Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(9120)

60
143
Medium Cost
CelestoAI icon

agentor

by CelestoAI

Sec3

Build and deploy scalable AI agents that can interact with various tools and communicate via A2A and MCP protocols.

Setup Requirements

  • ⚠️Requires API keys for LLMs (e.g., OPENAI_API_KEY, LLM_API_KEY) and various tools (e.g., WEATHER_API_KEY, BRIGHT_DATA_API_KEY, GITHUB_TOKEN, SLACK_TOKEN, CELESTO_API_KEY) which may involve paid services.
  • ⚠️Dependencies for specific tools (e.g., `psycopg2-binary` for PostgreSQL, `PyGithub` for GitHub) are optional and must be installed with `pip install agentor[<extra>]` as needed.
  • ⚠️Setting up Google OAuth credentials is required for `GmailTool`.
  • ⚠️Requires Python 3.10 or higher.
Review RequiredView Analysis
The `ShellTool` allows for arbitrary shell command execution, which is a critical security risk in a server environment without robust sandboxing and explicit human approval for each command. The `FetchTool` can make arbitrary HTTP requests, enabling potential SSRF or data exfiltration if the agent's input is compromised. Tools interacting with external services like `GitHubTool`, `SlackTool`, and `GmailTool` grant significant access to sensitive platforms and could be abused by a malicious agent. The `PostgreSQLTool` could be vulnerable to SQL injection if LLM-generated queries are not properly sanitized before execution. Hardcoded API keys are avoided, relying on environment variables, but the presence of highly permissive tools drastically increases the attack surface.
Updated: 2026-01-14GitHub
59
115
Medium Cost
petabridge icon

memorizer-v1

by petabridge

Sec7

A .NET-based service for AI agents to store, retrieve, and search through memories using vector embeddings, featuring asynchronous chunking, version control, and relationship management.

Setup Requirements

  • ⚠️Docker and Docker Compose are required for easy setup and dependency management.
  • ⚠️An Ollama service (or compatible LLM/embedding API) is required for vector embeddings and LLM operations, which is typically managed via Docker Compose.
  • ⚠️PostgreSQL with the pgvector extension is required as the primary data store.
Verified SafeView Analysis
The project uses permissive default CORS settings and hardcoded default credentials for PostgreSQL and PgAdmin in `appsettings.json` and `docker-compose.yml`. While common for development, these pose significant security risks if deployed to production without modification. However, the `docs/security.md` provides explicit guidance on securing the application for production, including restricting CORS, using secure connection strings, and managing credentials securely. No 'eval', obfuscation, or immediately malicious patterns were found in the provided code snippets.
Updated: 2026-01-14GitHub
59
5
Medium Cost
jxnl icon
Sec8

This MCP server acts as a gateway, allowing AI assistants to interact with the Cursor Cloud Agents API to create, manage, and monitor automated tasks on GitHub repositories.

Setup Requirements

  • ⚠️Requires `CURSOR_API_KEY` environment variable, obtained from cursor.com/settings.
  • ⚠️Requires Node.js version 18.0.0 or higher.
  • ⚠️Local Git CLI must be installed for `get_repos` to detect local repositories.
Verified SafeView Analysis
The server uses `child_process.exec` for local Git operations. While `cwd` is passed as a separate option mitigating direct command injection, the `regex_patterns` in `get_repos` could theoretically be used for a ReDoS attack if supplied with complex, malicious regexes by an attacker controlling inputs. However, this is a localized resource exhaustion risk rather than remote code execution. The `CURSOR_API_KEY` is correctly fetched from environment variables, not hardcoded. Error messages are sanitized for production environments.
Updated: 2025-11-25GitHub
59
131
Medium Cost
buildswithpaul icon

Frappe_Assistant_Core

by buildswithpaul

Sec7

AI-powered business data analysis and document management by connecting Claude Desktop (or other LLMs) to Frappe ERP systems.

