Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(7756)

70
349
Medium Cost
kimtaeyoon83 icon
Sec9

Retrieves transcripts from YouTube videos, including Shorts, with language fallback and optional ad filtering.

Setup Requirements

  • ⚠️Requires Node.js 18 or higher.
  • ⚠️Requires `npm install` and `npm run build` if running directly (not via npx).
Verified SafeView Analysis
The server's core logic for fetching transcripts directly interacts with YouTube's internal API via HTTPS. Input parameters are validated. There are no obvious hardcoded secrets, 'eval' usage, or obfuscation. Error handling is implemented for network issues and invalid inputs. The primary risk is the inherent reliance on YouTube's undocumented internal API, which could change and break functionality, but this does not expose direct security vulnerabilities to the user running the server.
Updated: 2025-12-04GitHub
70
7
Medium Cost
SamMorrowDrums icon

remarkable-mcp

by SamMorrowDrums

Sec8

This MCP server unlocks the reMarkable tablet as a 'second brain' for AI assistants, enabling them to read, search, and traverse the user's entire reMarkable library, including handwritten notes via OCR.

Setup Requirements

  • ⚠️Requires a reMarkable tablet with either Developer Mode enabled (for SSH) or a reMarkable Connect subscription (for Cloud mode).
  • ⚠️Google Vision API Key is highly recommended for effective handwriting OCR; it has a free tier but incurs costs after 1,000 requests/month.
  • ⚠️Requires `rmc` and `cairosvg` (or `inkscape`) system-wide installations for image rendering and Tesseract OCR.
  • ⚠️Using SSH password authentication requires `sshpass` to be installed and is not recommended due to security concerns.
Verified SafeView Analysis
The server uses `subprocess.run` for SSH/SCP and image processing (`rmc`, `cairosvg`, `inkscape`). While `subprocess.run` can be risky if inputs are not properly sanitized, the current implementation appears to handle internal paths or controlled inputs. The use of `sshpass` for password authentication is explicitly warned against in the documentation as it stores the password in plain text. No `eval` or other obvious code obfuscation/malicious patterns were found.
Updated: 2025-12-02GitHub
69
256
High Cost
decocms icon

admin

by decocms

Sec8

DecoCMS is an open-source Context Management System (MCP Mesh) for AI, designed to centralize, compose, and secure AI agents, workflows, and full-stack AI applications with built-in governance, observability, and cost control.

Setup Requirements

  • ⚠️Requires 'Bun' runtime for local development and direct execution.
  • ⚠️Requires 'DATABASE_URL' environment variable (supports SQLite and PostgreSQL).
  • ⚠️Requires 'ENCRYPTION_KEY' and 'MESH_JWT_SECRET' environment variables for secure operation.
  • ⚠️Comprehensive authentication setup (email, social, SSO) via 'Better Auth' requires external provider configuration.
Verified SafeView Analysis
The system employs robust security measures including granular Role-Based Access Control (RBAC) via 'Better Auth', JWTs for internal tokens, and AES-256-GCM encryption for sensitive connection credentials. Management tools, notably 'DATABASES_RUN_SQL' which executes raw SQL, are heavily reliant on this access control. Improper configuration of permissions for such powerful tools could lead to privilege escalation or data breaches. CORS origin configuration is noted as a TODO in the source, which should be addressed for production deployments.
Updated: 2025-12-14GitHub
69
226
Medium Cost
anyproto icon

anytype-mcp

by anyproto

Sec8

The Anytype MCP Server enables AI assistants to interact with Anytype's API through natural language for knowledge management.

