Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (9120)

51
156
Low Cost
Sec2

An API-driven registry for Model Context Protocol (MCP) servers, enabling discovery, detail retrieval, and execution of various AI tools and agents.

Setup Requirements

  • ⚠️Requires MeiliSearch for enhanced search features (defaults to http://localhost:7700, can be run via Docker Compose).
  • ⚠️External sandbox providers (Sandock, Daytona, E2B) require API keys if enabled (e.g., SANDOCK_API_KEY, DAYTONA_API_KEY, E2B_API_KEY). Falls back to local execution if not configured or for unsupported runtimes.
  • ⚠️Python 3.13+ and 'uv' package installer are required for managing Python MCP server dependencies. The `install-python-deps.sh` script installs hundreds of Python packages from PyPI.
Review Required
CRITICAL RISK: The registry's design explicitly supports arbitrary code execution through 'StdioClientTransport' for local MCP servers (Node.js, Python, Docker) and as a fallback for sandbox executors. This means installing and running a malicious MCP package can lead to arbitrary code execution on the host system where the registry is running. The `install-python-deps.sh` script installs hundreds of PyPI packages, and the internal validation scripts (`test-mcp-clients.ts`, `py-test-mcp-clients.ts`) also execute MCP client code as part of their process, posing a significant supply chain risk. While sandboxing is an option, its partial support (only Node.js for sandboxes) and fallback to local execution for other runtimes severely limit its effectiveness. User-provided `envs` are passed directly to subprocesses, which could also be exploited.
Updated: 2026-01-05
51
368
Medium Cost

mcp-k8s-go

by strowk

Sec3

This MCP server enables interaction with Kubernetes clusters to list, get, apply, and execute commands on various resources through a conversational interface.

Setup Requirements

  • ⚠️Requires an active Kubernetes cluster and a configured kubeconfig file to function.
  • ⚠️If using the NPM distribution, Node.js and npm are required for installation and execution.
  • ⚠️If using the Docker distribution, Docker runtime is required.
Review Required
The 'k8s-pod-exec' tool directly executes user-provided commands using 'sh -c' within a Kubernetes pod. While this is the intended functionality for remote execution, it poses a critical security risk if input is not strictly sanitized or if the tool is exposed to untrusted users or unconstrained AI agents, potentially leading to arbitrary code execution or privilege escalation within the cluster. Although a '--readonly' flag exists to disable this tool, it is not enabled by default. The server does include a '--mask-secrets' flag which is true by default, mitigating some data exposure risks for Kubernetes secrets.
Updated: 2025-12-22
51
3
Medium Cost
Sec8

Provides metacognitive protocols to AI coding agents to help them recover from being stuck in common development scenarios without human intervention.

Setup Requirements

  • ⚠️Requires ANTHROPIC_AUTH_TOKEN environment variable, implying a paid Anthropic API key.
  • ⚠️Requires a Cloudflare account for deployment using `wrangler deploy`.
  • ⚠️Requires `npm run generate:scenarios` to be run during development/build to discover and compile prompt markdown files.
Verified Safe
The server uses environment variables for API keys and allowed origins, preventing hardcoding. It uses standard SDKs from Anthropic and Model Context Protocol. Input parsing for AI-generated sampling questions uses `JSON.parse` which, while generally safe for data, requires trust in the model's output not to contain malicious constructs. Origin validation is implemented for web requests.
Updated: 2025-11-29
51
116
Medium Cost
Sec4

Enable natural language interactions and automation with Salesforce data and metadata for AI models.

Setup Requirements

  • ⚠️Requires Salesforce authentication (Username/Password, OAuth 2.0 Client Credentials, or Salesforce CLI) with specific environment variables set.
  • ⚠️If using 'Salesforce_CLI' authentication, the Salesforce CLI (`sf`) must be installed and an org authenticated locally.
  • ⚠️Requires Node.js and npm/npx to be installed for execution.
Review Required
The server has potential SOQL injection vulnerabilities in `salesforce_query_records`, `salesforce_aggregate_query`, and `salesforce_manage_debug_logs` (when querying for usernames) due to direct string concatenation of user-provided arguments (e.g., `whereClause`, `orderBy`, `username`) into SOQL queries without explicit sanitization. Tools for `salesforce_write_apex`, `salesforce_write_apex_trigger`, and `salesforce_execute_anonymous` directly accept and execute arbitrary Apex code bodies, which is a critical risk if the upstream AI model is compromised or generates malicious code. While `SECURITY.md` mentions that 'All SOQL inputs are sanitized to prevent injection,' the code review contradicts this for certain parameters. Hardcoded secrets are not evident, as environment variables are used for authentication.
Updated: 2026-01-19
51
6
Medium Cost

