Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(9120)

100
1589
Medium Cost
agentgateway icon

agentgateway

by agentgateway

Sec8

An API Gateway specialized for agent-to-agent and agent-to-tool communication, providing routing, security, and AI/LLM integration capabilities.

Setup Requirements

  • ⚠️Requires OpenSSL for regenerating test certificates (standard on most Unix-like systems).
  • ⚠️Many examples utilize Docker/Docker Compose for deployment, suggesting it's a common setup. Requires a Rust toolchain to build and run from source.
  • ⚠️For AI/LLM functionalities, external API keys and credentials (e.g., OpenAI, Anthropic, AWS Bedrock, Google Vertex AI) are required, which may incur costs.
Verified SafeView Analysis
The project demonstrates a strong focus on security, implementing TLS/mTLS, JWT, RBAC, and rate-limiting policies. It also includes AI-specific guardrails like prompt guarding and PII recognition. Test certificates are explicitly marked as 'test-only' and not for production use. Configuration often leverages environment variables for sensitive data. The use of Common Expression Language (CEL) for policy evaluation, while involving an 'eval'-like mechanism, is a controlled, sandboxed execution environment and not a general arbitrary code execution risk. Overall, the architecture and implementation suggest a high standard for security, with primary risks stemming from potential misconfigurations rather than inherent vulnerabilities.
Updated: 2026-01-19GitHub
100
26078
Medium Cost
github icon
Sec9

The GitHub MCP Server enables AI agents, assistants, and chatbots to interact with GitHub's platform for repository management, issue/PR automation, CI/CD intelligence, code analysis, and team collaboration through natural language.

Setup Requirements

  • ⚠️Requires a GitHub Personal Access Token (PAT) for authentication, which needs to be generated and configured with appropriate scopes.
  • ⚠️Running locally typically requires Docker installed and running, or Go 1.21+ for building from source.
  • ⚠️Remote server OAuth support varies by host application and may require a registered GitHub App or OAuth App to be set up.
Verified SafeView Analysis
The project demonstrates strong security practices: * **Authentication & Authorization:** Emphasizes secure Personal Access Token (PAT) handling, OAuth, and GitHub App installation controls with policies for minimum scopes, token rotation, and non-committal storage. * **Input Sanitization:** Uses 'bluemonday' to sanitize HTML content, mitigating Cross-Site Scripting (XSS) risks. * **Lockdown Mode:** Provides an additional security layer for public repositories by filtering content from users without push access. * **Error Handling:** Differentiates user-actionable errors from developer errors and stores detailed error information in context for middleware analysis without exposing sensitive data. * **Dependency Audits:** Lists third-party licenses, indicating awareness of supply chain security. * **No Obvious Malicious Patterns:** No direct 'eval' or uncontrolled shell execution with untrusted input in the server's core logic. Docker execution is for deployment or testing, not part of the server's internal runtime processing of user input.
Updated: 2026-01-19GitHub
100
19874
High Cost
1Panel-dev icon

MaxKB

by 1Panel-dev

Sec4

MaxKB (Max Knowledge Brain) is an enterprise-grade intelligent agent platform designed to lower the technical barrier and deployment costs of AI implementation, helping businesses quickly integrate mainstream large language models, build proprietary knowledge bases, and offer a progressive upgrade path from RAG to complex workflow automation and advanced agents for various application scenarios like smart customer service and office assistants.

Setup Requirements

  • ⚠️Requires Docker for deployment.
  • ⚠️Requires PostgreSQL database with pgvector extension.
  • ⚠️Integration with various LLMs (e.g., OpenAI, Claude, Gemini) typically requires paid API keys.
  • ⚠️Custom Python tools executed via `exec_code` require careful security review and trust in the code being run.
Review RequiredView Analysis
The system includes a `ToolExecutor.exec_code` function that executes arbitrary Python code strings within a C-level sandbox (`installer/sandbox.c`). While efforts are made to restrict network access, subprocess creation, and syscalls within the sandbox, executing arbitrary code is a critical security risk due to the potential for bypasses or vulnerabilities in the sandbox implementation itself. The system correctly implements URL validation (e.g., `is_private_ip`, `validate_url`) to mitigate Server-Side Request Forgery (SSRF) and uses XSS protection for Markdown rendering. Sensitive credentials for LLM providers are intended to be encrypted and stored, which is a good practice, but the core execution model remains high-risk.
Updated: 2026-01-19GitHub
100
91652
Medium Cost
google-gemini icon

gemini-cli

by google-gemini

Sec8

Provides an A2A (Agent-to-Agent) server for the Gemini CLI, enabling external agents to interact with and utilize the CLI's capabilities for executing tasks and accessing tools.

