Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(7632)

83
3
Medium Cost
Hywzy icon
Sec4

An AI-powered Spring Boot server for student management, demonstrating tool-use capabilities with an external large language model.

Setup Requirements

  • ⚠️Requires JDK 17+
  • ⚠️Requires an Alibaba Cloud Dashscope API Key (or a compatible OpenAI-like API) for AI interactions.
  • ⚠️The API key must be replaced in `application.yaml` for the AI functionality to work.
Review RequiredView Analysis
The `application.yaml` file contains a hardcoded API key for an AI service (`spring.ai.openai.api-key`), which is a critical security vulnerability. This key should be managed securely, preferably through environment variables or a secrets management system, and not committed to source control. The `README` also explicitly states that the deepseek api-key needs to be replaced, confirming this issue.
Updated: 2025-12-11GitHub
83
275
High Cost
szeider icon

consult7

by szeider

Sec7

Consult7 enables AI agents to consult large context window models via OpenRouter for analyzing extensive file collections such as codebases and document repositories.

Setup Requirements

  • ⚠️Requires an OpenRouter API Key (Paid service).
  • ⚠️Requires Python 3.11 or higher.
  • ⚠️Input 'files' and 'output_file' parameters must use absolute paths.
Verified SafeView Analysis
The server's core function involves reading and writing files from the local filesystem based on user-provided absolute paths. While this is inherent to its purpose, it means a user (or compromised agent) could instruct the server to read or write to arbitrary files on the system that the running process has permission to access. The code employs some basic path validation (absolute paths, wildcards in filename only) and ignores common sensitive paths like '.git' or 'secrets.py', but does not implement a full sandboxing mechanism. There are no direct uses of 'eval' or obvious command injection vulnerabilities. The API key is passed via CLI and not hardcoded. The primary risk lies in the broad file system access if the server is run with elevated privileges or used carelessly on a system with sensitive files accessible to the user account.
Updated: 2025-12-12GitHub
83
4
Medium Cost
TranChiHuu icon
Sec4

A Model Context Protocol (MCP) server that enables AI assistants to query PostgreSQL and MySQL databases for schema introspection and data retrieval.

Setup Requirements

  • ⚠️Requires Node.js 18+ runtime environment.
  • ⚠️Requires access to an existing PostgreSQL or MySQL database.
  • ⚠️SQL injection vulnerability exists when connecting to MySQL; ensure `tableName` inputs from AI assistants are fully trusted or manually sanitize the code.
Review RequiredView Analysis
CRITICAL SQL Injection Vulnerability: The MySQL `describe_table` tool directly interpolates the `tableName` argument into the SQL query (`DESCRIBE ${tableName}`) without proper escaping (e.g., `mysql.escapeId` or using `connection.execute` with `??` placeholders). This allows a malicious `tableName` (e.g., `users; DROP TABLE sensitive_data;`) to execute arbitrary SQL commands. A similar risk exists for `list_tables` if the database name itself (from `DB_DATABASE` or `connect_database` parameters) could be injected. PostgreSQL queries appear to use parameterized queries correctly where applicable. The server correctly uses environment variables for credentials, mitigating hardcoded secret risks. SSL is supported for connections. However, the direct SQL injection for MySQL is a critical flaw.
Updated: 2025-12-04GitHub
83
4
Low Cost
faalantir icon

mcp-agent-identity

by faalantir

Sec8

Provides cryptographic identity, signing, and verification capabilities for AI agents to ensure attribution and non-repudiation of their actions.

Setup Requirements

  • ⚠️Identity files (`identity.json`) may be stored in temporary directories if the default project path is not writable, leading to non-persistent identities unless `AGENT_IDENTITY_PATH` is explicitly configured.
  • ⚠️Requires a Node.js environment to run the MCP server.
Verified SafeView Analysis
The server uses standard Node.js `crypto` module functions for key generation, signing, and verification (RSA-2048, SHA256). Input to cryptographic operations (signatures, public keys) is sanitized for robustness. No `eval` or obfuscation found. The primary security consideration for local deployments is the storage of private keys in a local `identity.json` file, which the README explicitly warns should not be used in shared environments without proper file permissions. The roadmap indicates future plans for HSM/KMS integration to address this for enterprise use cases.
Updated: 2025-11-30GitHub
83
3
Low Cost
Jaycee1996 icon
Sec8

A Model Context Protocol (MCP) server that provides web scraping, crawling, search, and structured data extraction capabilities using the Firecrawl API.

