Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse Directory Why Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:

SORT:

Vetted Servers(9120)

Medium Cost

2ly

by AlpinAI

Sec9

Skilder is an infrastructure layer for AI agent tooling, providing a private tool registry and embedded runtimes for integrating with various agent frameworks and custom tools.

Setup Requirements

⚠️Requires Docker for deployment (local or production).
⚠️Node.js v22+ is required for local development.
⚠️Requires initial generation of cryptographic keys via `npm run setup-local` (or `sh ./generate-keys.sh`) for local development, which are then stored in `dev/.docker-keys/`.
⚠️Relies on NATS and Dgraph as core infrastructure components, which are managed via Docker Compose.

Verified SafeView Analysis

The project demonstrates robust security practices for a distributed system, including the use of generated cryptographic keys for JWTs and NATS, strong password hashing (scrypt with peppering), and database-backed access validation for tokens (mitigating stale token issues). It features distributed rate limiting for API keys and OAuth initiation. GraphQL subscriptions are periodically re-validated for workspace access, which is a commendable measure against permission revocation during active sessions. While development configurations expose certain services (e.g., Dgraph, NATS Dashboard) and use broad CORS settings (origin: '*'), these are explicitly for development and should be hardened for production deployment.

Updated: 2025-12-14GitHub→

Low Cost

1mcp

by buremba

Sec9

Orchestrates AI agent tool calls by executing JavaScript/TypeScript code in a WASM sandbox, reducing LLM context bloat and managing security policies.

Setup Requirements

⚠️Requires Node.js version >=22.0.0.
⚠️Initial setup requires network access to download WASM runtimes (QuickJS/Pyodide) from CDN.
⚠️Python dependencies must be 'wheel-only' (no native extensions or sdists) and compatible with Pyodide.

Verified SafeView Analysis

The project demonstrates robust security considerations with a multi-layered approach, including WASM sandbox isolation (QuickJS/Pyodide), cryptographic signing of execution capsules (Ed25519), and double-enforcement of network and filesystem policies (browser and server). Path traversal protections and IP literal blocking are implemented. The specification indicates that critical security issues identified in development have been addressed. However, it notes that upstream MCP servers are fully trusted by the relay server (requiring external security measures for those services) and current rate limiting is basic (queue depth of 100). Code execution uses `vm.evalCode` within the sandboxed runtime, which is controlled by the capsule builder.

Updated: 2025-12-08GitHub→

219

High Cost

kagimcp

by kagisearch

Sec9

Provides search and summarization tools to LLMs via the Model Context Protocol (MCP) using Kagi's API.

Setup Requirements

⚠️Requires a Kagi API Key; the search API is currently in closed beta and requires an invitation from Kagi.
⚠️Requires global installation of the 'uv' package manager (for both setup and execution).
⚠️May conflict with the LLM client's built-in web search functionality, requiring manual disabling in the client's settings.
⚠️Local/development setup often requires specifying absolute paths to the project directory in configuration.

Verified SafeView Analysis

The server integrates with the Kagi API for its core functionality. API keys must be securely handled as environment variables. No obvious malicious code or severe vulnerabilities indicated in the provided README and file list. Standard practices like using 'uv' for package management are followed.

Updated: 2025-11-17GitHub→

Medium Cost

messages

by cardmagic

Sec9

Fuzzy search and browse Apple Messages (iMessage/SMS) from the command line or as an MCP server.

Setup Requirements

⚠️Requires macOS operating system.
⚠️Requires Node.js version 22 or higher.
⚠️Requires 'Full Disk Access' permission for your terminal application to read `~/Library/Messages/chat.db`.

Verified SafeView Analysis

The server primarily operates locally, reading from the Apple Messages database (`~/Library/Messages/chat.db`) and AddressBook, then building local search indexes in `~/.messages/`. It uses `better-sqlite3` in read-only mode for the source databases, which is a good security practice. The `node-typedstream` library handles parsing binary blobs for message content, which is a potential, but non-obvious, vector for malformed data. The MCP server uses `StdioServerTransport`, meaning communication is over standard I/O, not a network, reducing network-based attack surfaces. No `eval` or obvious hardcoded secrets were found. The most significant security consideration is the explicit requirement for 'Full Disk Access' permission for the terminal, which grants broad access but is necessary for its core functionality and is a user-controlled setting.

Updated: 2026-01-18GitHub→

Low Cost

mcp-typescript-sdk

by emqx

Sec9

The TypeScript SDK facilitates the implementation of Model Context Protocol (MCP) over MQTT for creating AI-integrable servers and clients, enabling LLMs to discover and interact with external services and tools.

