Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(9120)

49
80
Medium Cost
spences10 icon

mcp-n8n-builder

by spences10

Sec9

Programmatic creation and management of n8n workflows by AI assistants via the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires a running n8n instance accessible via its REST API.
  • ⚠️Requires an n8n API key for authentication.
  • ⚠️Careful configuration of `N8N_HOST` is needed; setting it to 'http://localhost:5678' (without '/api/v1') is likely the correct approach to avoid double '/api/v1' in the URL, despite README examples.
Verified SafeView Analysis
The source code does not contain 'eval' or obvious obfuscation. Secrets (N8N_API_KEY) are correctly handled via environment variables. Network requests are made to a configurable n8n host. A critical functional note: The N8N_HOST environment variable configuration examples in the README are contradictory to the code's API client implementation. If N8N_HOST is set to include '/api/v1' (e.g., 'http://localhost:5678/api/v1') as per README examples, the client will incorrectly construct URLs as 'http://localhost:5678/api/v1/api/v1/...' causing API calls to fail. N8N_HOST should ideally be set without '/api/v1' (e.g., 'http://localhost:5678') as the client appends it.
Updated: 2026-01-15GitHub
49
282
Medium Cost
minthcm icon

minthcm

by minthcm

Sec2

Human Capital Management (HCM) system with employee management, appraisals, and task management functionalities, leveraging a CRM-based backend.

Setup Requirements

  • ⚠️Requires PHP version 8.0.0 to 8.2.99. Other versions are not supported.
  • ⚠️Requires Node.js and npm for building the Vue.js frontend application.
  • ⚠️Requires specific file system permissions for the `legacy` directory and `.htaccess` file to allow read/write access.
  • ⚠️Requires a running Elasticsearch instance with connectivity details (host, port, credentials).
Review RequiredView Analysis
The server's source code contains multiple instances of `eval()` calls within core functionalities like KReports (`legacy/modules/KReports/KReport.php`, `legacy/modules/AOR_Reports/AOR_Report.php`) and AOW_WorkFlow (`legacy/modules/AOW_WorkFlow/AOW_WorkFlow.php`). If user input can influence the `$formula` variable or other dynamically evaluated strings, these can lead to severe Remote Code Execution (RCE) vulnerabilities. While some SQL queries appear to use parameterized statements (`$db->quoted()`, `$db->implodeQuoted()`), the presence of `eval()` makes the system highly susceptible to attacks. The installer (`install/Installer.php`, `legacy/install/install_utils.php`) uses `exec()` and `chmod()` for file system operations, which, while standard for installation, could be risky if not executed in a controlled environment. The `api/lib/Search/ElasticSearch/Operators/QueryString.php` uses a wildcard search which might be prone to injection if input is not fully sanitized for Elasticsearch. Overall, the direct use of `eval()` presents a critical security flaw.
Updated: 2026-01-19GitHub
49
45
High Cost
w31r4 icon

codex-mcp-go

by w31r4

Sec9

Wraps the OpenAI Codex CLI as an MCP tool, enabling AI clients like KiloCode, Roo Code, and Claude Code to utilize Codex for high-precision coding tasks, debugging, and code reviews within an agentic workflow.

Setup Requirements

  • ⚠️Requires OpenAI's 'codex' CLI installed and configured globally (e.g., via npm).
  • ⚠️Requires an OpenAI API Key configured for the underlying 'codex' CLI.
  • ⚠️Building from source requires Go 1.24+.
Verified SafeView Analysis
The server executes the external 'codex' CLI command with strict input validation for parameters like 'cd' (working directory) and 'sandbox'. The 'sandbox' parameter is explicitly validated against a whitelist of safe modes (read-only, workspace-write, danger-full-access), defaulting to 'read-only'. Critically, 'model' and 'profile' parameters are explicitly rejected by the wrapper unless an allowlist is enabled (which is not present in the provided code), preventing potential misuse of alternative configurations for the underlying 'codex' CLI. Prompts for Windows are escaped to prevent shell injection. The primary security consideration remains the trusted integrity of the underlying 'codex' CLI itself and the cautious use of 'danger-full-access' by the controlling AI, which the project's recommended prompts strongly discourage.
Updated: 2025-12-27GitHub
49
65
Medium Cost
dnnyngyen icon

iron-manus-mcp

by dnnyngyen

Sec9

Orchestrates AI workflows with an 8-phase control flow and focused tools, acting as a Model Context Protocol (MCP) server for complex project management.

