Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

Vetted Servers (7632)

80
263
Medium Cost
metorial-index

by metorial

Sec8

Indexes and categorizes open-source Model Context Protocol (MCP) servers by scraping their GitHub repositories, fetching READMEs, and leveraging AI to generate descriptions and categories for a comprehensive catalog.

Setup Requirements

  • ⚠️Requires Bun runtime
  • ⚠️Requires GITHUB_TOKEN environment variable
  • ⚠️Requires OPENAI_API_KEY environment variable (Paid service)
  • ⚠️Wipes and recreates database on each run (`prisma db push --force-reset`)
Verified Safe
The server uses environment variables for sensitive API keys (GitHub, OpenAI) and handles network requests with a custom utility. It fetches public source code (READMEs, manifest files) from GitHub and an external MCP containers index. While it uses AI to generate content (descriptions, skills, categories) based on external data, the output is structured (JSON schema validation) which limits arbitrary code injection back into its core logic. The generated `getLaunchParams` is code intended for *other* MCP runtimes, not executed by this indexing server itself. Potential risk if internal prompt construction is vulnerable to prompt injection from untrusted README content, but output is constrained to data formats.
Updated: 2025-12-14
80
218
Medium Cost
Sec8

This repository provides a comprehensive toolkit and configuration for developing and utilizing Claude Code plugins, including skills, commands, hooks, subagents, and MCP servers to extend AI capabilities for coding and development tasks.

Setup Requirements

  • ⚠️Requires installation of multiple external tools (jq, gh, ruff, prettier, npm) beyond Claude Code itself.
  • ⚠️API keys for various external services (e.g., Tavily, Anthropic, GitHub) are required for full functionality.
  • ⚠️A manual symlink `ln -s CLAUDE.md AGENTS.md` is required post-installation for cross-tool compatibility.
Verified Safe
The project demonstrates high security awareness through explicit documentation (CLAUDE.md guidelines, hook-linter.sh checks for unquoted variables and hardcoded paths) and implemented patterns (atomic file updates, validation hooks for dangerous commands/writes, GitHub URL blocking for Tavily). While it involves executing user-local scripts and connecting to external services via MCP, the design emphasizes validation, least privilege, and secure practices. No direct hardcoded secrets or malicious patterns were found in the provided snippets. The inherent risks of running arbitrary scripts are acknowledged and mitigated by internal validation mechanisms.
Updated: 2025-12-13
80
148
Medium Cost
mcp-run-python

by pydantic

Sec8

MCP server to securely run untrusted Python code in a sandboxed WebAssembly environment, typically as a tool for AI agents.

Setup Requirements

  • ⚠️Requires Deno to be installed on the host machine.
  • ⚠️Requires Python 3.10 or higher for the `mcp-run-python` host package.
  • ⚠️Initial setup (loading Pyodide, installing dependencies) can incur a noticeable startup cost and network bandwidth.
Verified Safe
The server's core function is to execute arbitrary Python code. This is achieved within a robust sandbox provided by Pyodide (WebAssembly) running on Deno. Deno's explicit permission model is used to limit file system access (read-only for execution, write for dependency installation to `./node_modules` only). Importantly, `process.env` is polyfilled to be an empty object within the sandbox, preventing secrets leakage or environment tampering by executed code. The main point of caution is the `--allow-net` flag which is enabled by default when running the server via the CLI (`mcp-run-python` command) but is configurable (`--disable-networking`). The `code_sandbox` helper in the Python library defaults to `allow_networking=False`, offering a more secure default for programmatic use.
Updated: 2025-12-11
79
367
High Cost
Sec8

The Model Context Protocol (MCP) Server integrates with the Graphlit Platform to provide an LLM-enabled knowledge API, enabling ingestion, search, retrieval, RAG, and publishing of content from various data connectors for MCP clients.

Setup Requirements

  • ⚠️Requires Node.js 18.x or higher.
  • ⚠️Requires an active account on the Graphlit Platform with API access.
  • ⚠️Many tools require specific API keys/tokens configured as environment variables (e.g., SLACK_BOT_TOKEN, NOTION_API_KEY) for their respective data connectors.
Verified Safe
The server primarily relies on environment variables for sensitive credentials (Graphlit API keys, various connector tokens, etc.), which is good practice. The server uses a StdioServerTransport, meaning it communicates over standard I/O rather than opening a network port, reducing external attack surface. However, the 'ingestFile' tool uses 'fs.readFileSync' which could pose a risk if the 'filePath' parameter is controlled by an untrusted or malicious MCP client, potentially allowing arbitrary file reads from the server's filesystem. This risk is mitigated by the implied trusted relationship with MCP clients in the typical deployment model.
Updated: 2025-12-05
79
154
High Cost
zotero-mcp

by cookjohn

Sec8

Integrates Zotero, a leading reference management tool, with AI assistants through the Model Context Protocol (MCP) to enable intelligent search, retrieval, and analysis of academic literature and annotations.