Setup Requirements

⚠️Requires Node.js >= 18
⚠️Project must be configured to use ES modules (`"type": "module"` in package.json)
⚠️Requires an MQTT broker to be running and accessible (e.g., locally or a public broker)

Verified SafeView Analysis

The source code appears to follow good security practices. It extensively uses Zod schemas for input validation, which helps prevent malformed requests and potential injection vulnerabilities. Message parsing uses `JSON.parse`, which is safe for valid JSON. There are no explicit uses of `eval`, `child_process.exec`, or other dynamic code execution mechanisms. Sensitive information like MQTT credentials (username, password) are expected to be provided by the user during configuration and are not hardcoded. The SDK uses `nanoid` for generating unique IDs, which is cryptographically strong. MQTT 5.0 features are leveraged to enhance connection robustness. The error handling mechanism also appears to prevent excessive internal detail leakage. The `RELEASING.md` indicates secure npm publishing via OIDC, reflecting a general security awareness.

Updated: 2026-01-19GitHub→

361

High Cost

UnrealGenAISupport

by prajwalshettydev

Sec2

The plugin enables large language models (LLMs) to programmatically interact with and control Unreal Engine, facilitating generative AI applications in game development, such as spawning objects, manipulating scenes, and generating blueprints or Python scripts.

Setup Requirements

⚠️Requires `mcp[cli]` Python package installation.
⚠️Requires Unreal Engine's Python Editor Script Plugin to be enabled.
⚠️For DeepSeek reasoning model, Unreal Engine HTTP timeouts must be increased (e.g., `HttpConnectionTimeout=180`, `HttpReceiveTimeout=180` in `DefaultEngine.ini`).
⚠️Requires `PS_<ORGNAME>` environment variables for API keys (e.g., `PS_OPENAIAPIKEY`, `PS_ANTHROPICAPIKEY`, etc.).
⚠️Requires manual configuration of `claude_desktop_config.json` or `.cursor/mcp.json` file in specific user/project directories.

Review RequiredView Analysis

The MCP server (`mcp_server.py`) acts as a bridge, forwarding LLM-generated Python scripts to the Unreal Engine's Python interpreter (`unreal_socket_server.py`). The `handle_execute_python` function in `python_commands.py` executes these scripts using `exec(f.read())` on temporary files without sufficient sandboxing or robust input validation. This creates a severe remote code execution (RCE) vulnerability, allowing an LLM (if compromised or intentionally misdirected) to run arbitrary Python code within the Unreal Editor's environment. The `is_potentially_destructive` check is a weak heuristic and easily bypassable. The README explicitly warns about security risks, indicating this is a known, inherent risk of the design.

Updated: 2026-01-04GitHub→

350

Medium Cost

tfmcp

by nwiizo

Sec9

A CLI tool and MCP server that enables LLMs to analyze, manage, and operate Terraform configurations and infrastructure environments.

Setup Requirements

⚠️Requires Rust 1.85.0+ (Edition 2024) for compilation.
⚠️Terraform CLI must be installed and available in the system's PATH.
⚠️Dangerous operations (like 'apply' and 'destroy') are disabled by default and require setting the TFMCP_ALLOW_DANGEROUS_OPS environment variable to 'true'.

Verified SafeView Analysis

The server implements robust security controls by default. Dangerous operations (apply/destroy) are disabled, sensitive file patterns are blocked (e.g., 'prod*', 'secret*'), and a maximum resource limit is enforced. All operations are subject to audit logging. The code also includes internal secret detection patterns for Terraform configurations to warn users of potential hardcoded secrets. Policies can be customized via environment variables, requiring users to explicitly opt-in to less secure behaviors. There are no obvious 'eval' or obfuscation patterns.

Updated: 2025-12-28GitHub→

111

Low Cost

MCP-oura

by YuzeHao2023

Sec9

Provides language models with access to Oura API health data (sleep, readiness, resilience) via the Model Context Protocol.

Setup Requirements

⚠️Requires an Oura API Personal Access Token (obtained from Oura Developer Portal).
⚠️Requires Python 3.12 or newer.
⚠️Intended for integration with Model Context Protocol (MCP) compatible language models like Claude for Desktop.

Verified SafeView Analysis

The server retrieves the Oura API token from environment variables, which is a good security practice. It uses `httpx` for external API calls, and the data transformation logic does not appear to introduce direct security vulnerabilities. No usage of `eval`, obfuscation, or other immediately malicious patterns were found. Error handling is present, returning human-readable messages.

Updated: 2025-12-21GitHub→

148

Medium Cost

mcp-server-wazuh

by gbrigandi

Sec8

This Rust-based server acts as a bridge between a Wazuh SIEM system and applications requiring contextual security data, especially for AI assistants using the Model Context Protocol (MCP).

Setup Requirements

⚠️Requires a running Wazuh server (v4.12 recommended) with its API and Indexer accessible.
⚠️Critical environment variables for Wazuh API and Indexer credentials must be configured (e.g., in a `.env` file or directly in the shell).
⚠️The default `WAZUH_VERIFY_SSL=false` is insecure; for production, it must be explicitly set to `true` with valid SSL certificates.

