Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(7756)

60
212
Medium Cost
punkpeye icon

mcp-proxy

by punkpeye

Sec8

A TypeScript proxy that enables streamable HTTP and SSE access for Model Context Protocol (MCP) servers communicating over standard I/O.

Setup Requirements

  • ⚠️Requires a pre-existing Model Context Protocol (MCP) server that communicates over `stdio` (standard input/output).
  • ⚠️Requires Node.js runtime and `npm` or `npx` to run.
  • ⚠️The proxy executes the provided command (`e.g., tsx server.js`) using Node.js's `child_process.spawn`. This command needs to be trusted and properly configured by the operator to avoid security risks, especially if `--shell` is enabled.
Verified SafeView Analysis
The proxy's core functionality relies on `child_process.spawn` to execute a user-provided command. While this is its intended purpose, it means the security is highly dependent on the trustworthiness of the command executed and the environment in which `mcp-proxy` itself runs. If `mcp-proxy`'s command-line arguments can be manipulated by untrusted actors, it could lead to arbitrary code execution. However, the proxy implements robust authentication for incoming client requests via API keys or custom OAuth callbacks, and provides extensive CORS configuration. No direct `eval` or intentional obfuscation is present in the provided source code.
Updated: 2025-12-06GitHub
60
98
Medium Cost
pi22by7 icon

In-Memoria

by pi22by7

Sec9

Provides persistent intelligence infrastructure (semantic concepts, patterns, architecture) for AI agents to understand and interact with codebases.

Setup Requirements

  • ⚠️Requires Node.js version 18 or higher.
  • ⚠️Relies on platform-specific native Rust binaries which are installed as optional dependencies; may require troubleshooting if `npm install` fails in unusual environments.
  • ⚠️While local vector embeddings are free, an OpenAI API Key (paid) is detected and utilized for 'enhanced embeddings' if available.
Verified SafeView Analysis
The project demonstrates robust security practices including path sanitization (preventing path traversal in `analyzeCodebase`, `getFileContent`), input validation using Zod schemas for all MCP tool calls, and careful handling of database paths. It explicitly addresses SurrealDB crash safety by checking and setting `SURREAL_SYNC_DATA`. File watchers and analysis tools use extensive ignore lists to avoid processing sensitive or irrelevant files. The primary security consideration lies in the use of native Rust binaries, which inherently relies on the integrity of the distributed platform-specific packages. There are no obvious hardcoded secrets or 'eval' usage, and network activity defaults to local SurrealKV for vector embeddings.
Updated: 2025-11-19GitHub
60
165
High Cost
alexei-led icon

aws-mcp-server

by alexei-led

Sec7

The AWS MCP Server allows AI assistants to execute AWS CLI commands and access AWS environment context, providing a powerful interface for cloud management and automation.

Setup Requirements

  • ⚠️Requires AWS CLI to be installed and configured with valid credentials.
  • ⚠️Requires Python 3.13+.
  • ⚠️Docker is highly recommended for enhanced security and a consistent execution environment.
Verified SafeView Analysis
The server *directly executes* AWS CLI commands via subprocess without application-layer command filtering, relying entirely on the host's IAM policies for authorization. It includes strong OS-level sandboxing (Landlock/Bubblewrap/Seatbelt) and recommends Docker hardening (read-only filesystem, dropped capabilities, PID limits) to mitigate host-level risks. However, a permissive IAM policy could allow the AI to perform destructive or unintended actions, as the server does not perform command validation beyond ensuring it's an 'aws' command. No hardcoded secrets or 'eval' patterns found.
Updated: 2025-12-02GitHub
60
69
Medium Cost

rohlik-mcp

by tomaspavlin

Sec7

Enhances LLMs with grocery shopping capabilities across Rohlik Group's online services.