Setup Requirements

  • ⚠️Requires Zotero 7.0+ installed and running.
  • ⚠️Requires Node.js 18.0+ for AI client integrations (e.g., for 'npx mcp-remote' command used by some clients like Claude Desktop).
  • ⚠️Manual plugin installation (downloading .xpi) and AI client JSON configuration are required.
Verified Safe
The server runs as a Zotero plugin, leveraging Zotero's internal APIs and environment, which provides some sandboxing. By default, it listens only on the local loopback interface (127.0.0.1:23120), limiting external network attack surface. No explicit 'eval', 'exec', or hardcoded secrets were found in the provided code. Input from AI clients is parsed as JSON-RPC requests and arguments are dispatched to specific handlers. While this structure generally enhances security, it relies on the robustness of Zotero's underlying APIs to prevent injection or unexpected behavior from crafted input. File system access for PDF and attachment processing relies on Zotero's `attachment.getFilePath()` and `IOUtils.read()` which are expected to operate within defined Zotero data paths, mitigating arbitrary file access risks.
Updated: 2025-12-03
79
345
Medium Cost
tfmcp

by nwiizo

Sec9

A CLI tool enabling LLMs to interact with and manage Terraform infrastructure through the Model Context Protocol (MCP), offering advanced analysis and security features.

Setup Requirements

  • ⚠️Terraform CLI must be installed and available in PATH.
  • ⚠️Requires Rust (version 1.84.0 is specified in rust-toolchain.toml, requiring a compatible toolchain).
  • ⚠️Network access is required for `terraform init` (provider downloads) and Terraform Registry API calls.
  • ⚠️Dangerous operations (apply/destroy) are disabled by default and require explicit environment variable opt-in (`TFMCP_ALLOW_DANGEROUS_OPS=true` for apply, `TFMCP_DELETE_ENABLED=true` for destroy).
Verified Safe
The project features robust security controls. Dangerous operations ('apply', 'destroy') are disabled by default and require explicit opt-in via `TFMCP_ALLOW_DANGEROUS_OPS=true` and `TFMCP_DELETE_ENABLED=true` respectively. Auto-approve for these operations also requires `TFMCP_ALLOW_AUTO_APPROVE=true`. It blocks common production/sensitive file patterns (`prod*`, `secret*`) and implements audit logging (`~/.tfmcp/audit.log` by default) for all operations, including user and command details. Resource count can be limited by `TFMCP_MAX_RESOURCES`. No 'eval' or obvious obfuscation detected. Network interactions are confined to the Terraform Registry API using `reqwest` and standard Terraform CLI processes. All security features are well-documented.
Updated: 2025-11-25
79
345
High Cost
evm-mcp-server

by mcpdotdirect

Sec9

Enables AI agents to interact with 60+ EVM-compatible blockchains, perform transactions, query data, and interact with smart contracts via a unified Model Context Protocol (MCP) interface.

Setup Requirements

  • ⚠️Requires EVM_PRIVATE_KEY or EVM_MNEMONIC environment variable for write operations (token transfers, contract writes, message signing).
  • ⚠️Requires ETHERSCAN_API_KEY environment variable for automatic ABI fetching from block explorers.
  • ⚠️Requires Bun 1.0.0+ or Node.js 20.0.0+.
Verified Safe
Sensitive credentials (EVM_PRIVATE_KEY, EVM_MNEMONIC, ETHERSCAN_API_KEY) are correctly handled via environment variables and are never exposed as tool arguments. The server sets an input payload limit (10MB) for basic DoS prevention. Write operations are guarded by explicit AI-guided prompts emphasizing user confirmation and security checks. The HTTP server listens on 0.0.0.0 by default, which is common for backend services but requires external security measures (e.g., HTTPS, firewall) in production. No 'eval' or malicious obfuscation patterns were detected in the provided source code.
Updated: 2025-11-26
79
300
Medium Cost
sonarqube-mcp-server

by SonarSource

Sec9

The SonarQube MCP Server enables seamless integration with SonarQube Server or Cloud for code quality and security, supporting direct analysis of code snippets within an agent context.