Setup Requirements

  • ⚠️Requires Node.js 20+ runtime environment.
  • ⚠️Requires a Python 3+ installation with data science libraries (e.g., pandas, numpy, scikit-learn, requests, beautifulsoup4) for computational tasks.
  • ⚠️Network access to external APIs may be required, subject to ALLOWED_HOSTS configuration.
Verified SafeView Analysis
The server demonstrates strong security practices including explicit Server-Side Request Forgery (SSRF) protection with allowlists, robust input validation using Zod schemas, and a Python code validator to sanitize user-provided scripts, mitigating common injection risks. It relies on environment variables for configuration, avoiding hardcoded secrets, and includes a runtime protection mechanism to remove legacy, potentially insecure JSON files. The inherent risk of executing arbitrary (albeit sanitized) Python code and making external API calls is managed but cannot be entirely eliminated.
Updated: 2026-01-19GitHub
49
51
Medium Cost
iceener icon
Sec8

This server allows Language Models (LLMs) to interact with Linear.app, managing issues, projects, teams, cycles, and comments through a streamable HTTP Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires Bun or Node.js 24+ and a Linear.app account.
  • ⚠️For 'Local (API key)' setup, a Linear Personal Access Token (`BEARER_TOKEN`) is required.
  • ⚠️For 'Local + OAuth' setup, requires creating a Linear OAuth application and configuring `PROVIDER_CLIENT_ID`, `PROVIDER_CLIENT_SECRET`, `OAUTH_SCOPES`, `OAUTH_REDIRECT_URI`, and `OAUTH_REDIRECT_ALLOWLIST`.
  • ⚠️For production deployments, `RS_TOKENS_ENC_KEY` is highly recommended for encrypted token storage to prevent tokens from being stored in plaintext.
Verified SafeView Analysis
The codebase demonstrates good security practices including AES-256-GCM encryption for token storage (using Web Crypto API or Node.js crypto), secure file permissions (0o600 for files, 0o700 for directories), and input validation. It implements origin and protocol version validation for MCP requests. The README explicitly warns about hardening for production deployments, indicating awareness of remaining responsibilities for the deployer. Sensitive data redaction is also applied in logging. A key risk factor is if `RS_TOKENS_ENC_KEY` is not provided in production, leading to unencrypted token storage (which the server warns about).
Updated: 2026-01-14GitHub
49
93
Low Cost
wanaku-ai icon

wanaku

by wanaku-ai

Sec4

Centralized routing and management of AI agent access to diverse tools and resources via the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires a running Keycloak instance for all authentication and authorization.
  • ⚠️The default 'exec' tool can execute arbitrary system commands; extreme caution is advised, and it should be disabled or tightly controlled in production.
  • ⚠️Building custom capabilities (tools/resource providers) often requires familiarity with Apache Camel and gRPC development.
Review RequiredView Analysis
The 'exec' tool, available by default, allows arbitrary command execution without input validation, posing a severe remote code execution risk. Proper OIDC authentication with Keycloak is implemented, but requires careful configuration (e.g., enabling TLS verification in production). Secret encryption at rest is supported but must be explicitly enabled with environment variables.
Updated: 2026-01-14GitHub
48
47
Medium Cost
mcp-use icon

mcp-use-cli

by mcp-use

Sec4

An interactive command-line interface (CLI) tool for connecting to and interacting with Model Context Protocol (MCP) servers using natural language, acting as an AI client that orchestrates LLM responses with external tools.

