Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(7632)

71
64
Medium Cost
Agentic-Web-Interfaces icon

concierge

by Agentic-Web-Interfaces

Sec4

Concierge is a declarative framework enabling LLMs to interact with and navigate web services through agentic workflows.

Setup Requirements

  • ⚠️Requires OpenAI API Key (paid) for client interaction, provided as a command-line argument to the chat client.
  • ⚠️Requires a PostgreSQL database instance for persistent state management, as configured in `configs/default.yaml`.
  • ⚠️Requires Python 3.9 or higher.
Review RequiredView Analysis
The FastAPI server (`src/concierge/serving/api.py`) uses `CORSMiddleware` with `allow_origins=["*"]`, `allow_methods=["*"]`, and `allow_headers=["*"]` by default. This effectively disables CORS protection and is a critical security vulnerability for any internet-facing deployment. The `HTTPRequestHandler` (`src/concierge/serving/http.py`) also directly exposes raw exception messages in 500 responses (`self.wfile.write(str(e).encode())`), which can lead to information leakage. Database credentials are sourced from a configuration file (`configs/default.yaml`), where the password can be a blank string, posing a risk if not securely configured in production.
Updated: 2025-12-12GitHub
71
80
Medium Cost
magentic icon
Sec8

Provides coding agents with full browser context from recorded user flows for debugging and regression testing.

Setup Requirements

  • ⚠️Requires the FlowLens Chrome extension to record and capture browser flows.
  • ⚠️Requires Python 3.10 or newer.
  • ⚠️A `FLOWLENS_MCP_TOKEN` environment variable is required to access shareable (remote) flows.
Verified SafeView Analysis
The server makes external network calls to the FlowLens API (flowlens-api.magentic.ai) and downloads recordings from URLs provided by this API. While the server itself does not contain obvious vulnerabilities like 'eval' or command injection based on user input, a compromise of the FlowLens API or manipulation of the provided video/RRWEB URLs could lead to the download of malicious files. However, these downloaded files (WEBM, JSON) are processed internally (e.g., for screenshots, DOM snapshots) and not directly executed, mitigating immediate execution risks. Authentication relies on a `FLOWLENS_MCP_TOKEN` which is expected to be provided via environment variables, a standard and secure practice to avoid hardcoding secrets.
Updated: 2025-12-07GitHub
71
152
Medium Cost
keyboard-dev icon

keyboard-local

by keyboard-dev

Sec9

Enables AI clients to execute real-world tasks through connected third-party tools (APIs, CLIs, SDKs) with human approval, leveraging a secure GitHub Codespace environment.

Setup Requirements

  • ⚠️Requires `git clone --recursive` to fetch submodules.
  • ⚠️Requires a Node.js/npm environment for both the Electron desktop client and the MCP server.
  • ⚠️Relies on GitHub Codespaces for the secure execution environment of AI-generated code.
  • ⚠️Users must connect and configure their own third-party API keys and credentials for desired tools (e.g., Gmail, Slack, Stripe).
Verified SafeView Analysis
The architecture described in the README emphasizes security through human approval workflows and execution within the user's own GitHub Codespace. This design aims to prevent the Keyboard server from directly accessing sensitive API keys, as they are managed within the user's secure environment. The user reviews and approves the generated code before execution, providing a critical control point. The disclaimer also places responsibility on the user for code review and connecting trusted applications. Without the actual JavaScript/TypeScript code for the `approver-client` and `keyboard-mcp` components, a deeper code-level security audit (e.g., checking for `eval` usage, obfuscation, or specific vulnerabilities) cannot be performed. The score reflects the strong security claims and architectural design rather than a direct code audit.
Updated: 2025-11-28GitHub
71
222
Medium Cost
strands-agents icon

mcp-server

by strands-agents

Sec9

Provides a Model Context Protocol (MCP) server for AI agents to search and retrieve curated documentation for the Strands Agents framework, facilitating AI coding assistance.

Setup Requirements

  • ⚠️Requires 'uv' for installation and command execution.
  • ⚠️Requires Python 3.10 or newer.
  • ⚠️Using the MCP Inspector for testing requires Node.js and npx.
Verified SafeView Analysis
The server explicitly validates URLs passed to `fetch_doc` to ensure they start with `https://strandsagents.com`, which significantly mitigates Server-Side Request Forgery (SSRF) risks. No `eval` or similar dangerous functions were found. The HTML cleaning uses standard library functions and regex to strip tags and unescape content, reducing XSS concerns if content were ever rendered directly. Overall, the security posture appears robust for its intended function.
Updated: 2025-11-21GitHub
71
221
Low Cost
aws-samples icon
Sec8

Demonstrates a stateful Model Context Protocol (MCP) server implementation using Python and FastMCP, deployed on AWS ECS Fargate, providing a simple echo functionality.