Setup Requirements

  • ⚠️Node.js version 20 or higher is required.
  • ⚠️Docker or Podman is required for container-based sandboxing, which is used by the underlying Gemini CLI.
  • ⚠️A Google Cloud Storage bucket name (`GCS_BUCKET_NAME`) is required for task persistence if GCS is configured.
Verified SafeView Analysis
The A2A server leverages the robust policy and sandboxing mechanisms of the underlying `gemini-cli-core` package. It uses `express` for HTTP communication with configurable CORS to restrict access. Input validation for task IDs is implemented to prevent path traversal in cloud storage paths. API keys and authentication tokens are expected to be provided via environment variables. The primary security risks would stem from a misconfiguration of the `gemini-cli-core` settings (e.g., enabling YOLO mode or overly permissive tool policies) or from vulnerabilities in underlying dependencies. No direct `eval` or blatant hardcoded secrets are evident, but reliance on the core CLI's runtime execution policies is critical.
Updated: 2026-01-19GitHub
100
10428
High Cost
0xJacky icon

nginx-ui

by 0xJacky

Sec7

A web-based UI for managing Nginx configurations, monitoring logs, automating SSL certificate issuance via ACME, and providing AI-powered assistance for Nginx-related tasks and terminal commands.

Setup Requirements

  • ⚠️Requires Nginx to be installed and its configuration directories (e.g., `/etc/nginx`) to be accessible by the `nginx-ui` application, often necessitating specific permissions or Docker volume mounts.
  • ⚠️Utilizing LLM features for Nginx configuration or code completion requires an OpenAI API Key, which is a paid service, and should be considered for potential data exposure to third-party providers.
  • ⚠️Proper configuration of `LogDirWhiteList` in settings is mandatory for Nginx log viewing and indexing functionality; misconfiguration will prevent log access.
Verified SafeView Analysis
The project implements robust authentication mechanisms including WebAuthn, TOTP, external OAuth integrations, and brute-force protection for login, which is commendable. API endpoints are generally well-validated, and critical file access paths (e.g., Nginx logs) utilize whitelisting (`LogDirWhiteList`) to prevent path traversal. Encrypted parameters for login requests enhance credential security in transit. However, there are notable areas for improvement: The backup/restore functionality transmits the AES encryption key and IV directly in HTTP headers or form data, which means an attacker intercepting the transaction could decrypt the backup. A more secure approach would involve a user-provided passphrase for key derivation. Additionally, the integration with external LLMs (like OpenAI) for configuration assistance and code completion poses inherent data leakage risks, as sensitive Nginx configurations or system information could be sent to third-party services. Users must be aware of and configure these integrations carefully. Finally, as an Nginx management tool, ensuring proper least-privilege execution and hardening permissions in the deployment environment is critical to mitigate potential privilege escalation vulnerabilities, although the Go code itself attempts to constrain file operations to defined paths.
Updated: 2026-01-17GitHub
100
2450
Medium Cost
microsoft icon

mcp

by microsoft

Sec9

Provides AI agents with comprehensive access to Microsoft Azure service APIs, JSON schemas for item definitions, and best practices for AI-assisted development, all running locally without direct connection to live Azure environments.

Setup Requirements

  • ⚠️Requires Node.js (Latest LTS version) if installing via 'npx' for manual configuration (e.g., for VS Code .mcp.json or Windsurf).
  • ⚠️Requires .NET SDK (version 10.0.100 as per global.json, or a compatible v9.x/v8.x if building from source or running the .NET executable directly).
  • ⚠️Manual configuration requires correctly editing client-specific configuration files (e.g., .vscode/mcp.json) with precise command paths and arguments, which can be error-prone.
Verified SafeView Analysis
The server design emphasizes 'local-first' execution, meaning it runs on the user's machine and primarily provides contextual information (API specs, schemas) rather than directly interacting with live Azure environments. Telemetry collection is configurable and explicitly set to 'false' in development settings, and honors VS Code's telemetry preference. No 'eval' or other obvious malicious obfuscation patterns were found. Development configurations (like Azure AD client/tenant IDs in launchSettings.json) appear to be for public client registrations or sample purposes, not sensitive server secrets. Dependency on 'dotenv' and 'secretlint' (dev dependency) indicates awareness of secure coding practices. A potential 'dynamic download' optimization mentioned in VSIX-DESIGN.md is explicitly noted as 'Not currently implemented in the default design', which mitigates a potential runtime supply chain risk.
Updated: 2026-01-19GitHub
100
1728
Medium Cost
samanhappy icon

