Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (9120)

50
62
Low Cost

alpha_vantage_mcp

by alphavantage

Sec6

Enables LLMs and agentic workflows to seamlessly interact with real-time and historical stock market data through the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires an Alpha Vantage API Key.
  • ⚠️Requires Python 3.13+ for the server component.
  • ⚠️The `uv` package manager is a hard dependency for building and running the server.
  • ⚠️Cloud deployment on AWS is complex, requiring manual setup of IAM roles, S3 buckets, CloudFront distributions, and an ACM certificate in `us-east-1`.
Verified Safe
The OAuth 2.1 implementation in `server/src/oauth.py` is simplified for statelessness. It embeds the user's Alpha Vantage API key directly within base64-encoded authorization codes and uses the API key itself as the client secret for the client_credentials grant. This approach is not a robust OAuth implementation and could expose the Alpha Vantage API key if authorization codes are intercepted or if the client secret is compromised. While `base64` is not encryption, it is used for short-lived codes. Additionally, API keys can be passed via query parameters, increasing the risk of exposure in server logs. The core server application in the `server/` directory does not contain obvious malicious patterns like `eval` or command injection, and uses standard, well-maintained libraries. However, it's important to note that the companion web UI component (`web/components/Markdown.tsx`) present in the same repository utilizes `eval(onClick)` which represents a severe Cross-Site Scripting (XSS) vulnerability if user-supplied content is rendered via this component. This vulnerability is not within the server's core functionality but exists in a part of the repository.
Updated: 2026-01-19
50
84
High Cost

mcp-server-box

by box-community

Sec2

The Box MCP Server provides a Microservice Context Protocol (MCP) interface to interact with the Box API, enabling AI agents and other clients to perform various file, folder, collaboration, metadata, and AI-powered operations on Box content.

Setup Requirements

  • ⚠️Requires extensive Box Custom App configuration (OAuth, CCG, or JWT) via the Box Developer Console, including pre-registering all callback URLs for OAuth flows.
  • ⚠️Heavily relies on environment variables (often from a .env file) for all Box API and MCP server authentication credentials; misconfiguration will lead to startup or runtime errors.
  • ⚠️The `uv` tool is recommended for Python dependency management and execution, which might require an additional setup step for some users.
Review Required
CRITICAL: The server's `/oauth/register` endpoint, when running with `--transport=http` or `--transport=sse`, directly exposes the configured `BOX_CLIENT_ID` and `BOX_CLIENT_SECRET` in its response. This is a severe hardcoded secret exposure, as these credentials should remain confidential. Anyone accessing this public endpoint can retrieve the client ID and client secret, which could then be used for unauthorized access to the Box API or to impersonate the application.
Updated: 2025-12-02
50
83
High Cost

mcp-node

by algolia

Sec9

Enables natural language interaction with Algolia data through Claude Desktop by exposing Algolia APIs via the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires Node.js >= 22.0.0.
  • ⚠️macOS users must manually remove the quarantine flag from the executable to run it (`xattr -r -d com.apple.quarantine <path_to_executable>`). Windows and Linux support is indicated as 'coming soon'.
  • ⚠️Requires an Algolia account and initial authentication via a browser, which is handled locally by the server.
  • ⚠️Requires specific JSON configuration to be added to Claude Desktop settings, followed by a restart of Claude Desktop.
Verified Safe
The server primarily acts as an API proxy for Algolia services. Authentication is handled via a standard OAuth PKCE flow, with access tokens and refresh tokens stored locally in `~/.algolia-mcp/state.json`. API keys generated by the server for Algolia applications are also stored locally. There are no detected uses of `eval` or similar dangerous functions. All network requests are made to legitimate Algolia domains. The reliance on local storage for sensitive credentials implies that the security of the host system is paramount; a compromised local machine could expose these credentials.
Updated: 2026-01-13
50
78
Low Cost
Sec9

The FHIR MCP Server acts as a bridge between AI/LLM tools and FHIR APIs, enabling seamless search, retrieval, and analysis of clinical information.

Setup Requirements

  • ⚠️Requires an accessible FHIR API server to function.
  • ⚠️For local Docker/Docker Compose setups, authorization must be explicitly disabled (`FHIR_SERVER_DISABLE_AUTHORIZATION=True`), a limitation noted to be fixed in future releases.
  • ⚠️Requires configuration of FHIR server details and potentially OAuth client credentials via environment variables for proper operation.
Verified Safe
The server correctly uses environment variables for sensitive configurations like client IDs, secrets, and access tokens, rather than hardcoding them. It also supports OAuth 2.0 Authorization Code Grant flow. The `docker-compose.yml` uses a default password for PostgreSQL, which is only for a local development setup and not a vulnerability in the application itself. A notable configuration aspect is the `FHIR_SERVER_DISABLE_AUTHORIZATION: True` setting for local Docker runs, which disables authentication and should be set to `False` for production deployments requiring secure access.
Updated: 2026-01-09
50
27
Low Cost

Handler

by alDuncanson

Sec8

An A2A (Agent-to-Agent) Protocol client and developer toolkit providing CLI, TUI, local server agent, and MCP server for interacting with AI agents.