obsidian-mcp-server

by smith-and-web

Sec6

Enables AI assistants to interact with and manage an Obsidian markdown vault via the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires a `VAULT_PATH` environment variable pointing to the Obsidian vault, which must be correctly mounted/configured.
  • ⚠️API Key (`API_KEY`) is optional but CRITICAL for security; omitting it makes the server publicly accessible with full file system access.
  • ⚠️Requires Node.js >= 18.0.0.
Verified Safe
The server performs extensive file system operations (read, write, delete, move) on the configured VAULT_PATH. While path manipulation is mitigated by `path.join` and deletion includes a `confirm` safety check, the API_KEY for authentication is optional. Deploying without an API_KEY makes the server publicly accessible, which is a critical security risk given its file access capabilities. CORS is also open by default ('*'), posing another risk if not restricted in production. The server grants full read/write access to the mounted vault.
Updated: 2026-01-19
51
75
Medium Cost

amap-mcp-server

by sugarforever

Sec8

This server provides a set of tools for interacting with Gaode Maps (Amap) APIs, including geocoding, location services, route planning, distance measurement, and POI search.

Setup Requirements

  • ⚠️Requires a valid Amap Maps API Key, obtainable from the Amap Open Platform (lbs.amap.com).
  • ⚠️Requires a Python environment with `uv` (or `pip` and `uvicorn`) installed to run the server.
Verified Safe
The server functions as a wrapper for the Amap APIs. It requires an `AMAP_MAPS_API_KEY` which is securely handled via environment variables as per the documentation. No 'eval' or obfuscation is indicated. When deployed via SSE or Streamable HTTP, standard network security practices (e.g., firewall, access control) should be applied to the exposed endpoint.
Updated: 2025-11-18
51
73
Medium Cost

TriageMCP

by eversinc33

Sec3

Enables an LLM to perform static analysis and triage of PE files using local security tools.

Setup Requirements

  • ⚠️Requires Python 3.13 or newer.
  • ⚠️Requires manual installation and configuration of external tools (FLOSS, UPX, CAPA, YARA rules) and updating their paths in `triage.py`.
  • ⚠️Default tool paths are Windows-specific (e.g., C:\Tools\...).
Review Required
The server allows an LLM to execute external binaries (FLOSS, UPX, CAPA) and access the local filesystem via user-controlled file paths. Without robust input validation, sanitization, or sandboxing mechanisms, a malicious or compromised LLM could potentially: 1) analyze arbitrary system files (information leak via `list_directory`, `get_hashes`, `get_pe_metadata` etc.), 2) attempt to unpack or modify critical system binaries (`upx_unpack`), or 3) exploit command injection vulnerabilities in the external tools if crafted file paths are passed directly to `subprocess` calls. The hardcoded tool paths also mean the setup is specific and not easily adaptable to different security contexts without code modification.
Updated: 2025-12-01
51
9
Low Cost

mcp-zero

by zeromicro

Sec9

A Model Context Protocol (MCP) tool that helps developers quickly scaffold, generate, analyze, and manage go-zero microservice projects using natural language.

Setup Requirements

  • ⚠️Requires Go 1.19 or later to build and run.
  • ⚠️Requires go-zero CLI (goctl) to be installed and discoverable (via PATH or GOCTL_PATH env var).
  • ⚠️Requires an MCP-compatible client (e.g., Claude Desktop) for interaction.
Verified Safe
The project includes explicit security considerations and documentation (SECURITY_AUDIT.md, SECURITY_VERIFICATION.md). It implements input validation, path traversal protection, command injection prevention, and secure credential handling (no logging/persistence, memory clearing). External commands use `exec.Command` which safely escapes arguments. Generated code security is validated structurally. One medium-priority recommendation is for enhanced memory clearing to overwrite sensitive data before clearing.
Updated: 2025-12-01
51
56
Medium Cost

Manage Bear Notes (search, read, create, update) directly through AI conversations, offering local-only data processing and privacy.

