Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(7632)

78
338
High Cost
awslabs icon
Sec9

A framework for deploying and running Model Context Protocol (MCP) servers efficiently on AWS Lambda using various invocation methods like API Gateway, Lambda Function URLs, or direct Lambda invokes.

Setup Requirements

  • ⚠️Requires an AWS account and CDK CLI for deployment.
  • ⚠️Requires a separate, pre-built MCP server (Node.js or Python script) that communicates over standard I/O to use the stdio adapter functionality.
  • ⚠️The deployment pipeline requires `PowerUserAccess` IAM permissions for the CodeBuild role, which is broad and should be reviewed for least privilege post-deployment.
Verified SafeView Analysis
The framework itself implements robust input validation for incoming HTTP requests and correctly separates deployer-provided configuration (like the command for stdio servers) from user-provided runtime input. There are no obvious injection vulnerabilities or hardcoded secrets found in the provided code snippets. The extensive use of AWS SDKs and standard Lambda event models leverages AWS's built-in security. The `PowerUserAccess` permission required during pipeline setup is broad but is for deployment, not runtime.
Updated: 2025-12-09GitHub
78
22
Medium Cost
jraylan icon

seamless-agent

by jraylan

Sec9

A VS Code extension that provides interactive tools for AI agents (like GitHub Copilot) to request user confirmation or plan approval, enhancing user control over AI actions.

Setup Requirements

  • ⚠️Requires VS Code 1.104.0+ and GitHub Copilot Chat extension
  • ⚠️Node.js (for Antigravity integration)
Verified SafeView Analysis
The project demonstrates good security practices for a local service: explicit disabling of CORS, binding internal HTTP servers to `127.0.0.1`, using `crypto.randomBytes` for API tokens stored in VS Code's global state, employing `crypto.timingSafeEqual` for token comparison to prevent timing attacks, implementing `MAX_REQUEST_BODY_BYTES` to mitigate large payload attacks, and sanitizing file search queries to prevent directory traversal. Image magic number validation is also a good security measure. The primary communication is local, minimizing external attack surfaces. No `eval` or obvious malicious patterns found. The `mcp_config.json` is a known Antigravity configuration file, and its modification is expected for integration, but its security relies on Antigravity's environment.
Updated: 2025-12-14GitHub
77
310
Low Cost
IBM icon

mcp

by IBM

Sec9

A central registry and collection of Model Context Protocol (MCP) servers and tools designed to enable AI agents to interact with various IBM and third-party resources and applications.

Setup Requirements

  • ⚠️Requires access and accounts for various IBM and third-party services (e.g., IBM MQ, FileNet Content Manager, watsonx.data, DataStax Astra DB, HashiCorp products).
  • ⚠️Many MCP servers require environment variables for authentication and configuration (e.g., API keys, tokens, URLs, usernames, passwords).
  • ⚠️Requires Docker for running several HashiCorp-related MCP servers.
  • ⚠️Requires Node.js runtime environment (or compatible for 'uvx') for servers using 'npx' or 'uvx'.
Verified SafeView Analysis
The repository itself mainly contains documentation (README) and configuration files (mcp.json). It does not contain direct executable application code for a server within its own repository. The security risks are primarily transferred to the individual MCP servers that are referenced and linked. These servers are launched using common package managers (npx, uvx) or Docker, which inherently carry supply chain risks if the source packages or images are compromised. Environment variables for sensitive information (API keys, tokens, passwords) are clearly marked as placeholders, correctly implying they should be provided by the user and not hardcoded. No 'eval', obfuscation, or directly malicious patterns were found in the provided source code.
Updated: 2025-12-11GitHub
76
173
Medium Cost
universal-tool-calling-protocol icon

utcp-mcp

by universal-tool-calling-protocol

Sec3

This project acts as a versatile bridge exposing Universal Tool Calling Protocol (UTCP) tools as Model Context Protocol (MCP) tools, enabling AI agents and other MCP-compatible clients to discover, manage, and execute a wide range of external capabilities including APIs, command-line tools, and inline code execution.

