT_HOST`, `DBT_TOKEN`, `DBT_PROD_ENV_ID`, `OPENAI_API_KEY`) for dbt Platform connectivity and LLM authentication.
  • ⚠️The `dbt_path` setting, which defaults to 'dbt', expects the dbt CLI executable to be available in the system's PATH or a specific location. Custom LSP binaries also require detection or a specified path.
Review RequiredView Analysis
The server directly invokes external dbt CLI commands (`subprocess.Popen` in `src/dbt_mcp/dbt_cli/tools.py` and `src/dbt_mcp/dbt_codegen/tools.py`) and passes arguments originating from LLM output (e.g., `selector`, `vars`, `sql_query`). There is no explicit sanitization or strict validation of these string arguments to prevent shell or SQL injection before they are passed to the underlying `dbt` binary. While arguments are generally passed as a list to `Popen` (safer than `shell=True`), a sophisticated LLM could craft inputs that exploit the way `dbt` or the shell interprets these arguments, leading to arbitrary command execution or data manipulation (especially via the `dbt show` tool which runs arbitrary SQL). This lack of robust input sanitization for external process execution represents a significant security risk when integrating with potentially untrusted or adversarial LLMs.
Updated: 2026-01-16GitHub
84
268
Medium Cost
oracle icon

mcp

by oracle

Sec3

This repository provides a collection of Model Context Protocol (MCP) servers to enable AI agents to interact with and manage various Oracle Cloud Infrastructure (OCI) services, Oracle Database, and MySQL databases through natural language.

Setup Requirements

  • ⚠️Requires OCI CLI configuration (~/.oci/config) with appropriate credentials for OCI-specific tools.
  • ⚠️Requires Java Development Kit (JDK) 17+ for Java-based servers.
  • ⚠️Requires Python 3.13+ for most Python-based OCI servers (Python 3.11 for oci-pricing, 3.12 for MySQL).
Review RequiredView Analysis
Multiple servers (oci-api-mcp-server, oci-compute-instance-agent-mcp-server) directly enable remote command execution on the host or target OCI instances. Database servers (mysql-mcp-server, dbtools-mcp-server, oracle-db-mcp-java-toolkit) allow direct SQL execution or generation, which relies heavily on the safety of the generated SQL or underlying database procedures. The oracle-db-mcp-java-toolkit has potential for arbitrary file access via 'filePath' in its log analysis tools. While oci-api-mcp-server includes a denylist and audit logging, denylists are inherently imperfect. Many OCI-specific tools grant high-privilege actions (e.g., creating/deleting resources, generating authentication tokens). These functionalities introduce significant risks if not strictly controlled by OCI IAM policies and careful LLM prompting, or if the LLM itself is compromised or misconfigured. No direct 'eval' or intentional obfuscation was found.
Updated: 2026-01-16GitHub
83
454
Low Cost
director-run icon

director

by director-run

Sec6

Provides a local-first gateway for AI agents to manage and execute MCP playbooks, enabling tool orchestration, unified OAuth, and client integrations.

Setup Requirements

  • ⚠️Requires a PostgreSQL database for persistence.
  • ⚠️Requires Bun (Node.js >=22.0.0) runtime environment, also uses npx/uvx for stdio servers.
  • ⚠️Critical security flags `DANGEROUSLY_ALLOW_ARBITRARY_STDIO_SERVERS` and `DANGEROUSLY_ALLOW_INSECURE_HTTP_SERVERS` must remain `false` (default) in production or shared environments due to severe risks.
Review RequiredView Analysis
The server includes flags (`DANGEROUSLY_ALLOW_ARBITRARY_STDIO_SERVERS`, `DANGEROUSLY_ALLOW_INSECURE_HTTP_SERVERS`) that, if enabled, allow arbitrary command execution and insecure HTTP connections, posing significant security risks in multi-tenant or production environments. Development `docker-compose.yml` files contain hardcoded PostgreSQL passwords ('travel-china-spend-nothing'). The registry enrichment process can dynamically execute code from external Git repositories via `stdio` clients if `DANGEROUSLY_ENRICH_TOOLS_DURING_SEED` is enabled, which is a supply chain risk. Robust OAuth and API key management are implemented with encryption and rate limiting.
Updated: 2026-01-08GitHub
PreviousPage 20 of 760Next