Verified SafeView Analysis

The server's tools primarily provide read-only access to Wazuh data, limiting the impact of potential misuse. It properly externalizes sensitive credentials to environment variables. However, the default setting of `WAZUH_VERIFY_SSL=false` for Wazuh API and Indexer connections is explicitly insecure and should be set to `true` in production environments after ensuring proper certificate validation.

Updated: 2025-12-12GitHub→

Low Cost

mcp-local-rag

by shinpr

Sec9

Local RAG server for developers enabling private, offline semantic search with keyword boosting on personal or project documents (PDF, DOCX, TXT, MD, HTML).

Setup Requirements

⚠️Requires Node.js version 20 or higher.
⚠️Initial ~90MB embedding model download on first run (takes 1-2 minutes) before it can operate fully offline.
⚠️The `BASE_DIR` environment variable MUST be set to define the root directory for searchable documents, acting as a critical security boundary.
⚠️Changing the `MODEL_NAME` requires deleting the LanceDB database (`DB_PATH`) and re-ingesting all documents due to incompatible vector dimensions.

Verified SafeView Analysis

The server demonstrates strong security practices for a local RAG solution. It explicitly prevents path traversal attacks (S-002) by validating file paths against a defined `BASE_DIR` and ensuring they are absolute. All processing is local (S-001), with the only external network communication being the initial (cached) download of the embedding model from HuggingFace. Sensitive data (document content, search queries) is confirmed not to be logged (S-003), and stack traces are suppressed in production environments (S-004). No hardcoded secrets were found. The use of `isEvalSupported: false` in the PDF parser is a good practice. Overall, the security measures are well-implemented and tested.

Updated: 2026-01-17GitHub→

227

Low Cost

MCP-connect

by EvalsOne

Sec1

A lightweight bridge service that exposes local MCP servers as HTTP APIs, enabling cloud AI tools and agents to interact with various local MCP services via Streamable HTTP or a classic request/response bridge.

Setup Requirements

⚠️Requires Node.js >= 22.0.0 and npm/yarn for local execution.
⚠️Requires `AUTH_TOKEN` to be set for secure operation; defaults to unauthenticated access, which is a major security risk.
⚠️Requires an E2B API Key (`E2B_API_KEY`) for cloud sandbox deployment, along with a Python 3.8+ environment (`pip install -r requirements.txt`).
⚠️The `serverPath` in the `/bridge` endpoint or `command` in `mcp-servers.json` allows arbitrary command execution. Proper whitelisting, sanitization, or containerization is essential when exposing this service to untrusted input.

Review RequiredView Analysis

CRITICAL VULNERABILITIES: The `/bridge` endpoint allows an unauthenticated or authenticated client to specify an arbitrary `serverPath` in the request body. If this `serverPath` is a command (e.g., `rm -rf /`), the `MCPClientManager` will directly execute it via `StdioClientTransport`. This is a direct command injection vulnerability. Additionally, the `AUTH_TOKEN` environment variable defaults to an empty string, meaning the server runs unauthenticated by default. This allows any client to make calls, including exploiting the command injection. The `deploy/e2b/sandbox_deploy.py` script also fetches `startup.sh` and other configuration from a `remote_base` URL by default, which introduces a supply chain risk if the remote source is compromised. Sensitive environment variables like `N8N_API_KEY` can be included in `mcp-servers.json` and are handled via environment variable resolution, requiring careful management to prevent leaks.

Updated: 2025-12-11GitHub→

181

Low Cost

mcp-servers-nix

by natsukium

Sec9

Provides a Nix-based configuration framework for Model Control Protocol (MCP) servers with ready-to-use packages and reproducible deployments.

Setup Requirements

⚠️Requires Nix package manager. Users unfamiliar with Nix will have a learning curve for setup and usage.
⚠️Developing or extending the framework for custom servers may require Node.js/npm and TypeScript knowledge (as indicated by the 'package-lock.json' for 'slite-mcp-server').
⚠️Specific MCP server modules configured by this framework will have their own runtime dependencies (e.g., Python for some tools, specific binaries) that need to be met.

Verified SafeView Analysis

The repository leverages Nix, which inherently promotes reproducible and isolated builds, reducing supply chain risks. It explicitly addresses security concerns regarding credentials by recommending `envFile` or `passwordCommand` instead of hardcoding sensitive information directly into Nix store-readable attributes. The provided `toml-inline-gen.py` and `update.sh` scripts are straightforward and do not contain obvious 'eval' or malicious patterns. While `package-lock.json` lists various dependencies (including dev tools like `eslint`, `vitest`, `typescript`), without access to the full source code of the individual MCP servers, a complete deep dive into potential vulnerabilities of all transitive dependencies isn't possible, but the framework itself demonstrates good security awareness and practices for its configuration role.

Updated: 2026-01-19GitHub→

PreviousPage 35 of 760Next