Setup Requirements

  • ⚠️Requires Python 3.8+, Node.js 18+, or Rust toolchain, depending on the chosen bridge implementation and its specific features.
  • ⚠️Requires a `.utcp_config.json` file for defining tool providers and initial configurations.
  • ⚠️The default Docker setup exposes ports 8776 (Client MCP), 8777 (Proxy MCP), and 8778 (FastAPI web server) on all network interfaces (0.0.0.0), which may require firewall configuration or explicit binding to 127.0.0.1 for local development.
Review RequiredView Analysis
The server explicitly includes 'Code Mode' features in both its TypeScript and Rust implementations, allowing the execution of arbitrary user-provided code (TypeScript/Rhai scripts) with direct access to registered tools. This poses an extremely high security risk, as it enables arbitrary code execution on the host machine if the server is exposed to untrusted inputs or clients without robust sandboxing. Additionally, the Docker setup for the web UI/proxy/client services binds to 0.0.0.0 (all network interfaces) by default, increasing potential exposure.
Updated: 2025-11-27GitHub
76
320
Medium Cost
FreePeak icon

db-mcp-server

by FreePeak

Sec8

This server acts as a unified interface for AI models to interact with multiple databases (MySQL, PostgreSQL, TimescaleDB), enabling AI assistants to execute SQL, manage transactions, explore schemas, and analyze performance.

Setup Requirements

  • ⚠️Docker and Docker Compose are required for simplified setup and running the provided test environments, including TimescaleDB.
  • ⚠️Go 1.18+ is required to build and run the server directly from source.
  • ⚠️Default database credentials found in example configuration files (`config.json`, `config.timescaledb-test.json`, `docker-compose.yml`) are insecure and MUST be changed for any non-test deployment.
  • ⚠️The `wait-for-it.sh` script is used by Docker Compose setups to ensure database readiness before starting the MCP server.
Verified SafeView Analysis
The server's design allows for flexible configuration via environment variables or JSON files, which can be used to securely manage database credentials. However, the provided `docker-compose.yml`, `config.json`, and `config.timescaledb-test.json` files contain hardcoded default/test database passwords (`password`, `password1`, `timescale_password`, etc.). While suitable for a test environment, using these in production would pose a critical security risk. Users must replace these with strong, unique credentials when deploying to non-test environments. The server itself does not appear to use inherently unsafe functions like `eval` or exhibit malicious patterns.
Updated: 2025-12-14GitHub
76
278
Medium Cost
argoproj-labs icon

mcp-for-argocd

by argoproj-labs

Sec8

Enables AI assistants to interact with Argo CD applications through natural language, streamlining DevOps tasks.

Setup Requirements

  • ⚠️Requires an Argo CD instance with API access and an API token for authentication.
  • ⚠️Requires Node.js v18 or higher to run.
  • ⚠️Using `NODE_TLS_REJECT_UNAUTHORIZED=0` to bypass TLS certificate validation for self-signed certificates reduces security and is only recommended for development environments.
  • ⚠️Can be configured for read-only mode via `MCP_READ_ONLY=true` environment variable, otherwise all modification tools are available.
Verified SafeView Analysis
The server uses environment variables (ARGOCD_BASE_URL, ARGOCD_API_TOKEN) for sensitive information, which is a good practice. It supports different transport protocols (stdio, SSE, HTTP Stream), requiring proper network security configuration (e.g., firewalls, access control) by the user. A significant security warning is explicitly mentioned in the README regarding `NODE_TLS_REJECT_UNAUTHORIZED=0` for self-signed certificates, which disables TLS verification and should be used with extreme caution. Input validation for tool parameters is handled using Zod, which helps prevent injection attacks. A `MCP_READ_ONLY` flag exists to disable modification tools, enhancing security for read-only deployments.
Updated: 2025-12-03GitHub
76
47
Low Cost
1xn-labs icon

1xn-vmcp

by 1xn-labs

Sec5

An open-source platform for composing, customizing, and extending multiple Model Context Protocol (MCP) servers into a single logical, virtual MCP server, enabling fine-grained context engineering for AI workflows and agents.