Setup Requirements

  • ⚠️Requires API keys for chosen LLM providers (e.g., OpenAI, Anthropic, Google), most of which are paid services.
  • ⚠️For local MCP servers, execution relies on `npx` (Node.js Package Executor) and specific `@modelcontextprotocol/*` packages, which might be auto-installed but incur runtime dependencies.
  • ⚠️The `mcp-use` core dependency lists Node.js >=22.0.0 as an engine requirement, potentially conflicting with the CLI's own Node.js >=16 requirement.
Review RequiredView Analysis
The CLI stores API keys and server configurations in a local file (`~/.mcp-use-cli/config.json`) with client-side encryption. However, the encryption key is deterministically derived from hardcoded strings, making it vulnerable to decryption by anyone with access to the source code. A critical risk lies in the core functionality allowing users to add 'Local Server' configurations that specify arbitrary commands and arguments (e.g., `npx @modelcontextprotocol/server-filesystem`). While intended for tool integration, this design means that loading a malicious server configuration could lead to arbitrary code execution on the user's machine, requiring users to fully trust the source of all added MCP server configurations. Telemetry is collected via Scarf, with opt-out options.
Updated: 2025-11-24GitHub
48
73
Medium Cost
Qoyyuum icon
Sec8

Allows AI assistants to control MetaTrader 5 terminal for trading operations and market data analysis.

Setup Requirements

  • ⚠️Requires MetaTrader 5 terminal installed on Windows.
  • ⚠️Python 3.11 or higher is required.
  • ⚠️The 'uv' package manager is recommended for dependency management and running the server.
Verified SafeView Analysis
The server primarily acts as a bridge to a local MetaTrader 5 terminal. It uses environment variables (loaded via python-dotenv) for its own transport configuration, which is a good practice. Input to trading tools (like order_send) is validated using Pydantic models. There are no obvious signs of 'eval', obfuscation, or malicious network patterns. The server can run in stdio mode (default, generally safer for local client interaction) or HTTP mode (configurable to localhost for development). The primary security risk lies in improper usage by the end-user (e.g., connecting to live trading accounts without robust risk management, exposing the HTTP endpoint publicly) rather than inherent code vulnerabilities. The test_client.py has hardcoded fallback credentials, but this is for a test script and not the main server runtime logic.
Updated: 2026-01-19GitHub
48
116
Medium Cost
MariaDB icon

mcp

by MariaDB

Sec9

Provides a Model Context Protocol (MCP) interface for managing and querying MariaDB databases, supporting standard SQL operations and advanced vector/embedding-based search for AI assistants.

Setup Requirements

  • ⚠️Requires a running MariaDB server instance.
  • ⚠️Requires Python 3.11 or newer.
  • ⚠️If embedding features are enabled (`EMBEDDING_PROVIDER` is set), requires API keys for OpenAI/Gemini (paid services) or a configured HuggingFace model which might involve large model downloads.
  • ⚠️For network transports (SSE/HTTP) outside localhost, authentication needs to be explicitly configured for security (not provided by default, but FastMCP supports it).
Verified SafeView Analysis
The server implements strong security practices by explicitly disabling 'MULTI_STATEMENTS' in database connections to prevent SQL injection, as verified by automated tests. It uses parameterized queries for user-supplied values and validates database/table names using `isidentifier()` before string interpolation. A configurable read-only mode restricts write operations. CORS and Trusted Host middleware are used for HTTP transports, and sensitive credentials are loaded from environment variables or .env files, not hardcoded. No 'eval' or similar dangerous functions are found.
Updated: 2026-01-05GitHub
48
303
Medium Cost
tinystruct icon