Setup Requirements

  • ⚠️Requires Bear app installed on macOS.
  • ⚠️Requires Node.js 22.13.0+ to run the MCP server.
  • ⚠️Claude Desktop's security warning "Installing will grant access to everything on your computer." is a general message; the extension's code explicitly only accesses the Bear Notes SQLite database (~/Library/Group Containers/9K33E3U3T4.net.shinyfrog.bear/Application Data/database.sqlite).
Verified Safe
The server is explicitly designed as 'local-only', with no external network connections, ensuring data privacy. It directly accesses the Bear Notes SQLite database at a fixed, application-specific path for read operations, using parameterized SQL queries to prevent injection. Write operations leverage Bear's X-callback-URL API, invoked via macOS's 'open -g' command, which safely passes the URL as a single argument. No 'eval' or other obfuscation techniques are used, and there are no hardcoded secrets in the provided source code. The primary security 'gotcha' is Claude Desktop's general warning about file system access, which in this case is restricted to the specific Bear database.
Updated: 2026-01-18
51
83
Low Cost

fabric-rti-mcp

by microsoft

Sec8

Provides a Model Context Protocol (MCP) server that enables AI agents to interact with Microsoft Fabric Real-Time Intelligence (RTI) services for data querying, analysis, and management.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️Azure authentication is required (e.g., logged into Azure CLI, VS Code, or configured via environment variables).
  • ⚠️Using the 'kusto_get_shots' tool for semantic search requires an Azure OpenAI embedding endpoint, which is a paid service and needs specific configuration.
Verified Safe
The server uses Azure Identity SDKs (DefaultAzureCredential, ManagedIdentityCredential) for secure authentication and token handling, including an On-Behalf-Of (OBO) flow using MSAL. No hardcoded critical secrets were found. Destructive operations (e.g., Kusto commands, Eventstream deletion) are explicitly marked. The server's HTTP mode uses a broad CORS policy (allowing all origins), which might require stricter network controls for production deployments. User-provided KQL queries, while executed by the server, rely on the upstream AI agent's trustworthiness to prevent malicious queries.
Updated: 2026-01-09
51
93
High Cost

Wazuh-MCP-Server

by gensecaihq

Sec9

Provides an MCP-compliant remote server for seamless integration between AI assistants (like Claude Desktop) and the Wazuh SIEM platform, enabling natural language security operations.

Setup Requirements

  • ⚠️Requires Docker 20.10+ with Compose v2.20+ for deployment.
  • ⚠️Requires a functional Wazuh 4.8.0 - 4.14.1 deployment with API access.
  • ⚠️Wazuh Indexer configuration (WAZUH_INDEXER_HOST, etc.) is mandatory for vulnerability management tools.
  • ⚠️Claude Desktop integration for custom connectors typically requires an HTTPS-accessible server in production and a Claude Pro, Max, Team, or Enterprise plan.
Verified Safe
The project demonstrates excellent security architecture and hardening. Key strengths include hardened Docker container configurations (non-root user, dropped capabilities, read-only filesystem), robust authentication mechanisms (JWT, OAuth 2.0 with PKCE, HMAC for API keys to prevent timing attacks), comprehensive input validation to mitigate injection attacks (SQLi, XSS, path traversal), and network security measures (strict CORS, origin validation, rate limiting, configurable SSL verification). Resilience patterns like circuit breakers, retries, and graceful shutdown are implemented for stability. The configuration validation is extensive, with checks for password strength, host validity, and file permissions. A minor area for improvement is the default in-memory storage for OAuth clients and tokens in `oauth.py` and `auth.py`, which could limit horizontal scalability for these features without external state management. Additionally, the security overview in `docs/security/README.md` contains an outdated reference to 'STDIO-only transport' which is misleading for this remote HTTP/SSE server.
Updated: 2025-12-12
51
138
High Cost
Sec3

Standardizes communication between code editors and AI coding agents, enabling autonomous code analysis and modification via command-line, GUI, or server modes.

Setup Requirements

  • ⚠️Requires Rust toolchain installation (via rustup).
  • ⚠️Platform-specific dependencies for GUI: libxkbcommon-dev (Linux), MetalToolchain (macOS).
  • ⚠️Mandatory configuration of API keys in `providers.json` for LLM services (e.g., ANTHROPIC_API_KEY, OPENAI_API_KEY).
  • ⚠️Requires manual creation and configuration of JSON files (`providers.json`, `models.json`, `projects.json`, `tools.json`).
  • ⚠️Default sandbox policy is 'danger-full-access', allowing unrestricted command execution. Users must manually switch to a more restrictive mode.
  • ⚠️Requires a local Ollama server if using Ollama models.
Review Required
The `execute_command` tool allows for arbitrary shell command execution with the provided command line. By default, the agent runs with a `DangerFullAccess` sandbox policy. The documentation explicitly states that `execute_command` is 'completely unchecked' and there are no checks to prevent relative paths from escaping the project root or accessing git-ignored files. While a sandboxing feature is under active development, the critical permission elevation and tool integration phases are still incomplete. Running this server without explicitly configuring a restrictive sandbox policy or thoroughly understanding its current limitations poses a significant security risk, as a malicious or buggy agent could execute arbitrary code on the host system.
Updated: 2026-01-18