mcphub

by samanhappy

Sec5

An orchestration hub that aggregates, manages, and routes Model Context Protocol (MCP) servers and their tools, providing a centralized interface, user management, OAuth 2.0 authorization server capabilities, and AI-powered tool discovery and routing.

Setup Requirements

  • ⚠️Database (PostgreSQL) is required for 'Better Auth', 'Activity Logging', and 'Smart Routing' features (configured via DB_URL environment variable).
  • ⚠️OpenAI API Key (Paid) and an embedding model are required for 'Smart Routing' (AI-powered tool discovery using vector search).
  • ⚠️CRITICAL: The JWT_SECRET environment variable MUST be explicitly set in production for security and persistent user sessions; a temporary random key is generated otherwise.
Review RequiredView Analysis
CRITICAL RISKS: 1. Remote Code Execution (RCE) via `ServerConfig` 'command' and 'args' fields, allowing arbitrary command execution on the host system. This is a very high-severity vulnerability if server configuration can be modified by an attacker or unauthorized user. 2. DXT file uploads (ZIP archives) pose a high risk for path traversal and arbitrary file writes/execution due to inadequate sandboxing during extraction and processing. 3. Parsing of user-controlled base64-decoded JSON from the `state` parameter in OAuth callbacks could be vulnerable to prototype pollution. 4. The JWT_SECRET falls back to a temporary random key if not explicitly set, creating a critical security flaw in production as it leads to session invalidation on restarts and potential session hijacking if guessed or deduced. 5. Public OAuth dynamic client registration (RFC 7591) without authentication (default config) requires careful security considerations. 6. The `OpenAPIClient`'s `passthroughHeaders` could expose sensitive information or allow injection if not explicitly managed.
Updated: 2026-01-18GitHub
100
3744
Medium Cost
cameroncooke icon

XcodeBuildMCP

by cameroncooke

Sec5

Provides an MCP (Model Context Protocol) server for AI agents and other clients to programmatically build, test, run, and debug iOS and macOS applications, manage simulators/devices, and capture logs.

Setup Requirements

  • ⚠️Requires Xcode Command Line Tools installed and configured.
  • ⚠️Requires Node.js (specific version details might be in `NODEJS_2025.md`).
  • ⚠️Downloads external `xcodemake` binary from GitHub if not found locally.
  • ⚠️Downloads project templates from GitHub for scaffolding operations.
  • ⚠️Requires `axe` (Apple UI Automation Helper) to be installed or accessible via a bundled version.
  • ⚠️Sentry DSN configuration (optional) for error reporting.
Review RequiredView Analysis
The server downloads external binaries (xcodemake) and project templates from specific GitHub repositories, which presents a supply chain risk if these repositories are compromised. Command execution heavily relies on `child_process.spawn` with `useShell: true` for Xcode-related commands. Many tools pass user-provided `extraArgs` directly to these shell commands without explicit sanitization within the tool's logic, creating a potential shell injection vulnerability if client-side input is not strictly controlled. While Zod is used for schema validation, it cannot fully mitigate shell interpretation of valid strings. The server operates with privileges necessary for Xcode development, meaning an exploit could lead to sensitive operations (e.g., code signing, system access).
Updated: 2026-01-17GitHub
100
5412
Medium Cost
kreuzberg-dev icon

kreuzberg

by kreuzberg-dev

Sec8

Extracts text, tables, images, and metadata from 56 file formats including PDF, Office documents, and images. Supports multiple OCR backends, extensible plugins, and is designed for data preprocessing in AI/ML workflows.