Setup Requirements

  • ⚠️Requires a Firecrawl API Key for cloud usage, obtainable from firecrawl.dev.
  • ⚠️Requires Node.js version 18.0.0 or higher.
  • ⚠️For self-hosted instances, interactive web actions (e.g., click, write, executeJavascript) are enabled by default, which could be exploited by untrusted prompts if not carefully managed.
Verified SafeView Analysis
The server implements a 'SAFE_MODE' for cloud deployments, disabling potentially dangerous interactive web actions (e.g., JavaScript execution, clicks) during scraping, which significantly enhances security. For self-hosted instances, these interactive actions are enabled by default and should be used with caution, as malicious prompts could exploit them. API keys are handled via environment variables or request headers, preventing hardcoded secrets. No direct 'eval' or unsanitized shell execution was found in the provided source code.
Updated: 2025-12-01GitHub
83
3
Low Cost

code-sage

by faxioman

Sec6

A backend service for a code-related application, likely a development tool or an AI-powered code assistant.

Setup Requirements

  • ⚠️Rust toolchain (rustup) required
  • ⚠️Cargo build system required
Review RequiredView Analysis
Rust's memory safety provides a baseline security level, reducing common vulnerability classes like buffer overflows. As a server application, it will inherently expose network interfaces. Without access to the source code or a README, specific security features, input validation, authentication, authorization, or potential attack surfaces cannot be assessed. No direct 'eval' or obfuscation is indicated by the file list.
Updated: 2025-11-18GitHub
83
322
Medium Cost
f2c-ai icon

f2c-mcp

by f2c-ai

Sec8

A Model Context Protocol server for Figma Design to Code, enabling AI tools to convert Figma designs into production-ready frontend code.

Setup Requirements

  • ⚠️Requires a Figma personal access token for API authentication.
  • ⚠️Requires Node.js (>=16.0.0) environment to run.
  • ⚠️Network access to Figma and F2C APIs is necessary.
Verified SafeView Analysis
The server allows the Figma personal access token (`personalToken`) to be passed and updated via HTTP request headers. While this offers flexibility for IDE integration, in a multi-client or shared server deployment scenario, one client could potentially overwrite another's token. However, this server is primarily designed for local or personal IDE integration, where this behavior is likely intended and less of a direct threat. No 'eval' or other obvious malicious patterns were found. Relies on external Figma and F2C APIs, so security is also dependent on those third-party services.
Updated: 2025-11-27GitHub
83
3
Low Cost
vibepush-dev icon

vibepush

by vibepush-dev

Sec5

VibePush is an AI-managed deployment platform that enables AI agents to deploy, monitor, and fix applications on self-hosted VPS servers using natural language, leveraging the MCP protocol.

Setup Requirements

  • ⚠️Project is in early validation stage; MVP implementation is not yet complete, so it's not ready to be deployed or run.
  • ⚠️Requires a VPS for installation.
  • ⚠️Relies on K3s (lightweight Kubernetes) for underlying container orchestration.
  • ⚠️Requires an MCP-compatible AI agent (e.g., Claude, with planned support for ChatGPT, Gemini, etc.) to issue commands.
Review RequiredView Analysis
The provided 'source code' consists solely of the project's README.md file, which explicitly states the project is in 'early validation stage' and the 'MVP implementation' is not yet complete. There is no executable code available for a security audit to check for 'eval', obfuscation, hardcoded secrets, network risks, or malicious patterns. Security cannot be assessed at this time.
Updated: 2025-12-05GitHub
83
627
High Cost
rusiaaman icon

wcgw

by rusiaaman

Sec4

Empowering chat applications to code, build, and run on the local machine using an MCP server with tightly integrated shell and code editing tools.

Setup Requirements

  • ⚠️Requires 'uv' package manager to be installed.
  • ⚠️Requires either 'OPENAI_API_KEY' or 'ANTHROPIC_API_KEY' environment variable for local CLI usage.
  • ⚠️Windows users must run the server within WSL.
  • ⚠️The 'screen' utility is used for terminal multiplexing (optional but recommended for features like attaching to the AI's terminal).
Review RequiredView Analysis
The server's core functionality grants significant control over the local filesystem and shell, posing an inherent high risk if the LLM acts maliciously or unexpectedly. The 'BashCommand' tool, which executes arbitrary shell commands, is explicitly warned about in the README due to potential data loss. A critical security concern is that the 'code_writer' mode, designed for restricted operation, currently only instructs the LLM about allowed commands but does not enforce these restrictions in code (except when the allowed command list is empty, which disables the tool). This discrepancy between prompt and actual enforcement can mislead users into believing operations are more secure than they are. File modification tools ('FileWriteOrEdit', 'FileEdit', 'WriteIfEmpty') allow writing to any path the agent has permissions for, though 'read-before-overwrite' protections help prevent accidental overwrites. No hardcoded secrets or direct network ports are exposed by the server itself, relying on environment variables for API keys and an MCP client for communication.
Updated: 2025-12-13GitHub
83
4
High Cost
M507 icon
Sec2

An AI-powered Security Operations Center (SOC) agent designed to automate incident response, case management, threat intelligence lookups, EDR actions, and SIEM investigations.

