Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

Vetted Servers (7756)

51
119
High Cost
Sec4

An AI coding assistant that autonomously analyzes and modifies code, supporting integration with clients like Claude Desktop via MCP server mode.

Setup Requirements

  • ⚠️Requires Rust toolchain installation.
  • ⚠️Requires macOS Metal Toolchain for GUI on macOS.
  • ⚠️Requires API keys for commercial LLM providers (e.g., Anthropic, OpenAI, Perplexity), which are typically paid services.
  • ⚠️Requires local Ollama installation for local LLM inference, if chosen.
  • ⚠️Initial configuration of `providers.json` and `models.json` is manual.
  • ⚠️Default sandbox mode (`danger-full-access`) poses a significant security risk if not explicitly changed.
Review Required
The `execute_command` tool allows the AI to run arbitrary shell commands. By default, the `sandbox_mode` is `danger-full-access`, which means the agent has full disk and network access, posing a significant security risk if malicious prompts are executed or if the agent is compromised. While a sandboxing feature (macOS `seatbelt`) and `ask_user_approval` exist, they are not the default secure configuration. File system operations are subject to path validation within project roots, but this is bypassed in `danger-full-access` mode. This default configuration makes it unsafe for untrusted input.
Updated: 2025-12-14
51
3
High Cost

DiffPilot

by bkalafat

Sec9

Provides local AI-powered code review, commit message generation, and secret scanning for Git repositories via MCP-compatible AI assistants.

Setup Requirements

  • ⚠️Requires VS Code 1.101+ (if using the extension)
  • ⚠️Requires Node.js 18+
  • ⚠️Requires Git installed and accessible in PATH
  • ⚠️Requires an MCP-compatible AI assistant (e.g., GitHub Copilot, Claude)
Verified Safe
The server implements comprehensive security measures, including strict input validation (CWE-20), command injection (CWE-78) and path traversal (CWE-22) prevention, null byte injection prevention (CWE-158), extensive output sanitization and redaction of sensitive data (CWE-200), rate limiting (CWE-400), and secure error handling with logging (CWE-532). Git commands are executed with timeouts and a buffered approach to prevent resource exhaustion. No 'eval' or direct obfuscation is present. The primary security risk involves the trust in the underlying Git client and the repository itself, which are external to the tool's core logic.
Updated: 2025-12-10
51
61
Low Cost

wasmcp

by wasmcp

Sec7

Build and run composable Model Context Protocol (MCP) servers using WebAssembly components for AI-assisted development.

Setup Requirements

  • ⚠️Requires a WebAssembly runtime like Wasmtime or Spin to execute composed servers.
  • ⚠️Building Rust components requires adding the `wasm32-wasip2` target to Rustup (`rustup target add wasm32-wasip2`).
  • ⚠️Enabling OAuth authentication requires proper JWT configuration via environment variables (e.g., `JWT_PUBLIC_KEY` or `JWT_JWKS_URI`, `JWT_ISSUER`).
  • ⚠️Utilizing the Rego policy engine via the `POLICY` environment variable demands extreme caution, as untrusted policy code could lead to security vulnerabilities.
Verified Safe
The server leverages WebAssembly sandboxing and includes robust JWT validation (issuer, audience, scopes, public key/JWKS). It supports flexible authorization via an embedded Rego policy engine; however, if the `POLICY` or `POLICY_DATA` environment variables can be controlled by untrusted sources, it introduces a significant risk of arbitrary policy execution within the component's sandbox. Outbound HTTP requests (e.g., to JWKS URIs or external APIs like Open-Meteo) are made using WASI `outgoing-handler`, which requires explicit host permissions from the runtime, but untrusted configuration could still lead to SSRF if the runtime is configured permissively. Session management includes validation for session IDs and user-defined keys. The `install.sh` script downloads binaries from GitHub, relying on GitHub's integrity. Overall, the system has strong security features but demands trusted configuration inputs, especially concerning Rego policies and network destinations.
Updated: 2025-12-11
51
63
Low Cost

shinzo-ts

by shinzo-labs

Sec9

Provides OpenTelemetry-compatible instrumentation for TypeScript MCP servers to gain insight into agent usage patterns, contextualize tool calls, and analyze server performance.