Setup Requirements

  • ⚠️Requires a running Frappe/ERPNext instance with the `frappe_assistant_core` app installed and API access enabled.
  • ⚠️Requires extensive Python data science libraries (e.g., pandas, numpy, matplotlib, seaborn, plotly, scipy, pypdf, Pillow, python-docx, pdfplumber) to be installed in the Frappe environment.
  • ⚠️Requires a system-level Tesseract OCR installation for image and scanned PDF content extraction.
  • ⚠️OAuth 2.0 configuration for LLM clients, including generating API credentials and potentially configuring CORS for development tools.
Review RequiredView Analysis
The server extensively uses Python's `exec()` for running AI-generated code. This is mitigated by a multi-layered sandboxing approach: `ReadOnlyDatabase` wraps all `frappe.db` calls to prevent write/delete/update SQL operations; `_scan_for_dangerous_operations` performs static code analysis to block a wide array of dangerous keywords (e.g., `DELETE`, `DROP`, `INSERT`, `exec`, `eval`, `__import__`, `open`, network calls like `requests`, `urllib`); the execution environment (`_setup_secure_execution_environment`) carefully whitelists built-in functions and pre-loads only safe modules, while explicitly removing dangerous ones (`os`, `sys`, `subprocess`, `socket`, `threading`, `multiprocessing`, `asyncio`, `ctypes`, `imp`, `importlib`); user permissions are strictly enforced (`frappe.has_permission`). Unicode sanitization is also performed. Despite these rigorous protections, relying on `exec` with external input inherently carries a risk of potential bypass if a subtle vulnerability exists in the sandboxing or static analysis.
Updated: 2026-01-16GitHub
59
184
Low Cost
rocketship-ai icon

rocketship

by rocketship-ai

Sec9

This MCP server assists AI coding agents by providing Rocketship testing examples, optimal test structure, schema information, CLI guidance, and codebase analysis to help agents write better Rocketship tests.

Setup Requirements

  • ⚠️Requires Node.js 18+ to run the MCP server.
  • ⚠️The build process requires the Go-based Rocketship CLI to be buildable and runnable for dynamic introspection, implying a Go development environment dependency during compilation.
  • ⚠️Full functionality of the integrated 'agent' plugin (which consumes this MCP server's knowledge) depends on `ANTHROPIC_API_KEY` and `claude-agent-sdk` (installed via pip), incurring external API costs and Python dependencies.
Verified SafeView Analysis
The MCP server's primary function is to provide informational guidance and structured knowledge, not to perform direct file modifications or arbitrary code execution at runtime. CLI introspection, which involves building and executing the Rocketship CLI, is an isolated step performed during the build process to embed dynamic knowledge. There are no direct 'eval' patterns or hardcoded secrets found within the MCP server's codebase itself. While the 'agent' plugin (a client of this MCP server) operates with 'bypassPermissions' for non-interactive QA, this refers to the agent's interaction model with its environment rather than a vulnerability of the MCP server.
Updated: 2026-01-19GitHub
59
30
Medium Cost
Kirachon icon

context-engine

by Kirachon

Sec7

Provides an agent-agnostic local context engine via Model Context Protocol (MCP) for coding agents, enabling semantic search, planning, code review, and prompt enhancement with AI integration.

Setup Requirements

  • ⚠️Requires Node.js 18 or higher to run.
  • ⚠️Requires Auggie CLI (`npm install -g @augmentcode/auggie`) for setup and authentication.
  • ⚠️Relies on an external Augment API Token (`AUGMENT_API_TOKEN` environment variable or `auggie login`), which likely incurs costs for LLM and embedding services. Offline mode (`CONTEXT_ENGINE_OFFLINE_ONLY=true`) can be enabled, but requires a pre-built local index and disables online features.
  • ⚠️Optional static analysis features require `tsc` (TypeScript) and optionally `semgrep` to be installed and available in the system's PATH.
Verified SafeView Analysis
The system is designed for 'local-first' operation and includes features like `secretScrubber` to prevent sensitive data exposure to LLMs and robust path validation to prevent traversal attacks. However, it relies on an external 'Auggie API' (default behavior) for core embedding and LLM features, contradicting the 'no data leaves the machine' claim from the architecture documentation. Users should be aware that data is sent to Augment's API unless `CONTEXT_ENGINE_OFFLINE_ONLY` is enabled and a local index is pre-built. An optional HTTP server runs locally, restricted by CORS. User-defined regular expressions in `.review-invariants.yml` (for the `check_invariants` tool) could pose a ReDoS risk if not carefully crafted and validated.
Updated: 2026-01-14GitHub
59
181
High Cost
lostintangent icon