Setup Requirements

  • ⚠️Requires Python 3.11+.
  • ⚠️Running the local A2A agent server ('handler server agent') requires Ollama to be installed and running locally, and may prompt to pull models if not available.
  • ⚠️Installation with 'pipx' or 'uv tool install' is recommended for a smooth experience, or 'pip' for standard package management.
Verified Safe
The project handles authentication credentials (API keys, bearer tokens) and stores them in `~/.handler/sessions.json` on the local filesystem. While common for developer tools, this file is not encrypted, making stored credentials vulnerable if the user's home directory is compromised. The `handler server agent` component uses `subprocess.run` to interact with the `ollama` CLI, which is generally safe for its intended use cases (`ollama list`, `ollama pull`) but always carries a minor risk if arguments were less controlled. The `APIKeyAuthMiddleware` for the local A2A server uses `secrets.token_urlsafe` for generating API keys, which is good practice. Local servers (`handler server agent` and `handler server push`) bind to `0.0.0.0` or `127.0.0.1` by default; users should be aware of network exposure when binding to `0.0.0.0` without additional security measures, though the A2A agent supports API key authentication.
Updated: 2026-01-19
50
44
Low Cost

mcpick

by spences10

Sec8

Manages MCP server configurations for Claude Code to optimize context usage and performance by enabling/disabling servers, creating backups, and using profiles.

Setup Requirements

  • ⚠️Requires Node.js 22+.
  • ⚠️Requires Claude Code to be installed and configured on the system.
  • ⚠️If building from source, pnpm is recommended.
Verified Safe
The tool uses `node:child_process.exec` to interact with the `claude` CLI. It includes `shell_escape` for arguments and `is_valid_env_key` for environment variable keys to prevent shell injection during command construction. While `exec` calls are a potential risk vector, the implementation attempts to sanitize user inputs carefully. The overall security also depends on the safety of the `claude` CLI itself and the commands users configure for their MCP servers.
Updated: 2026-01-15
50
83
Medium Cost
Sec7

A Model Context Protocol server providing knowledge graph management capabilities for LLMs to maintain memory across conversations.

Setup Requirements

  • ⚠️For manual installations (e.g., downloading binaries or building from source), users must manually add the server executable's directory to their system's PATH.
  • ⚠️The quick install script (`curl | bash`) is not supported on Windows; Windows users must download the pre-built `.zip` binary and configure their PATH manually.
  • ⚠️For network transports (SSE, Streamable HTTP), authentication is optional and disabled by default. It is critical to enable it using the `--auth-bearer <token>` flag for any non-local deployment.
Verified Safe
The server supports optional Bearer token authentication for network transports (SSE/HTTP), which is crucial for secure deployment. However, this authentication is not enabled by default, and the server itself does not provide TLS encryption. For production environments, it is critical to deploy the server behind a reverse proxy that handles HTTPS and to enable the `--auth-bearer` flag. The `Access-Control-Allow-Origin: *` header on the SSE endpoint further emphasizes the need for robust external authentication. The `install.sh` script, while convenient, downloads and executes a binary via `curl | bash`, which carries inherent supply chain risks.
Updated: 2026-01-19
50
611
Medium Cost

phpMyFAQ

by thorsten

Sec8

The phpMyFAQ MCP Server allows Large Language Models (LLMs) to query a phpMyFAQ installation to provide contextually relevant answers based on its FAQ content, enabling AI assistants to access and utilize the knowledge base.

Setup Requirements

  • ⚠️PHP 8.4+ is required.
  • ⚠️Requires an external database (MySQL, MariaDB, PostgreSQL, Microsoft SQL Server, or SQLite3).
  • ⚠️AI-assisted translation features require API keys for external (potentially paid) translation services (e.g., Google, DeepL, Azure, Amazon).
  • ⚠️If using Elasticsearch or OpenSearch, the host system needs `vm.max_map_count` kernel setting configured to at least 262144.
Verified Safe
The project demonstrates good security practices by separating development and production configurations, using `SensitiveParameter` attributes for sensitive PHP variables, and providing Kubernetes manifests for secure cloud deployment. The MCP server itself is explicitly stated to provide only read access to publicly available FAQ content and respects existing visibility rules. No hardcoded production secrets or `eval()` calls were found in the provided source code. Development Docker configurations contain weak default passwords, but this is explicitly noted for development use only.
Updated: 2026-01-19
50
29
Low Cost

mcp-execution

by bug-ops

Sec9

Transforms any Model Context Protocol (MCP) server into executable, type-safe TypeScript tools for AI agents, enabling progressive loading and achieving significant token savings.