Setup Requirements

  • ⚠️Requires extensive API keys and configuration for multiple integrated security platforms (SIEM, EDR, Case Management, CTI, Engineering).
  • ⚠️Requires a Python 3.x environment with dependencies (e.g., requests, fastapi, uvicorn, pydantic, marked.js).
  • ⚠️The use of `eval()` in the rules engine for executing rule conditions and actions presents a critical security risk, allowing arbitrary code execution if rule definitions are compromised or untrusted.
  • ⚠️Relies on a `cursor-agent` binary or dependency for certain code execution functionalities, as indicated by `cursor_agent.py`.
Review RequiredView Analysis
CRITICAL: The `RulesEngine` (`src/mcp/rules_engine.py`) uses `eval()` to process rule `trigger` and `action` strings. If an attacker can manipulate these rule definitions (e.g., through compromised configuration files or an unauthenticated API that allows rule modification), this allows for arbitrary code execution on the server. This is a severe vulnerability. Additionally, the HTTP clients (e.g., `iris_http.py`, `elastic_http.py`) expose a `verify_ssl` parameter which defaults to `True` but is explicitly set to `False` in the `config.json` example and can be configured as `False`. Running with `verify_ssl=False` in production makes the application vulnerable to Man-in-the-Middle (MITM) attacks. The system relies heavily on API keys/tokens for numerous integrations (SIEM, EDR, Case Management, CTI, Engineering). Compromise of these credentials could lead to significant security breaches or unauthorized actions in integrated security tools. Secure management of these secrets is paramount.
Updated: 2025-12-05GitHub
83
3
High Cost
2dogsandanerd icon

DAUT

by 2dogsandanerd

Sec4

An AI-powered tool for automatically generating and updating documentation for codebases, supporting multiple languages and exposing RAG capabilities via an MCP server.

Setup Requirements

  • ⚠️Requires Python 3.9+ to run.
  • ⚠️Requires Ollama to be running and accessible (default: http://localhost:11434) for AI generation and embeddings.
  • ⚠️Requires ChromaDB to be running and accessible (default: localhost:8000) for vector storage.
  • ⚠️The MCP server's default API key ('secret-token-123') is insecure and *must* be changed via the 'MCP_API_KEY' environment variable.
Review RequiredView Analysis
The MCP server defaults to a hardcoded insecure API key ('secret-token-123') if the 'MCP_API_KEY' environment variable is not explicitly set, making it vulnerable by default. It also binds to '0.0.0.0', making it publicly accessible. Users *must* change the API key to a strong, unique value and configure network access appropriately. However, directory traversal for file content access is prevented.
Updated: 2025-12-14GitHub
82
812
Medium Cost
Azure-Samples icon

AI-Gateway

by Azure-Samples

Sec7

Provides a playground and lab environment to experiment with the Model Context Protocol (MCP) using Azure API Management to enable plug-and-play AI tools for Large Language Models (LLMs).

Setup Requirements

  • ⚠️Requires Python 3.12+.
  • ⚠️Requires an Azure Subscription with Contributor + RBAC Administrator or Owner roles.
  • ⚠️Requires Azure CLI installed and signed into an Azure subscription.
  • ⚠️Extensive Azure infrastructure setup (Azure API Management, Azure OpenAI, Azure AD app registrations, Managed Identities) is required and managed via Bicep in labs.
Verified SafeView Analysis
The MCP servers themselves (Starlette/FastMCP apps) do not appear to have direct code injection vulnerabilities with 'eval' or 'subprocess.run' on user input. They rely on environment variables for sensitive Azure AD/APIM configuration. Network calls are made using 'httpx' to a configured 'APIM_GATEWAY_URL'. The 'shared/utils.py' module uses 'subprocess.run(command, shell=True)' for executing Azure CLI commands. While this function is used in the context of deployment/cleanup scripts within Jupyter notebooks (labs), if it were exposed to arbitrary user input in a production server, it would be a critical command injection vulnerability. However, it is not part of the core runtime of the MCP tools themselves. The security of the overall solution heavily depends on the correct configuration of Azure API Management, Azure AD, and the underlying cloud resources, which is external to the MCP server code itself but central to the project's purpose.
Updated: 2025-12-02GitHub
PreviousPage 20 of 636Next