tinystruct

by tinystruct

Sec3

Provides a framework for building and interacting with AI models, managing tools, data resources, and prompts via the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires Java Runtime Environment (JRE/JDK).
  • ⚠️Requires careful management of the `mcp.auth.token` for secure server access.
  • ⚠️Potential dependency on Redis for distributed locking (`DistributedRedisLock.java`) or other data storage (`tinystruct.data`) which may need to be running and configured.
Review RequiredView Analysis
CRITICAL: The framework includes functionality for arbitrary code execution via `ScriptEngine.eval()` in `DefaultTemplate.java` and command injection via `Runtime.getRuntime().exec()` in `Dispatcher.java`. If user-controlled input reaches these functions, it can lead to severe security vulnerabilities. The MCP server component itself implements an authentication token mechanism (`mcp.auth.token`), which is a good practice, but the underlying framework elements present significant risks if not carefully managed or disabled in production environments. Default Redis URI is localhost:6379, which is safe for local development but risky if exposed publicly without authentication.
Updated: 2026-01-15GitHub
48
2
Low Cost
IntranetFactory icon

hono-oauth-mcp

by IntranetFactory

Sec8

A Hono-based Model Context Protocol (MCP) server that integrates with any MCP-compliant OAuth2 server for authentication, deployable across Supabase Edge Functions, Cloudflare Workers, and Deno Deploy.

Setup Requirements

  • ⚠️Requires Supabase CLI for local development and deployment to Supabase Edge Functions.
  • ⚠️Requires Deno runtime installed for local development and deployment to Deno Deploy.
  • ⚠️Older versions of MCP Inspector (pre-January 2026) may not correctly handle the `resource_metadata` parameter in WWW-Authenticate headers when the metadata endpoint is at an uncommon path, though Claude Desktop/Web are noted to handle this correctly.
Verified SafeView Analysis
The server's bearer token verification (`verifyToken: (token: string) => { return !!token; }`) only checks for the presence of a token, not its validity. This design relies on a downstream service (e.g., Supabase PostgREST) or the OAuth client's interaction with the authorization server to perform actual JWT validation. For Supabase Edge Functions, `verify_jwt = false` is explicitly set, confirming this delegated security model. The `cors` configuration is permissive (`origin: (origin) => origin`), which may need tightening in production environments depending on direct browser access requirements. No 'eval', hardcoded secrets, or malicious patterns were found in the provided source code.
Updated: 2026-01-17GitHub
48
100
Low Cost
aashari icon
Sec2

Connects AI assistants (LLMs) to Atlassian Bitbucket repositories for code review, repository management, and workflow automation via the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires Node.js 18.0.0 or higher.
  • ⚠️Requires a Bitbucket Cloud account (not Bitbucket Server/Data Center).
  • ⚠️Requires manual generation of authentication credentials: either a Scoped API Token (recommended, using ATLASSIAN_USER_EMAIL + ATLASSIAN_API_TOKEN) or a Bitbucket App Password (legacy, using ATLASSIAN_BITBUCKET_USERNAME + ATLASSIAN_BITBUCKET_APP_PASSWORD), set as environment variables or in a `~/.mcp/configs.json` file.
  • ⚠️The `bb_clone` tool performs `git clone` to the local filesystem, which requires appropriate file system permissions and disk space on the machine running the server.
Review RequiredView Analysis
CRITICAL: The `bb_clone` tool executes `git clone` shell commands using user-supplied `repoSlug` and `targetPath` parameters. Although `path.join` is used and the `targetDir` is quoted in the shell command, direct execution of external commands with user-controlled input can be vulnerable to shell injection (Remote Code Execution) if malicious characters can escape the quoting. This risk is amplified when connected to AI agents, which may generate unexpected or exploitable input strings. Further input sanitization or using a Git library instead of shell execution for cloning would significantly improve security. Network requests (fetch) also log raw responses to `/tmp`, which could contain sensitive data if the host system is compromised.
Updated: 2026-01-07GitHub
PreviousPage 59 of 760Next