Setup Requirements

  • ⚠️Requires Python 3.12 or higher.
  • ⚠️Requires Podman (or Docker) for building container images.
  • ⚠️Requires AWS CLI and AWS SAM CLI configured with appropriate credentials for deployment.
  • ⚠️Requires manual configuration of deployment-specific parameters (e.g., container version, AWS region, ECR repository details, VPC configuration) before deployment.
Verified SafeView Analysis
The application code uses standard, widely-adopted frameworks (FastAPI, FastMCP) and does not appear to contain direct hardcoded secrets, 'eval' statements, or other overtly malicious patterns within the provided snippets. Sensitive deployment configuration is externalized to environment variables or SAM parameters. Security of the deployed solution heavily relies on proper AWS infrastructure configuration (e.g., IAM roles, network security groups, load balancer settings, and HTTPS enforcement).
Updated: 2025-12-04GitHub
71
21
Medium Cost
datagouv icon

datagouv-mcp

by datagouv

Sec8

The data.gouv.fr MCP server enables AI chatbots to search, explore, and analyze datasets from the French national Open Data platform directly through conversation.

Setup Requirements

  • ⚠️Docker is required for the recommended setup (local or hosted deployment).
  • ⚠️Requires Python version >=3.13 and <3.15.
  • ⚠️The 'get_metrics' tool is only available when `DATAGOUV_ENV` is set to 'prod', as the Metrics API does not have a demo environment.
  • ⚠️XLSX parsing in 'download_and_parse_resource' requires the 'openpyxl' library, which is not listed as a primary dependency and would need manual installation if full functionality is desired.
Verified SafeView Analysis
The server uses `httpx` for all external API calls, with appropriate timeouts. It defines API endpoints in `env_config.py` which are public data.gouv.fr URLs. No hardcoded secrets were found; the README explicitly states no API keys are required for read-only tools. The `download_and_parse_resource` tool downloads content from external URLs specified in resource metadata. While this tool includes `max_size_mb` (500 MB) and `max_rows` (1000) limits to mitigate abuse, downloading and parsing arbitrary external content (even from data.gouv.fr links) always carries inherent risks, such as potential for parsing vulnerabilities or large file attacks, despite the implemented safeguards. No `eval` or similar dangerous patterns were identified in the source code.
Updated: 2025-12-10GitHub
71
363
Medium Cost
domdomegg icon
Sec8

Facilitate LLM interaction with Airtable databases for schema inspection and record manipulation.

Setup Requirements

  • ⚠️Requires an Airtable Personal Access Token with specified scopes (schema.bases:read, data.records:read, and optionally write permissions).
  • ⚠️Requires Node.js to be installed on the host system.
  • ⚠️If using the HTTP transport (`MCP_TRANSPORT=http`), it lacks built-in authentication and must be secured externally (e.g., via a reverse proxy).
Verified SafeView Analysis
The code generally follows good practices. There are no obvious signs of malicious patterns or obfuscation. The `AirtableService` correctly retrieves the API key from environment variables (AIRTABLE_API_KEY) and uses a mock fetch for testing, which is good. A hardcoded API key is present in `src/e2e.test.ts` but this is an integration test key and not used in production code. The server can be run with an HTTP transport (`MCP_TRANSPORT=http`), but the `main.ts` explicitly warns that 'HTTP transport has no authentication. Only use behind a reverse proxy or in a secured setup.' This is a critical network security consideration that users must be aware of and manage externally if using this transport.
Updated: 2025-12-10GitHub
70
231
Medium Cost
salesforcecli icon

mcp

by salesforcecli

Sec7

Facilitates secure interaction between Large Language Models (LLMs) and Salesforce orgs, enabling LLMs to read, manage, and operate Salesforce resources through a robust set of tools. Supports various development and operations tasks such as code analysis, metadata deployment, org management, and DevOps workflows.

Setup Requirements

  • ⚠️Requires Node.js (up-to-date LTS) and Yarn to be installed.
  • ⚠️Requires Salesforce CLI to be installed and Salesforce orgs to be locally authorized.
  • ⚠️Requires Git CLI for DevOps-related tools.
  • ⚠️User must explicitly authorize Salesforce orgs (e.g., `sf org login web`).
  • ⚠️Local Git repositories must be in a clean state (no uncommitted changes) for certain DevOps operations like conflict detection and checkout.
Verified SafeView Analysis
The project demonstrates security awareness through explicit documentation (`SECURITY.md`), path sanitization in shared utilities (`sanitizePath` to prevent traversal), and controlled access to Salesforce orgs via an allowlist (`--orgs` flag). However, the DevOps provider (`mcp-provider-devops`) utilizes `execSync` to run Git commands (`git status`, `git add`, `git commit`, `git push`, `git fetch`, `git checkout`, `git ls-remote`, `git merge`, `sf project deploy report`). While `repoPath` input is validated to prevent basic unsafe characters, the execution of external shell commands always carries an inherent risk of command injection or unexpected behavior if the inputs or the LLM's generated arguments are not perfectly controlled and sanitized. The `APP_INSIGHTS_KEY` for telemetry is hardcoded as an empty string, which is safe, but `O11Y_UPLOAD_ENDPOINT` is a hardcoded URL. Overall, it is designed for 'Internal Use Only' with presumed trusted LLMs.
Updated: 2025-12-12GitHub
70
3
Medium Cost
FitoDomik icon

gitlab-mcp-server

by FitoDomik

Sec9

Connects an AI assistant to GitLab to facilitate interactive queries and actions on merge requests, pipelines, and code reviews.