Setup Requirements

  • ⚠️Requires Python 3.10-3.13 and 'uv' for installation and dependency management.
  • ⚠️Executing custom Python tools involves running user-provided code in a sandboxed environment, which carries inherent security risks if the code's origin is untrusted.
  • ⚠️The sandbox implementation for Python tools (using `prctl`) may be specific to Linux environments, potentially affecting security posture or functionality on other operating systems.
Review RequiredView Analysis
The server includes functionality to execute user-defined Python code as custom tools, utilizing `exec` and `subprocess.run` within a sandboxed environment. While attempts are made to limit globals, locals, and dangerous module imports (e.g., `os`, `sys`, `subprocess`), sandbox escapes are an inherent risk when executing arbitrary code from potentially untrusted sources. This risk applies if a user imports or manually configures a malicious custom Python tool or imports a compromised collection. Network risks include the ability to connect to arbitrary external MCP servers and OAuth providers as configured by the user, which could be misused if pointing to malicious endpoints. Hardcoded secrets are generally avoided in favor of environment variables, with a dummy token for local development. OAuth flows appear to follow standard practices (PKCE, state management).
Updated: 2025-12-13GitHub
75
90
Medium Cost
igrigorik icon

AgentBoard

by igrigorik

Sec7

Enhances web browsing with AI-driven automation, allowing LLMs to interact with web pages, extract content, and execute custom tools.

Setup Requirements

  • ⚠️Requires API keys for OpenAI, Anthropic, or Google (paid services), configured within the extension's settings.
  • ⚠️Requires a Chromium-based browser (Chrome, Edge, Brave, etc.) to run as an extension.
  • ⚠️Optional: Requires external MCP (Model Context Protocol) servers to be running and accessible for remote tools.
Verified SafeView Analysis
The system is designed to execute user-provided JavaScript (WebMCP tools) directly in the browser's main world, bypassing Content Security Policy (CSP) for powerful functionality. While this is intentional and uses secure injection methods (e.g., Blob URLs, Trusted Types where available), a malicious user script, if installed, could perform arbitrary actions on visited pages (e.g., data exfiltration, DOM manipulation). The `fetch_url` system tool can access any URL from the background service worker, which, if unconstrained by the LLM's safety mechanisms, could be coerced into server-side request forgery (SSRF). The `new Function()` call in `script-parser.ts` is used for parsing metadata objects from user scripts, which is a known risk, but it's applied to a strictly formatted section and not arbitrary code. Overall, the architecture shows careful security considerations for an extension of this nature, but the ultimate safety relies heavily on the user's vigilance regarding the scripts they enable.
Updated: 2025-12-14GitHub
75
118
Low Cost
cursor icon

mcp-servers

by cursor

Sec7

Provides a curated collection of Model Context Protocol (MCP) server configurations to enable AI agents to interact with various developer tools and services.

Setup Requirements

  • ⚠️Requires Node.js/npm for 'npx' commands or Docker for 'docker run' commands, depending on the specific MCP server chosen. Some may implicitly require Python for 'uvx' commands.
  • ⚠️Many servers necessitate API keys, personal access tokens, or other credentials (e.g., GITHUB_PERSONAL_ACCESS_TOKEN, STRIPE_SECRET_KEY) to be configured as environment variables or directly within their respective server.json config headers.
  • ⚠️Some servers require specific user-provided instance URLs or organization names (e.g., GitLab, Azure DevOps, Pipedream) as part of their run command or URL configuration.
Verified SafeView Analysis
The repository itself is a collection of JSON configurations and a README generation script, which are safe. The primary security considerations arise from executing the defined MCP servers, many of which use 'npx' to run external npm packages or 'docker run' to execute Docker images. While the '-y' flag with 'npx' bypasses prompts, the repository is a curated list, implying some level of vetting. Users must ensure the trustworthiness of the third-party MCP server packages/images they choose to run. Many servers require sensitive API keys or tokens, which are expected to be provided via environment variables, mitigating hardcoded secret risks in the repository itself, but shifting that responsibility to the user's environment setup.
Updated: 2025-11-24GitHub
75
294
High Cost
pab1it0 icon
Sec9

Enables AI assistants to query and analyze Prometheus metrics through a Model Context Protocol (MCP) server.