Setup Requirements

  • ⚠️Requires an Anytype API Key (obtained from Anytype application settings or CLI).
  • ⚠️Requires a local Anytype application running and accessible, or a reachable Anytype API endpoint.
  • ⚠️The `OPENAPI_MCP_HEADERS` environment variable must be set with the API key and Anytype version (as a JSON string).
Verified SafeView Analysis
The codebase adheres to good practices by externalizing API keys via environment variables (OPENAPI_MCP_HEADERS). The HTTP client correctly handles file uploads by reading local file paths provided as strings. A commented-out section in `src/openapi/parser.ts` reveals a potential for using `eval` for Zod schema generation. While currently inactive, activating it would introduce a significant arbitrary code execution vulnerability. Overall, it is generally safe to run, given trust in the underlying Anytype API.
Updated: 2025-12-10GitHub
69
166
Medium Cost
aaronsb icon
Sec9

Provides AI assistants with semantic agency over an Obsidian knowledge graph, enabling them to understand, navigate, and synthesize information across notes using the Model Context Protocol.

Setup Requirements

  • ⚠️Requires Obsidian to be installed and running, as it functions as an Obsidian plugin.
  • ⚠️An MCP-compatible AI client (e.g., Claude Desktop, Claude Code) is necessary to connect and interact with the server.
  • ⚠️Connecting via `mcp-remote` (used by some AI clients like Claude Desktop) requires Node.js/NPM to be installed on the client machine to run `npx mcp-remote`.
  • ⚠️If HTTPS is enabled with auto-generated self-signed certificates, AI clients may need to be configured to bypass SSL certificate validation (e.g., `NODE_TLS_REJECT_UNAUTHORIZED=0`), which carries inherent security risks if not understood.
Verified SafeView Analysis
The plugin implements robust security measures including granular operation permissions, comprehensive path validation (preventing traversal attacks), API key authentication, and `.mcpignore` file-based exclusions. It supports HTTPS with auto-generated self-signed certificates (requiring client-side SSL verification bypass for local dev). An `InputValidator` framework prevents various attack vectors like ReDoS, DoS, and file size limits. A configurable 'read-only' mode is available. The use of `new Function()` for Bases YAML expression evaluation represents a calculated risk, common in plugin DSLs, but appears to be within a controlled, sandboxed context.
Updated: 2025-12-08GitHub
69
117
Medium Cost
neo4j icon

mcp

by neo4j

Sec9

Provides an official Model Context Protocol (MCP) server for Neo4j, enabling LLMs and other AI clients to interact with Neo4j databases through tool calls for schema introspection and Cypher query execution.

Setup Requirements

  • ⚠️Requires a running Neo4j database instance (e.g., Neo4j Desktop, AuraDB) with the APOC plugin installed. The server will not start if APOC is missing.
  • ⚠️Requires Go 1.25+ for development and compilation.
  • ⚠️Requires an MCP-compatible client (e.g., VSCode with MCP support, Claude Desktop) to interact with the server, as it operates over standard I/O.
Verified SafeView Analysis
The server employs good security practices, including external configuration for sensitive credentials via environment variables/CLI, explicit query classification to restrict read-only tools from performing write operations (checked via `EXPLAIN` on Cypher queries), and redaction of sensitive data in logs (e.g., passwords, tokens, URIs). The `write-cypher` tool is noted as potentially destructive and comes with user-level warnings, also being disableable via the `NEO4J_READ_ONLY` flag. Telemetry is opt-out and anonymized. No 'eval' or malicious patterns were identified in the provided code.
Updated: 2025-12-12GitHub
69
234
Medium Cost
zinja-coder icon

jadx-mcp-server

by zinja-coder

Sec8

Provides an MCP server for LLMs to perform automated Android APK reverse engineering, vulnerability analysis, and manifest parsing by interacting with a JADX-AI-MCP plugin.