Setup Requirements

  • ⚠️Requires Rohlik Group account (username/password) for a supported region (e.g., Rohlik.cz, Knuspr.de).
  • ⚠️Relies on a reverse-engineered Rohlik API, which may violate Rohlik's terms of service and carries inherent risks like potential instability or account issues.
  • ⚠️Requires Node.js and NPM/NPMX installed locally, and specific configuration within Claude Desktop's `claude_desktop_config.json`.
Verified SafeView Analysis
Uses real Rohlik account credentials (username/password) that are passed via environment variables. The server interacts with a reverse-engineered Rohlik API, which may violate Rohlik's terms of service and could lead to account issues. Running `npx` executes remote code. Debug mode (`ROHLIK_DEBUG`) could expose sensitive information in local logs if not properly secured.
Updated: 2025-11-17GitHub
60
8
Low Cost
iceener icon
Sec7

Control a Tesla vehicle remotely via the Tessie API using the Model Context Protocol (MCP) for AI agents.

Setup Requirements

  • ⚠️Requires a Tessie account and API access token, which is a paid service.
  • ⚠️Requires your Tesla vehicle's VIN to be configured as an environment variable.
  • ⚠️For Cloudflare Worker deployment, a KV namespace (`TOKENS`) must be created and configured in `wrangler.toml`.
  • ⚠️A random bearer token must be generated and configured (`BEARER_TOKEN`) for client authentication to the MCP server.
Verified SafeView Analysis
The server employs good practices for secret management (environment variables), encryption (AES-256-GCM for storage), and logging (redacting sensitive data). Client authentication uses a bearer token, which is validated against an environment variable. However, a critical security risk for production deployments is that the `isAllowedOrigin` function in `src/shared/mcp/security.ts` currently returns `true` for all origins, effectively disabling origin validation. The `README.md` explicitly warns about this, emphasizing the deployer's responsibility to harden the HTTP layer with proper token validation, secure storage, TLS, strict CORS/origin checks, rate limiting, and audit logging for remote deployments. If deployed without addressing the `isAllowedOrigin` placeholder, it becomes vulnerable to Cross-Origin Resource Sharing (CORS) attacks. For local development, this is generally acceptable.
Updated: 2025-12-09GitHub
60
111
Medium Cost
kubeflow icon
Sec9

Connects AI agents to Apache Spark History Server for intelligent job analysis and performance monitoring.

Setup Requirements

  • ⚠️Requires Python 3.12+.
  • ⚠️Requires 'uv' package manager for dependency management and execution.
  • ⚠️An existing Apache Spark History Server must be running and accessible (Docker is required if using the provided `start_local_spark_history.sh` script for a local server).
  • ⚠️Node.js is required if using the MCP Inspector for interactive local testing.
  • ⚠️Ollama (or another LLM provider like OpenAI, Anthropic, Amazon Bedrock) is required for AI agent integration examples (e.g., LangGraph, Strands Agents).
Verified SafeView Analysis
The project demonstrates strong security practices, including a pre-commit hook (`check-config-security.py`) to prevent hardcoded credentials, configurable SSL verification for HTTP requests, and the use of environment variables/Kubernetes secrets for sensitive data. The `SparkHtmlClient` uses Playwright to render external Spark UI content in a sandboxed browser environment; while direct user control over screenshot `save_path` is not exposed in the API, the design generally prioritizes secure handling of external interactions. A comprehensive `SECURITY.md` policy is in place. No 'eval' or malicious patterns were found in the provided code.
Updated: 2025-12-10GitHub
60
167
Medium Cost
nickgnd icon

tmux-mcp

by nickgnd

Sec3

Enables AI assistants to interact with, control, and observe tmux terminal sessions.