Setup Requirements

  • ⚠️Requires an accessible Prometheus server.
  • ⚠️Requires an MCP-compatible client (e.g., Claude Desktop, VS Code, Cursor).
  • ⚠️Relies heavily on Docker for straightforward deployment.
  • ⚠️Requires Python 3.10 or higher for local development/execution.
Verified SafeView Analysis
Authentication credentials (username/password or bearer token) are handled via environment variables and marked as secrets in the MCP server configuration. The server supports disabling SSL verification for Prometheus connections (`PROMETHEUS_URL_SSL_VERIFY`), which is insecure and explicitly warned against for production. Docker images are designed to run as a non-root user (`app`) and expose port 8080. No 'eval' or malicious code patterns were identified. Structured logging is used for better observability.
Updated: 2025-11-22GitHub
74
310
Medium Cost
Tiberriver256 icon

mcp-server-azure-devops

by Tiberriver256

Sec9

This server provides an AI agent with tools to interact with Azure DevOps services, including searching code, wikis, and work items, managing pull requests, retrieving project details, and handling pipeline operations.

Setup Requirements

  • ⚠️Requires an Azure DevOps organization and project with appropriate permissions for read/write operations (e.g., creating pull requests, updating work items, accessing repositories).
  • ⚠️Authentication is configured via environment variables (e.g., AZURE_DEVOPS_PAT for Personal Access Token, or Azure CLI login / Managed Identity / Service Principal for Azure Identity methods).
  • ⚠️Some search features (e.g., Code Search) require the respective Azure DevOps extensions to be installed in the target organization.
Verified SafeView Analysis
The server handles sensitive information (Azure DevOps credentials) via environment variables, which is a standard and secure practice. It integrates with Azure SDKs (@azure/identity, azure-devops-node-api) for authentication, which provides robust security features. Error handling for API calls is comprehensive, mitigating risks from malformed responses or external API issues. The `create_branch.sh` script is a local utility and not part of the server's runtime exposed to external requests. While shell scripts always carry a minimal risk of injection, the direct use of `$1` with `git checkout -b` is generally robust for branch names. No 'eval' or direct arbitrary code execution on user input was identified within the server's core logic. The hardcoded Azure DevOps resource ID is a public identifier, not a secret.
Updated: 2025-12-02GitHub
74
84
Medium Cost
penpot icon

penpot-mcp

by penpot

Sec3

The Penpot MCP server integrates LLMs with the Penpot Plugin API to enable AI agents to perform data queries, transformations, and creations within Penpot design files.

Setup Requirements

  • ⚠️Requires Node.js v22+.
  • ⚠️Manual steps in Penpot UI are needed to load the plugin and connect to the MCP server.
  • ⚠️Chromium-based browsers may require explicit permission for Private Network Access (PNA) to localhost, or disabling security features (e.g., Brave Shields).
Verified SafeView Analysis
The primary security risk is the 'execute_code' tool, which explicitly allows arbitrary JavaScript code execution within the Penpot plugin's sandboxed environment. While this is the intended functionality for an LLM agent, it introduces a significant risk of malicious code execution or privilege escalation if the LLM's output is compromised (e.g., via prompt injection) or if the server itself is exposed beyond 'localhost'. The REPL server also offers this functionality via a web interface. Currently, connections (HTTP/SSE on port 4401, WebSocket on port 4402, REPL on port 4403) are restricted to 'localhost', mitigating external network attacks. However, a compromised local machine could still exploit this capability.
Updated: 2025-12-12GitHub
PreviousPage 24 of 636Next