Setup Requirements

  • ⚠️Requires a SonarQube API token (SONARQUBE_TOKEN env var).
  • ⚠️Requires an OCI-compatible container runtime (e.g., Docker) for easiest setup.
  • ⚠️Connecting to SonarQube Cloud requires the SONARQUBE_ORG environment variable.
  • ⚠️Requires SonarQube Server 2025.1 or higher (2025.4 Enterprise or higher for Dependency Risks tool).
Verified Safe
The server demonstrates strong security practices for network communication, including explicit handling of authentication modes (TOKEN, OAUTH - though OAUTH is not yet implemented), session management with TTL, and robust CORS/DNS rebinding protection via `McpSecurityFilter`. It correctly leverages environment variables for sensitive configurations like `SONARQUBE_TOKEN`. Warnings are logged for less secure configurations (e.g., binding to all interfaces, using HTTP without TLS). A minor concern is the default `httpsKeystorePassword` being 'sonarlint', which is weak and should be explicitly changed by the user in production deployments.
Updated: 2025-12-11
79
178
Medium Cost
gram

by speakeasy-api

Sec7

Gram is a platform for building, deploying, and managing AI tools and agents, with support for prompt templating and various integrations, built on the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires Docker and Docker Compose for local server setup.
  • ⚠️A full local deployment involves multiple services: PostgreSQL, Redis, Temporal, Grafana, Tempo, Alloy, Prometheus, ClickHouse, and MCP Registry.
  • ⚠️Development or contribution requires Go, Node.js/TypeScript, and associated tooling.
Verified Safe
The `compose.yml` for local development contains hardcoded credentials for Redis (`xi9XILbY`), ClickHouse (`gram:gram`), and MCP Registry (`ffb75d70bdacadee50324c5f93b04e5674b1df37b4e234e603e5c08500eb0740`). These should be replaced with environment variables and securely managed for any production deployment. The core functionality involves executing user-provided code (JavaScript/TypeScript and Python functions), which is an inherently high-risk operation. While the project includes a `guardian` module and structured internal APIs, effective sandboxing and isolation of arbitrary code execution are critical and complex, and their full robustness cannot be assessed from the truncated code.
Updated: 2025-12-13
79
7
Medium Cost

frc-rag-mcpserver

by ramalamadingdong

Sec7

Provides RAG-based access to WPILib documentation for FRC robotics programming via a Model Context Protocol (MCP) server, specifically for GitHub Copilot.

Setup Requirements

  • ⚠️Requires connectivity to an external, pre-hosted server (http://97.139.150.106:3000/), which may experience downtime or performance variability.
  • ⚠️Requires specific VS Code user-level configuration by creating or modifying `mcp.json` in the user's config folder with an exact server name 'WPILibRag'.
  • ⚠️Requires a `.github/copilot-instructions.md` file in the project root with mandatory instructions to direct GitHub Copilot to use the MCP tool for WPILib-related queries.
Verified Safe
The setup involves configuring VS Code to connect to a remotely hosted, third-party MCP server (http://97.139.150.106:3000/). While the client-side configuration itself (mcp.json, copilot-instructions.md) doesn't introduce direct local code execution risks from the provided files, trusting the external server for data retrieval and potential future capabilities carries inherent risks. The server's source code is not provided in this repository, meaning its internal workings for RAG and data handling are not transparent or auditable by the user.
Updated: 2025-11-17
79
445
Low Cost
cli

by smithery-ai

Sec6

The Smithery CLI installs, manages, develops, and runs Model Context Protocol (MCP) servers, acting as a client-agnostic tool for AI client integration.

Setup Requirements

  • ⚠️Requires NodeJS version 20 or above.
  • ⚠️Smithery API Key is required for some operations (e.g., remote server installation, tunneling, searching the registry).
  • ⚠️May require `uv` (for Python MCP servers) or `bun` (for Bun MCP servers) runtime installations if a specific installed server needs them.
  • ⚠️Requires trust in the Smithery registry and server authors for code execution via installed MCP servers.
Verified Safe
The CLI's core functionality involves executing arbitrary code bundles and commands sourced from the Smithery registry. This includes spawning child processes, downloading and extracting packages (using `@anthropic-ai/mcpb`), and running them locally. While this is the intended design, it introduces a significant supply chain risk: users must implicitly trust the Smithery registry and the authors of the MCP servers they install. A compromised registry or a malicious server package could lead to arbitrary code execution on the user's machine. Network requests to the registry and for tunnel creation (via ngrok) also present standard network-based attack vectors. API keys are handled, implying sensitive data management.
Updated: 2025-12-05
79
333
Medium Cost
Sec7

Provides a plug-and-play AI meta-mentor layer for LLM agents, offering metacognitive questioning to prevent over-engineering, reasoning lock-in, and misalignment.

Setup Requirements

  • ⚠️Requires Node.js >=20
  • ⚠️Requires at least one paid API key for an LLM provider (Gemini, OpenAI, Anthropic, or OpenRouter)
  • ⚠️Default HTTP transport CORS is '*' (all origins), requiring manual restriction for production deployments
  • ⚠️The 'vibe_learn' functionality is marked as deprecated and will be removed in a future version
Verified Safe
The server makes API calls to third-party LLM providers, which involves sending potentially sensitive agent context. While API keys are managed securely via environment variables and `.env` files with restricted permissions, the default CORS `*` for HTTP transport could expose the service to unauthorized access if not properly configured in a production environment. The server itself does not execute arbitrary code or access local files beyond its configuration and log files.
Updated: 2025-12-02