Setup Requirements

  • ⚠️Requires Node.js to be installed and available in the execution environment.
  • ⚠️Requires tmux to be installed and running.
  • ⚠️Potential for command injection if interacting with untrusted or adversarial AI models, as commands are executed directly in the terminal without robust sanitization.
Review RequiredView Analysis
The `executeCommand` tool, and consequently the underlying `tmux.executeCommand` function, is highly vulnerable to command injection. User-provided commands are directly interpolated into shell commands (e.g., `echo "START"; ${command}; echo "END"`) before being sent via `tmux send-keys`. This allows an attacker (or a misbehaving AI) to inject arbitrary shell commands (e.g., by using `;`, `&`, `|`, `$(...)`, or backticks) which will be executed by the target shell within the tmux pane. While the code attempts to escape single quotes, this is insufficient to prevent shell metacharacter injection. The `rawMode` and `noEnter` options explicitly bypass command wrapping, sending raw, unsanitized input directly, further increasing the risk. The README includes a warning, but the fundamental execution mechanism remains a critical security risk.
Updated: 2025-12-02GitHub
60
146
Medium Cost
tableau icon

tableau-mcp

by tableau

Sec9

Provides a Model Context Protocol (MCP) server that enables AI agents to interact with Tableau Cloud/Server, supporting data querying, metadata retrieval, content exploration, and AI-powered insights from Tableau Pulse.

Setup Requirements

  • ⚠️Tableau Authentication Configuration: Requires specific environment variables (e.g., PAT_NAME, PAT_VALUE; UAT_PUBLIC_KEY, UAT_PRIVATE_KEY; OAUTH_CLIENT_ID_SECRET_PAIRS, OAUTH_PRIVATE_KEY, OAUTH_PUBLIC_KEY) depending on the chosen AUTH_TYPE. Proper key generation and management are critical.
  • ⚠️Tableau Server/Cloud Compatibility: Tableau Pulse features are primarily available on Tableau Cloud. The VizQL Data Service, essential for `query-datasource` and `get-datasource-metadata`, may need to be explicitly enabled on Tableau Server (TSM configuration).
  • ⚠️Extensive Environment Variables: A large number of environment variables are used for all configuration aspects (server URL, site name, logging, tool scoping, security settings), requiring careful setup via a .env file or system environment configuration.
Verified SafeView Analysis
The server demonstrates robust security practices, including environment variable-based configuration for sensitive data, explicit handling of OAuth flows with PKCE, `crypto.timingSafeEqual` for secret comparisons, and `ssrfcheck` to mitigate SSRF risks when fetching client metadata. Sensitive information is masked in logs (`secretMask.ts`). While VizQL query execution carries inherent risks, the tool includes client-side validation against datasource metadata and filter values (`validateQueryAgainstDatasourceMetadata`, `validateFilterValues`) to reduce potential for invalid or harmful queries. The `DANGEROUSLY_DISABLE_OAUTH` flag highlights awareness of security implications. No `eval` or direct arbitrary code execution is found.
Updated: 2025-12-12GitHub
60
153
High Cost
tuannvm icon
Sec8

The Slack MCP Client acts as a production-ready bridge enabling AI models to interact with real tools and systems through Slack conversations via the Model Context Protocol.

Setup Requirements

  • ⚠️Requires Slack Bot and App tokens (manual setup of a Slack application with specific permissions is necessary).
  • ⚠️Requires API keys for chosen LLM providers (e.g., OpenAI API Key, Anthropic API Key), which are typically paid services.
  • ⚠️Requires installation and configuration of external Model Context Protocol (MCP) servers (e.g., `@modelcontextprotocol/server-filesystem`, `@modelcontextprotocol/server-github`) which may have their own dependencies (e.g., Node.js/npm for `npx` commands, Git, Kubernetes).
  • ⚠️If using Ollama, a local Ollama server instance must be running and accessible.
Verified SafeView Analysis
The server's core functionality involves executing external commands (e.g., `npx`, `github-mcp-server`) via `os/exec.Command` for MCP server integration. This execution is controlled by administrator-defined configurations (`command` and `args` in `config.json`), not direct user input, mitigating the risk of arbitrary code execution. Best practices for sensitive data are encouraged, with explicit recommendations for Kubernetes Secrets or External Secrets Operator for API keys and tokens. The Helm chart includes basic NetworkPolicy and CiliumNetworkPolicy options, indicating an awareness of network security. While direct external command execution inherently carries higher risk than purely internal processing, it appears to be implemented in a controlled and observable manner central to the project's purpose. Logging of environment variables occurs in debug contexts, which should be managed carefully in production.
Updated: 2025-12-08GitHub
59
151
Medium Cost
toolsdk-ai icon
Sec3