Setup Requirements

  • ⚠️Requires Node.js 22.16+
  • ⚠️Requires pnpm 10.2.1+
  • ⚠️Requires an OpenTelemetry collector for full telemetry observability (e.g., Jaeger, Prometheus, Console)
Verified Safe
The codebase demonstrates good security practices by incorporating PII sanitization by default and handling sensitive authentication credentials (bearer tokens, API keys, basic auth) through configuration, ideally sourced from environment variables. No 'eval', obfuscation, or hardcoded secrets were found. Network communication for telemetry export uses OTLP-HTTP, a standard protocol. The PII sanitization regex patterns are a strong feature. The overall design prioritizes secure data handling.
Updated: 2025-12-08
51
38
High Cost

autolearn

by autolearnai

Sec1

AutoLearn is an MCP (Model Context Protocol) server that enables AI agents to dynamically create, improve, and execute Python skills (functional code workflows) from natural language, with real-time updates and persistence.

Setup Requirements

  • ⚠️Requires OpenAI API Key (Paid)
  • ⚠️Requires Python 3.11+
  • ⚠️Frontend requires Node.js and npm install
Review Required
CRITICAL VULNERABILITY: The `backend/sandbox.py` explicitly logs a warning stating 'Executing skill {skill_name} directly (no sandbox) due to pickling limitations'. This means dynamically generated and executed Python code has full access to the underlying server environment, which is an extreme security risk. Additionally, `exec()` is used directly in `backend/skill_engine.py` with code from potentially untrusted AI generation. The CORS `allow_origins=['*']` in `backend/app.py` is also a significant production risk, although noted as a demo setting.
Updated: 2025-11-25
51
83
Medium Cost

mcp-node

by algolia

Sec9

Enables natural language interactions with Algolia search, analytics, and monitoring data via the Model Context Protocol (MCP) and Claude Desktop.

Setup Requirements

  • ⚠️Requires Claude Desktop for integration.
  • ⚠️Authentication with Algolia account via browser-based OAuth is mandatory for full features (or manual API key setup via CLI).
  • ⚠️The pre-built executable is currently only available for macOS; Windows & Linux builds are 'coming soon'.
  • ⚠️Requires Node.js version 22.0.0 or higher to run from source.
Verified Safe
The server uses OAuth for authentication with Algolia, opening a local HTTP server for the callback, which is a standard and generally secure flow. API keys are either managed automatically by the DashboardApi (creating keys with necessary ACLs) and stored in a local state file, or provided via CLI arguments. The OAuth client ID is hardcoded, but this is typically public. No 'eval' or other directly exploitable dangerous patterns were found. The tool's ability to create API keys with broad ACLs (like 'admin') is powerful but within its intended operational scope.
Updated: 2025-12-04
51
67
High Cost
Sec8

Provides seamless integration with FHIR APIs, acting as a bridge between AI/LLM tools and healthcare data for search, retrieval, and analysis.

Setup Requirements

  • ⚠️Requires an accessible FHIR API server.
  • ⚠️Requires Python 3.12+.
  • ⚠️FHIR_SERVER_BASE_URL environment variable is mandatory.
  • ⚠️When running locally via Docker or Docker Compose, authorization should be disabled (`FHIR_SERVER_DISABLE_AUTHORIZATION=True`).
Verified Safe
The server uses Pydantic for configuration validation and environment variable loading, which is good practice. PKCE code generation uses cryptographically secure methods (`secrets`, `hashlib`). HTTP requests to external FHIR servers include timeouts and robust error handling. No 'eval' or direct system command execution is observed. Internal MCP tokens are generated securely. The `decode_jws` function in `oauth/types.py` only decodes the JWT payload and does not perform signature verification; this implies reliance on the upstream OAuth server to have properly validated the ID token's signature during the token exchange flow, which is a common pattern in API gateways acting as OAuth clients.
Updated: 2025-12-11
51
84
High Cost

files-mcp-server

by microsoft

Sec3

This server provides a Model Context Protocol (MCP) interface for local testing with Microsoft OneDrive and SharePoint resources, enabling clients to interact with files, folders, sites, and libraries.

Setup Requirements

  • ⚠️Requires `ODMCP_TENANT_ID` and `ODMCP_CLIENT_ID` environment variables.
  • ⚠️Requires an Azure AD app registration with `Files.ReadWrite.All` and `Sites.Read.All` delegated Graph scopes.
  • ⚠️Designed for developer environments only; not for production use.
  • ⚠️The direct file streaming endpoint uses a hardcoded 'fake' token, making it non-functional for real Graph data without code modification.
Review Required
The primary MCP server mechanism correctly uses delegated authentication via bearer tokens from the client. However, a specific Express route for direct file streaming (`/file/*/contentStream`) hardcodes `token = "fake"` for its Graph API calls. This renders the direct file streaming endpoint non-functional for real Graph access and represents a significant vulnerability or broken feature if not addressed, even within a developer-only context. Required environment variables (Tenant ID, Client ID) are appropriately handled.
Updated: 2025-12-02
51
3
Low Cost
Sec8

A backend server component for processing and serving Markmap visualizations, likely converting Markdown content into interactive mind maps.