gistpad-mcp

by lostintangent

Sec9

Manages and shares personal knowledge, daily notes, and reusable prompts via GitHub Gists for MCP-enabled AI products.

Setup Requirements

  • ⚠️Requires a GitHub Personal Access Token (PAT) with 'gist' scope set as `GITHUB_TOKEN` environment variable.
  • ⚠️Requires Node.js v22.0.0 or higher.
  • ⚠️Requires manual configuration in the MCP client to add the server's command and environment variables.
Verified SafeView Analysis
The server securely handles GitHub API authentication via a `GITHUB_TOKEN` environment variable, which is explicitly validated as required. It implements input validation using Zod for all tool arguments. No usage of `eval` or direct arbitrary command execution of user input was found. The core functionality relies on the GitHub Gist API, confining operations to the token's permissions. The README strongly recommends generating a PAT with *only* the `gist` scope to minimize potential risks.
Updated: 2026-01-16GitHub
59
222
Low Cost
punkpeye icon

mcp-proxy

by punkpeye

Sec8

A TypeScript streamable HTTP and SSE proxy for MCP servers that use stdio transport.

Setup Requirements

  • ⚠️Requires a running MCP server accessible via stdio (e.g., a local Node.js or Python process).
  • ⚠️Requires Node.js installed in the environment.
  • ⚠️Using `--shell` or `--tunnel` options with an untrusted underlying MCP server exposes significant security risks.
Verified SafeView Analysis
The MCP Proxy itself demonstrates robust implementation for its core functionality and configurable security features. It supports API key authentication via `X-API-Key` headers and custom stateless OAuth 2.0 JWT Bearer token authentication through a user-provided callback. HTTPS/SSL is supported for encrypted communication. CORS is configurable with sensible defaults, allowing users to fine-tune origin, methods, and headers. The `/ping` and `OPTIONS` endpoints are exempt from authentication. However, as a proxy, its overall security posture heavily depends on the trustworthiness and security of the underlying MCP server it spawns and communicates with over stdio. The use of `child_process.spawn` (especially with the `--shell` option) means that executing untrusted commands via the proxy could lead to arbitrary code execution on the host. The `--tunnel` feature, while convenient, exposes the local server to the public internet, requiring careful consideration of the proxied application's vulnerabilities. No obvious hardcoded secrets, `eval` usage on untrusted input, or malicious patterns were found within the proxy's source code itself.
Updated: 2026-01-19GitHub
59
31
Medium Cost
dhanababum icon

supermcp

by dhanababum

Sec4

A multi-tenant SQL database connector for the MCP platform, enabling AI assistants to interact with various SQL databases like PostgreSQL, MySQL, MSSQL, Oracle, Snowflake, and SQLite through a unified interface.