Setup Requirements

  • ⚠️Python 3.10+ required
  • ⚠️Optional: ONNX Runtime 1.22.x+ for embeddings support
  • ⚠️Optional: Tesseract OCR for OCR functionality
  • ⚠️Optional: LibreOffice for full support of legacy Microsoft Office formats (.doc, .ppt, .xls)
Verified SafeView Analysis
The core Rust library implements robust security features, including explicit data validation (e.g., zip bomb, XML entity expansion prevention) and graceful panic handling at FFI boundaries. External process execution (e.g., LibreOffice for older Office formats) introduces an inherent risk, but the project appears to be aware and implements safeguards. No direct 'eval' or obvious hardcoded sensitive credentials were found in the provided code snippets. Overall, the project demonstrates a strong focus on secure processing of potentially untrusted inputs, but risks associated with native code execution and external dependencies should always be considered.
Updated: 2026-01-18GitHub
100
5059
High Cost
mrexodia icon

ida-pro-mcp

by mrexodia

Sec3

This project provides an MCP (Model Context Protocol) server that integrates with IDA Pro, enabling AI assistants to perform reverse engineering tasks like binary analysis, decompilation, memory manipulation, and debugging within the IDA Pro environment.

Setup Requirements

  • ⚠️Requires Python 3.11 or higher.
  • ⚠️Requires IDA Pro 8.3 or higher (IDA Free is not supported).
  • ⚠️Requires manual restart of IDA Pro and the MCP client after installation/configuration changes.
Review RequiredView Analysis
The project includes a `py_eval` tool which allows arbitrary Python code execution (`eval` and `exec`) within the IDA Pro context. This is a severe remote code execution (RCE) vulnerability if the server is exposed to untrusted clients or if the `--unsafe` flag is used. While this tool is marked `@unsafe` and can be managed via a web-based configuration page, its presence significantly lowers the security posture. Default binding to `127.0.0.1` limits direct external network exposure, but CORS policies can be made 'unrestricted'.
Updated: 2026-01-16GitHub
100
1093
Medium Cost
joey-zhou icon
Sec2

Provides backend support and a management platform for smart hardware devices, focusing on AI-powered voice interaction, device management, and IoT control.

Setup Requirements

  • ⚠️Requires API keys for chosen LLM (e.g., OpenAI, ZhiPuAI, Xunfei, Ollama, Coze, Dify), STT, and TTS providers.
  • ⚠️Requires Docker or local installations of MySQL and Redis for data persistence and caching.
  • ⚠️Implicitly requires ESP32 hardware for full functionality as an IoT backend. Local Vosk and Silero VAD models need to be present at `models/vosk-model` and `models/silero_vad.onnx` respectively.
  • ⚠️Frontend JSEncrypt keys (`web/src/utils/jsencrypt.ts`) need to be managed and are a potential security concern if not for trivial local storage encryption.
Review RequiredView Analysis
A critical security vulnerability exists in `WebSocketHandler.java` where device authentication is commented out, allowing any device with a known `device-id` to connect without a valid token. The frontend code (`web/src/utils/jsencrypt.ts`) contains hardcoded RSA public and private keys, which is a significant client-side security risk if used for anything beyond local storage convenience. File upload functionality (`FileUploadController.java`) allows configurable upload paths, which could be exploited for arbitrary file writes if the target directory is not properly secured on the server. The application uses Spring Security/Sa-Token for API authentication, which is generally good, but this does not cover the unauthenticated WebSocket endpoint.
Updated: 2026-01-13GitHub
100
3536
Medium Cost
antvis icon
Sec8

A Model Context Protocol server for generating charts using AntV for various data visualization and analysis needs.

Setup Requirements

  • ⚠️Requires Node.js runtime (handled by npx for ease of use).
  • ⚠️Relies on an external chart generation service (https://antv-studio.alipay.com/api/gpt-vis by default); private deployment is possible via `VIS_REQUEST_SERVER` environment variable.
  • ⚠️Geographic map generation tools (district, path, pin maps) are limited to data within China and use AMap service.
Verified SafeView Analysis
The server uses Zod for robust input validation on all chart generation tools, which helps prevent malformed data and potential injection issues. It offloads actual chart rendering to an external service (defaulting to AntV's public service), which means data is transmitted off-server by default. While this is configurable for private deployments, users should be aware of this data flow. CORS is enabled for all origins ('*'), which is typical for an API designed for broad client integration but should be considered in specific deployment scenarios.
Updated: 2026-01-19GitHub
PreviousPage 4 of 760Next