A self-hosted registry and gateway for Model Context Protocol (MCP) servers, enabling discovery, secure execution, and OAuth 2.1 authentication for AI agents and LLM applications.

Setup Requirements

  • ⚠️Requires Docker for recommended deployment and MeiliSearch.
  • ⚠️Requires Sandock, Daytona, or E2B API Key (Paid/Account required) for sandbox execution.
  • ⚠️Initial build takes 10-15 minutes due to installing thousands of MCP packages and their dependencies.
  • ⚠️MeiliSearch instance is required for full-text search functionality.
Review RequiredView Analysis
The system includes a critical security flaw: a fallback to local execution for MCP tools if sandbox execution fails (e.g., due to misconfiguration or resource issues). This bypasses intended isolation, allowing potentially untrusted third-party code to run directly on the host machine. Furthermore, the `install-python-deps.sh` script installs a very large number of third-party Python packages from PyPI without explicit security vetting in the source code, introducing significant supply chain risks. While sandboxing is used for Node.js environments, its effectiveness is undermined by the local fallback and the sheer volume of unvetted dependencies from `install-python-deps.sh` which are then made available for execution.
Updated: 2025-12-12GitHub
59
5
Medium Cost
jxnl icon
Sec8

This MCP server acts as a gateway, allowing AI assistants to interact with the Cursor Cloud Agents API to create, manage, and monitor automated tasks on GitHub repositories.

Setup Requirements

  • ⚠️Requires `CURSOR_API_KEY` environment variable, obtained from cursor.com/settings.
  • ⚠️Requires Node.js version 18.0.0 or higher.
  • ⚠️Local Git CLI must be installed for `get_repos` to detect local repositories.
Verified SafeView Analysis
The server uses `child_process.exec` for local Git operations. While `cwd` is passed as a separate option mitigating direct command injection, the `regex_patterns` in `get_repos` could theoretically be used for a ReDoS attack if supplied with complex, malicious regexes by an attacker controlling inputs. However, this is a localized resource exhaustion risk rather than remote code execution. The `CURSOR_API_KEY` is correctly fetched from environment variables, not hardcoded. Error messages are sanitized for production environments.
Updated: 2025-11-25GitHub
59
205
Medium Cost
ivo-toby icon
Sec9

Exposes OpenAPI endpoints as Model Context Protocol (MCP) tools, enabling Large Language Models (LLMs) to discover and interact with REST APIs through a standardized protocol.

Setup Requirements

  • ⚠️Requires an OpenAPI Specification (URL, local file, stdin, or inline content must be provided).
  • ⚠️Requires a base URL for the target API (`API_BASE_URL`).
  • ⚠️Many real-world APIs will require custom authentication logic (e.g., token refresh) via the `AuthProvider` interface, or static headers must be kept up-to-date manually.
Verified SafeView Analysis
The server includes origin validation for HTTP transport and has a configurable maximum request body size (4MB). It utilizes an `AuthProvider` interface for dynamic authentication, reducing reliance on potentially expired hardcoded tokens. Placeholder tokens in examples are clearly marked. No `eval` or obvious malicious patterns were found. Users must responsibly manage API keys and tokens (e.g., via environment variables or a custom AuthProvider) to avoid hardcoding secrets in production.
Updated: 2025-12-03GitHub
PreviousPage 34 of 647Next