Setup Requirements

  • ⚠️Requires JADX-GUI with the JADX-AI-MCP Plugin to be running and an Android APK loaded, as this server acts as a proxy to that setup.
  • ⚠️Requires Python 3.13+.
  • ⚠️Dependencies like fastmcp, httpx, and requests must be installed. The pyproject.toml suggests using 'uv' (e.g., 'uv run') or 'pip install .' to manage dependencies.
Verified SafeView Analysis
The server uses httpx to communicate with a JADX-AI-MCP Plugin running on localhost (default 127.0.0.1:8650), limiting network exposure for sensitive JADX interaction to the local machine. No direct use of eval() or exec() is found. The server exposes an HTTP endpoint via FastMCP, which clients (LLMs) connect to. Powerful modification tools (e.g., rename_class, rename_method) are exposed, but these operations are delegated to the JADX plugin. Misuse by an LLM could lead to unwanted changes, but the server itself acts as a proxy, and the project includes a SECURITY.md file and claims an external security assessment.
Updated: 2025-12-12GitHub
69
256
High Cost
decocms icon

mesh

by decocms

Sec3

Centralized Context Management System (MCP Mesh) for building and managing AI applications, agents, and workflows with integrated governance, observability, and cost control.

Setup Requirements

  • ⚠️Requires `ENCRYPTION_KEY` environment variable to be set to a strong, randomly generated key. Defaulting to an empty string in production makes the system highly insecure.
  • ⚠️Node.js version >= 24.0.0 is required.
  • ⚠️The `DATABASES_RUN_SQL` tool uses string interpolation for SQL parameters, which is susceptible to SQL injection if inputs are not meticulously sanitized.
Review RequiredView Analysis
Critical vulnerability: The `ENCRYPTION_KEY` environment variable, used by `CredentialVault`, defaults to an empty string if not set. This renders all encrypted data trivial to decrypt. Additionally, the `DATABASES_RUN_SQL` tool uses string concatenation for SQL parameters, making it highly susceptible to SQL injection if inputs are not meticulously sanitized, even with access control in place. Ensure `ENCRYPTION_KEY` is always set to a strong, randomly generated value and implement proper parameterized queries for SQL operations.
Updated: 2025-12-14GitHub
68
165
High Cost
PipedreamHQ icon

mcp-chat

by PipedreamHQ

Sec7

A reference open-source AI chat application leveraging Pipedream's Model Context Protocol (MCP) to integrate with thousands of APIs and tools, supporting conversational AI, automatic tool discovery, and document creation/editing with real-time feedback.

Setup Requirements

  • ⚠️Requires Pipedream Account and Project setup (OAuth credentials needed).
  • ⚠️Requires API keys for at least one LLM provider (OpenAI, Anthropic, or Google Gemini) – these are typically paid services.
  • ⚠️Requires `EXA_API_KEY` for web search functionality (potentially a paid service).
  • ⚠️Requires Docker for local database persistence (Postgres, Redis).
  • ⚠️Google OAuth credentials are required for sign-in, with `allowDangerousEmailAccountLinking: true` enabled by default, which might bypass email verification.
Review RequiredView Analysis
The application demonstrates good security practices including Auth.js for authentication (with Drizzle Adapter and password hashing), Drizzle ORM for database interactions (parameterized queries), Zod for file upload validation, and server-only enforcement for sensitive operations. Authorization checks are present in API routes to ensure user ownership of chats and documents. Datadog RUM is configured to mask user input by default. However, there are notable concerns: 1. Client-side Python code execution via Pyodide: LLM-generated code running in the browser introduces a significant risk. While prompts attempt to restrict network/file access, an imperfect sandbox or LLM output deviation could lead to client-side exploits. 2. Google OAuth `allowDangerousEmailAccountLinking: true`: This setting can lead to account hijacking if not accompanied by robust email verification by NextAuth, which may not be the default behavior of the Drizzle adapter. 3. Debug logging in production: The `/api/chat` endpoint logs `fullSession` details under a 'DEBUG' flag. If exposed, this could leak sensitive session data. 4. `ignoreBuildErrors: true` in `next.config.ts`: This can mask critical type errors that might introduce runtime vulnerabilities or unexpected behavior. 5. Reliance on MCP Server: The security and integrity of the external MCP server are critical; compromise of this service could impact the chat application's security.
Updated: 2025-12-03GitHub
68
129
Medium Cost
atlassian icon
Sec9

Serves as a cloud-based bridge connecting Atlassian Cloud (Jira, Confluence) with large language models (LLMs) and external AI clients, enabling real-time data interaction, content summarization, task creation, and workflow automation.