Setup Requirements

  • ⚠️Requires Python 3.12+.
  • ⚠️Deployment is primarily demonstrated via Docker and Docker Compose, requiring familiarity with containerization.
  • ⚠️The core `app` backend requires a PostgreSQL database (TimescaleDB recommended). Specific database drivers (e.g., `psycopg2-binary`, `pymysql`) must be installed for each target SQL database type the connector intends to support.
  • ⚠️The hardcoded `SECRET = "SECRET"` in `app/src/users.py` for user authentication tokens must be manually changed in the source code or overridden via environment variables for any non-development deployment to prevent critical security vulnerabilities.
Review RequiredView Analysis
The `app/src/users.py` file, which is part of the core SuperMCP backend that manages connectors, contains a hardcoded `SECRET = "SECRET"` used for password reset and email verification tokens. This is a critical vulnerability that makes user account management insecure. Docker Compose files for development (`docker-compose.dev.yml`, `docker-connectors-compose.yml`) include default placeholder secrets (`mysecretpassword`, `your-super-secret-jwt-key-change-in-production`, `CONNECTOR_SECRET` UUIDs) which must be replaced with strong, unique values in production environments. Good security practices observed include the use of parameterized queries to prevent SQL injection, Pydantic for input validation, bcrypt for hashing connector secrets, and FastAPI-Users for authentication.
Updated: 2026-01-18GitHub
59
109
Medium Cost
cobanov icon

teslamate-mcp

by cobanov

Sec8

Connects a TeslaMate PostgreSQL database to AI assistants, enabling natural language queries about Tesla vehicle data and analytics.

Setup Requirements

  • ⚠️Requires an existing and running TeslaMate instance with a PostgreSQL database.
  • ⚠️Requires the `DATABASE_URL` environment variable to be configured correctly.
  • ⚠️Authentication is optional but highly recommended for remote deployments; otherwise, the server will be publicly accessible.
  • ⚠️Python 3.11+ or Docker is required for setup.
Verified SafeView Analysis
The server implements robust SQL validation (`src/validators.py`) to ensure only read-only `SELECT` queries are executed, preventing common SQL injection attacks. Environment variables are used for sensitive configurations like `DATABASE_URL` and `AUTH_TOKEN`, avoiding hardcoded secrets. Optional bearer token authentication is available for remote deployments (`main_remote.py` includes `BearerAuthMiddleware`), which is crucial for securing the API. The primary security consideration is to ensure authentication is enabled and correctly configured when deploying the server remotely, as without it, the API would be publicly accessible over HTTP.
Updated: 2025-11-29GitHub
59
101
High Cost
tuannvm icon
Sec8

Serves as a Model Context Protocol (MCP) bridge to integrate OpenAI's Codex CLI for AI-powered code analysis, generation, and review within various editors like Claude Code, VS Code, and Cursor.

Setup Requirements

  • ⚠️Requires Codex CLI v0.75.0+ to be installed globally.
  • ⚠️Requires an OpenAI API key for authentication with the Codex CLI (implies paid usage).
  • ⚠️User must explicitly log in to Codex CLI via `codex login --api-key "your-openai-api-key"`.
Verified SafeView Analysis
The server uses `child_process.spawn` to execute the `codex` CLI. While user-provided prompts and working directories are passed to the CLI, the server takes precautions: the executable `codex` is fixed, and arguments are constructed and escaped (`escapeArgForWindows`) to mitigate direct shell injection. Session IDs are validated with a regex. No hardcoded secrets were found; API keys are expected to be managed by the underlying Codex CLI's login mechanism. The main security surface area relies on the robustness of the `codex` CLI itself in processing arbitrary user input, which is an external dependency.
Updated: 2026-01-19GitHub
58
88
Medium Cost
Kapeli icon
Sec9

Provides tools to interact with the Dash documentation browser API for listing docsets, searching documentation, and enabling full-text search.

Setup Requirements

  • ⚠️Requires macOS to run the Dash application.
  • ⚠️Requires Dash 8 or higher to be installed.
  • ⚠️Requires Python 3.12 or higher (as per pyproject.toml).
  • ⚠️The Dash API server must be enabled in Dash Settings > Integration, although the server attempts to enable it automatically.
Verified SafeView Analysis
The server primarily interacts with the local Dash application's API via the loopback address (127.0.0.1), minimizing external network exposure. It uses `subprocess.run` to manage and launch Dash and enable its API, but these commands use fixed parameters (e.g., bundle identifiers, 'defaults write' keys), preventing injection through user input. No 'eval' or similar dangerous functions are used, and no hardcoded secrets were found.
Updated: 2025-12-11GitHub
PreviousPage 37 of 760Next