Setup Requirements

  • ⚠️Requires `uv` for Python package management.
  • ⚠️GitLab Access Token needs `api` scope for write operations (e.g., commenting, resolving discussions), despite README suggesting `read_api` for initial setup.
  • ⚠️Requires a numeric `GITLAB_PROJECT_ID` for configuration.
Verified SafeView Analysis
The server securely handles GitLab API tokens by requiring them via environment variables (GITLAB_ACCESS_TOKEN, GITLAB_PROJECT_ID) and uses `aiohttp` for external API calls, correctly setting private tokens in headers. There are no signs of `eval`, code obfuscation, or hardcoded secrets. The `run-mcp.sh` script prioritizes loading environment variables from a local `.env` file, which is good practice for managing sensitive information.
Updated: 2025-11-28GitHub
70
295
Medium Cost
cloudwego icon

abcoder

by cloudwego

Sec4

Analyzes and processes code repositories to generate a Universal Abstract-Syntax-Tree (UniAST) and exposes it as a Model Context Protocol (MCP) server for LLMs to consume for AI-assisted programming applications.

Setup Requirements

  • ⚠️Requires `npm` to install `abcoder-ts-parser` for TypeScript projects, and `tsconfig.json` configuration for parsing.
  • ⚠️Requires `clangd-18` to be installed manually for C/C++ projects. For Java, it attempts to auto-download JDTLS, which may require a functional `java` executable.
  • ⚠️Large TypeScript monorepo projects may require manual adjustment of Node.js's maximum memory allocation via `NODE_OPTIONS=--max-old-space-size=...`.
Review RequiredView Analysis
The system automatically downloads the Java Development Tools Language Server (JDTLS) from `download.eclipse.org` and `abcoder-ts-parser` via `npm install -g` if not found. These actions introduce supply chain risks, as a compromised download source could lead to execution of malicious code. There is no explicit checksum verification for these external binaries. Node.js's `--max-old-space-size` is set for TypeScript parsing, indicating potential large memory usage which could be exploited in certain scenarios.
Updated: 2025-12-13GitHub
70
3
High Cost
greatSumini icon

sharp-mcp

by greatSumini

Sec7

This MCP server provides image session management and processing capabilities for AI coding assistants, enabling tasks like metadata extraction, color picking, background removal, cropping, and compression.

Setup Requirements

  • ⚠️Requires Node.js >= v18.0.0.
  • ⚠️ML model files (~10-50MB) for background removal are downloaded on first run, causing a delay.
  • ⚠️The server process needs appropriate file system read/write permissions for tools interacting with local paths (e.g., `create_session_by_path`, `output_path` parameters).
Verified SafeView Analysis
The server can handle user-provided file paths for reading and writing images (`create_session_by_path`, `compress_image`, `extract_region`, `remove_background`). While `validateAbsolutePath` is used to prevent relative path traversal, the server's underlying process permissions will determine the extent of potential file system access an attacker could exploit if they gain control over the `output_path`. Storing base64 images in memory sessions, and performing CPU/memory intensive operations like background removal, cropping, and compression, poses a potential Denial-of-Service (DoS) risk if not adequately rate-limited or resource-managed at a higher layer. The ML model files (10-50MB) for background removal are downloaded and cached on first use, which introduces a supply chain risk if the source of these models were compromised. No hardcoded secrets or 'eval' were found in the provided code.
Updated: 2025-11-28GitHub
70
115
High Cost
nesquikm icon

mcp-rubber-duck

by nesquikm

Sec9

An MCP server acting as a bridge to query and orchestrate multiple OpenAI-compatible LLMs for rubber duck debugging and multi-agent operations.

Setup Requirements

  • ⚠️Requires Node.js 20+ and npm/yarn.
  • ⚠️Requires API keys for cloud LLM providers (e.g., OpenAI, Google Gemini), which typically incur costs.
  • ⚠️For local LLM integration (e.g., Ollama, LM Studio), those applications must be running locally with required models downloaded.
Verified SafeView Analysis
The server employs robust security measures, including extensive use of environment variables for secrets, a `SafeLogger` to redact sensitive data, and `JSON.parse` for LLM outputs which safely handles malformed JSON without code execution. The `FunctionBridge` facilitates calls to external MCP servers, including `stdio` commands which are configured by the operator, not dynamically generated from user input. Argument validation using `Ajv` and an `ApprovalService` (configurable for 'always', 'trusted', or 'never' modes, with session-based memory) provide strong defenses against malicious tool calls, requiring human intervention for untrusted actions. The overall architecture is designed with security in mind for its intended use case, with the primary remaining risk lying in potential misconfiguration of `stdio` commands by the operator.
Updated: 2025-12-08GitHub
PreviousPage 26 of 636Next