Setup Requirements

  • ⚠️Requires Rust 1.89+ for building from source.
  • ⚠️Requires Node.js 18+ for running generated TypeScript tools.
  • ⚠️Requires user to create/manage `~/.claude/mcp.json` for server configurations.
Verified Safe
The Rust codebase demonstrates robust security practices, including explicit checks against path traversal (e.g., '..'), command injection (forbidden characters in commands/environment variables), and denial-of-service (DoS) protection (file size/count limits). It avoids `unsafe` Rust code. The TypeScript runtime bridge executes user-configured external commands via `child_process.spawn`. While this introduces an inherent risk if the user's `~/.claude/mcp.json` configuration is malicious, the project properly sanitizes parameters passed to these configured commands by JSON stringifying them. It is safe assuming trusted user configuration.
Updated: 2026-01-19
50
87
Medium Cost

mcp-trino

by tuannvm

Sec9

Enables AI assistants to interact with Trino's distributed SQL query engine for data analytics through a standardized Model Context Protocol (MCP) server.

Setup Requirements

  • ⚠️Requires a running Trino cluster for data access.
  • ⚠️Requires Kubernetes 1.19+ and Helm 3.0+ for Helm chart deployments (with EKS specific integrations if using AWS).
  • ⚠️OAuth authentication requires a configured OIDC provider and careful setup of client IDs, secrets, issuer URLs, audience, and redirect URIs; JWT_SECRET is critical for multi-pod deployments.
  • ⚠️Performance for AI queries can be significantly improved by configuring TRINO_ALLOWED_SCHEMAS/CATALOGS/TABLES to restrict the data scope.
Verified Safe
The project demonstrates a high level of security awareness. It includes robust default SQL injection prevention by restricting queries to read-only operations (configurable). OAuth 2.1 authentication is implemented via a dedicated, production-ready library (oauth-mcp-proxy) with features like PKCE, state signing, JWKS validation, and clear security best practices for multi-pod deployments (e.g., requiring JWT_SECRET). Kubernetes deployment configurations emphasize strong security postures with non-root containers, read-only filesystems, dropped capabilities, and network policies. No 'eval', obfuscation, or hardcoded sensitive secrets were found. The `install.sh` script downloads and executes a binary directly from GitHub, a common practice but carries inherent supply chain risks if the GitHub repository itself were compromised.
Updated: 2026-01-19
49
137
Medium Cost

logfire-mcp

by pydantic

Sec5

Enables LLMs to retrieve and analyze application telemetry data (OpenTelemetry traces and metrics) from Pydantic Logfire, including executing arbitrary SQL queries.

Setup Requirements

  • ⚠️Requires 'uv' for installation and execution.
  • ⚠️Requires a Pydantic Logfire read token (LOGFIRE_READ_TOKEN environment variable or --read-token argument).
  • ⚠️Requires LOGFIRE_BASE_URL if running Logfire in a self-hosted environment.
  • ⚠️The server's internal age limit for queries is 210 days, despite the README stating 7 days, which can lead to unexpectedly large and costly queries.
Verified Safe
The `arbitrary_query` tool directly executes user-provided SQL queries via the Logfire API. This introduces a significant attack surface for potential data exfiltration or denial-of-service (DoS) attacks through resource-intensive queries. While the `LOGFIRE_READ_TOKEN` is expected to be read-only, the underlying `logfire.experimental.query_client` is marked as experimental, which might imply potential instability or unhardened security. A critical discrepancy exists where the README states a maximum `age` lookback of 7 days for queries, but the actual code's Pydantic validation allows a lookback of up to 210 days. This significantly extends the window for data extraction and increases the potential for accidentally triggering extremely costly or performance-degrading queries.
Updated: 2026-01-05
49
85
Medium Cost

action_mcp

by seuros

Sec9

ActionMCP is a Ruby gem providing Model Context Protocol (MCP) server capabilities to Rails applications, enabling AI assistants to connect to external data sources and tools.

Setup Requirements

  • ⚠️Requires a Ruby on Rails application (Ruby 3.4.8+/4.0.0+, Rails 8.1.1+).
  • ⚠️Requires a relational database (PostgreSQL, MySQL, or SQLite3) for session, message, and task persistence, involving database migrations during setup.
  • ⚠️Potential for middleware conflicts in existing Rails applications; often requires using a minimal Rack setup (`mcp_vanilla.ru`) to avoid issues with web-specific middleware.
Verified Safe
The project demonstrates strong security awareness, explicitly rejecting STDIO transport for production and focusing on robust network-based deployments. It includes a Gateway system for pluggable authentication (JWT, API Keys, session-based) with input validation, origin header checks, and DNS rebinding protection. Consent management for sensitive tool operations is a key feature. Detailed documentation highlights security best practices like preventing token theft and addressing the 'Confused Deputy Problem'. Middleware conflicts are acknowledged with a `mcp_vanilla.ru` solution, though this can be a friction point for less experienced users if not handled carefully.
Updated: 2026-01-09