Setup Requirements

  • ⚠️Requires an Atlassian Cloud site with Jira and/or Confluence
  • ⚠️Requires access to a compatible AI Client (e.g., Claude for Teams, which may imply a paid plan)
  • ⚠️Requires Node.js v18+ installed for local client setup to run the 'mcp-remote' proxy
Verified SafeView Analysis
The server explicitly prioritizes security, leveraging OAuth 2.0 for secure authentication and access control, ensuring all actions respect existing user permissions in Jira and Confluence. All traffic is encrypted via HTTPS (TLS 1.2 or later). The JQL query builder script (`jql_builder.py`) includes specific sanitization functions (`sanitize_jql_value`) to prevent JQL injection attacks, indicating a proactive approach to common web vulnerabilities. No hardcoded secrets or malicious patterns were found in the provided source code. The architecture involves a client connecting to a secure SSE endpoint (`https://mcp.atlassian.com/v1/sse`), which is a standard secure communication pattern.
Updated: 2025-12-12GitHub
68
34
High Cost
sjkim1127 icon

Reversecore_MCP

by sjkim1127

Sec9

Reversecore_MCP is an AI-powered platform for automated binary analysis, malware analysis, vulnerability research, and game/firmware security, enabling AI agents to interact with advanced reverse engineering tools and generate comprehensive intelligence reports.

Setup Requirements

  • ⚠️Docker required for easy deployment (or manual setup of dependencies)
  • ⚠️Radare2 (CLI tool) must be installed
  • ⚠️Ghidra (and pyghidra library) recommended for advanced decompilation/structure recovery
  • ⚠️LIEF (Python library) required for binary parsing
  • ⚠️YARA (Python library) required for rule-based detection
  • ⚠️Graphviz (CLI tool) required for PNG Control Flow Graph generation
Verified SafeView Analysis
The project demonstrates a strong focus on security, especially regarding input validation and command execution. File paths are strictly validated to prevent traversal, and Radare2 commands are sanitized, with dangerous shell and write operations explicitly blocked. The `copy_to_workspace` tool includes size limits and prevents overwrites. Environment variables are used for sensitive configurations like email. Overall, robust measures are in place to mitigate common exploitation vectors, though inherent risks with external tool execution always remain.
Updated: 2025-12-07GitHub
68
148
Medium Cost
xpack-ai icon
Sec1

XPack is an open-source marketplace platform designed to allow users to create and sell their own Model Context Protocol (MCP) services, facilitating AI agent integration with various APIs.

Setup Requirements

  • ⚠️The quick-start script (`quick-start.sh`) runs with root privileges and makes significant system changes, including disabling SELinux and configuring Docker with `privileged: true` for all containers.
  • ⚠️Default hardcoded credentials (MySQL, Redis, RabbitMQ, Admin dashboard) are used for quick setup and must be changed for production use.
  • ⚠️Requires Docker and Docker Compose installed for containerized deployment, or Node.js >= 22.x and Pnpm >= 10.x for frontend, and Python >= 3.11 for backend manual build.
Review RequiredView Analysis
The quick-start script and Docker Compose configuration include critical security risks. All Docker containers are run with `privileged: true`, which grants them root capabilities on the host system, making the host extremely vulnerable. The quick-start script also disables SELinux (`setenforce 0`, `SELINUX=disabled`), further weakening system security. Default hardcoded passwords for MySQL, Redis, and RabbitMQ (e.g., `mysql_ZTdhRB`, `redis_6sJZDm`, `rabbitmq_Gs123dA`, `admin/123456789`) are set, posing a significant risk if not changed immediately. While there's an encryption mechanism for payment configurations (`PAYMENT_CONFIG_SECRET_KEY`), the fundamental deployment approach is severely insecure for a production environment, especially one handling user data and payments.
Updated: 2025-12-11GitHub
PreviousPage 28 of 647Next