Setup Requirements

  • ⚠️Requires Docker for containerized deployment, or Node.js (v18+) and npm/yarn for local development.
  • ⚠️Specific Markmap processing and serving routes or configuration may be required based on the intended use case.
Verified Safe
No obvious 'eval' or obfuscation. Project structure (TypeScript, eslint, tests) suggests modern development practices. Standard server risks (e.g., exposed ports, dependency vulnerabilities) apply, which can be mitigated by containerization via Docker.
Updated: 2025-11-18
51
52
Low Cost
Sec8

Provides AI assistants with semantic understanding of AL (Application Language) codebases and Business Central object relationships by parsing compiled AL symbol files.

Setup Requirements

  • ⚠️Requires .NET SDK 8.0+ for AL CLI (auto-installed, but manual intervention might be needed on some systems for PATH configuration or NuGet sources).
  • ⚠️Relies on compiled AL packages (.app files) being present in `.alpackages` directories or specified paths.
  • ⚠️Initial package loading (especially for large codebases like the Base Application) can take several seconds.
Verified Safe
The server uses `child_process.spawn` to interact with external `AL` and `dotnet` CLI tools, which introduces a dependency on their security. File system operations for package discovery and symbol extraction include safeguards such as limiting recursion depth, blacklisting common system directories (e.g., node_modules, .git), and enforcing absolute paths for `rootPath` to mitigate arbitrary path traversal. Package content (i.e., `.app` files) is processed by extracting `SymbolReference.json` via ZIP or AL CLI; while the server's code itself appears free of obvious malicious patterns like `eval`, a vulnerability could exist if a crafted `.app` file exploits the underlying AL compiler or ZIP extraction process. Users should ensure they are processing trusted AL packages.
Updated: 2025-12-11
51
204
Medium Cost

AutomatedEmulation

by iknowjason

Sec6

Provisions an automated Breach and Attack Simulation (BAS) lab in AWS, integrating Caldera with an LLM-enabled MCP server, VECTR, and a Windows client with Red/Blue tools.

Setup Requirements

  • ⚠️Requires AWS IAM programmatic access keys with permissions to build AWS resources.
  • ⚠️Requires Terraform 1.5.7 (or compatible version) to be installed locally.
  • ⚠️If your public IP address changes or if `ifconfig.me` returns an IPv6 address, terraform apply must be re-run or manual firewall adjustments are needed.
Verified Safe
The project deploys a complex security lab with default administrative credentials (for Caldera and VECTR) that should be immediately changed. The MLflow server for LLM tracing is explicitly stated to be publicly exposed by default, requiring careful configuration of EC2 security groups by the user. While the firewall rules initially whitelist the user's public IP, the option to open to 0.0.0.0/0 exists, posing a significant risk if misused. The core purpose is security emulation, which involves deploying agents and services, but diligent user management of credentials and network access is critical for a secure setup.
Updated: 2025-11-23
51
86
Low Cost

mcp-trino

by tuannvm

Sec9

Enables AI assistants to query Trino distributed SQL engine via Model Context Protocol.

Setup Requirements

  • ⚠️Requires a running Trino (or PrestoSQL) cluster to connect to.
  • ⚠️For production Kubernetes deployments, requires Helm, kubectl, and potentially AWS Load Balancer Controller and a configured OIDC provider for OAuth.
  • ⚠️If OAuth is enabled, `JWT_SECRET` must be consistently configured across all replicas for multi-pod deployments, or OIDC provider details (issuer, audience, client ID/secret) must be provided.
Verified Safe
The project demonstrates strong security awareness. It includes robust SQL injection prevention by defaulting to read-only queries, and allows write queries only with an explicit override and warning. OAuth authentication is implemented using a dedicated, reusable library with strong security features like PKCE, HMAC-signed state, and exact redirect URI matching. It provides good defaults for Kubernetes Pod Security Context (runAsNonRoot, readOnlyRootFilesystem, dropped capabilities, no privilege escalation). Secrets (e.g., Trino password, JWT_SECRET) are handled via Kubernetes Secrets and recommended to be generated securely. CORS is set to `*` by default for HTTP transport, which is permissive but configurable through ingress rules for production. Dependency on an external OAuth library requires trust in that component.
Updated: 2025-12-13
Page 52 of 647