Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(9120)

48
73
Medium Cost
heroku icon
Sec7

The Heroku Platform MCP Server enables large language models (LLMs) to interact with and manage Heroku Platform resources through a set of specialized tools.

Setup Requirements

  • ⚠️Requires Heroku CLI version 10.10.0 or higher to be installed globally.
  • ⚠️Requires Node.js version 20 or higher.
  • ⚠️If using the `npx` command to run, the `HEROKU_API_KEY` environment variable must be explicitly set with a Heroku authorization token.
Verified SafeView Analysis
The server uses `execSync` and `spawn` to interact with the Heroku CLI. While this is fundamental to its operation, it carries inherent risks if command inputs are not meticulously sanitized. The project mitigates this by using Zod schemas for input validation and a `CommandBuilder` to construct CLI commands. Sensitive API keys (`HEROKU_API_KEY`) are handled via environment variables, which is a good practice. The `git remote add` command executed via `execSync` takes values from Heroku API responses, which are considered trusted in this context. No hardcoded secrets or obvious malicious patterns were found, and the project is open-source and maintained by Salesforce/Heroku.
Updated: 2026-01-18GitHub
48
204
Low Cost
DataSQRL icon

sqrl

by DataSQRL

Sec5

A build tool and CLI for compiling, running, and testing DataSQRL projects, including the deployment of GraphQL, REST, and Micro-Context Protocol (MCP) API servers, Flink stream processing jobs, and database interactions.

Setup Requirements

  • ⚠️Docker required for full local development/testing environment, orchestrating services like PostgreSQL, Kafka (Redpanda), and Flink.
  • ⚠️Requires `jbang` CLI tool to be installed and available in the system PATH for compiling Java User-Defined Functions (UDFs).
  • ⚠️Requires `rpk` (Redpanda) and `postgresql` binaries for local service management if internal services are enabled and not overridden by external configurations.
  • ⚠️Java 11 or higher Runtime Environment is required.
Review RequiredView Analysis
1. Dynamic Code Generation: The `FlinkExecFunctionFactory` and `CodeGenBridge` classes dynamically generate Flink `FlatMapFunction`s at runtime based on `RexNode` expressions. While `RexNode`s are internal Calcite representations, the security relies heavily on robust validation and sanitization of the initial input to the compiler to prevent code injection vulnerabilities. 2. External Command Execution: The `JBangPreprocessor` invokes the `jbang` CLI tool to compile Java User-Defined Functions (UDFs) into JARs. The `OsProcessManager` also executes `rpk` (Redpanda/Kafka) and `psql` (PostgreSQL) commands. If an attacker can control file paths or arguments passed to these external commands, it could lead to arbitrary command execution. 3. Default Insecure Passwords: `OsProcessManager.java` uses hardcoded default `postgres` username and password for initializing the PostgreSQL database. While this is acceptable for local development/containerized environments, it poses a significant security risk if not explicitly overridden with strong credentials in production deployments. 4. File System Operations: The `FilePreprocessingPipeline` and `Packager` perform various file system operations like copying, creating, and deleting directories. This introduces potential for path traversal vulnerabilities if user-controlled input is used to construct file paths without proper validation. 5. Network Exposure: The server exposes HTTP, GraphQL, REST, and MCP endpoints. While authentication (JWT, OAuth2) and CORS handlers are implemented, the overall security depends on the robustness of these implementations and proper configuration. Overall, the dynamic code generation and external command execution are high-risk areas. The default insecure database credentials make it unsafe for non-development environments.
Updated: 2026-01-19GitHub
48
62
Medium Cost
PSPDFKit icon
Sec7

Integrates Nutrient DWS Processor API with AI assistants for powerful PDF document processing, including digital signing, editing, OCR, and redaction.

Setup Requirements

  • ⚠️Requires a Nutrient DWS API key (Paid service).
  • ⚠️Requires Node.js version 18.0.0 or higher.
  • ⚠️Strongly recommended to enable sandbox mode by setting `SANDBOX_PATH` environment variable; otherwise, file operations are unrestricted and pose a security risk.
Verified SafeView Analysis
The server can operate in a secure, sandboxed mode by setting the `SANDBOX_PATH` environment variable, restricting file operations to a designated directory. Running without sandbox mode allows unrestricted file system access to any location the server process has permissions for, which is explicitly not recommended and poses a significant security risk. No 'eval' or obvious hardcoded secrets were found in the provided source code. The API key is correctly read from environment variables.
Updated: 2026-01-14GitHub
48
3
High Cost
Abhi-vish icon

code-buddy

by Abhi-vish

Sec3

Provides an AI-powered coding companion with comprehensive file system and development tools, integrating with MCP-compatible clients like Claude Desktop.

Setup Requirements

  • ⚠️Requires OpenAI API Key (Paid)
  • ⚠️Requires Python 3.13 or higher
  • ⚠️Requires uv package manager for dependency management
Review RequiredView Analysis
The server includes tools that allow arbitrary command execution (`run_command`, `run_python`, `git`, `docker_tool`), HTTP requests (`http_request_tool`, `curl_tool`), and file system modifications outside the project root if `ALLOW_EXTERNAL_PATHS` is set to `true` (which is its default configuration in the provided example). While `PathValidator` attempts to block access to sensitive files, these tools offer broad system and network access. If the LLM's actions are unconstrained or if a vulnerability allows for command injection, this could lead to arbitrary code execution, data exfiltration, or other severe compromises. Running this server in a tightly controlled and isolated environment is highly recommended.
Updated: 2025-12-08GitHub
48
63
Medium Cost
cap-js icon

mcp-server

by cap-js

Sec7

A Model Context Protocol (MCP) server designed to assist AI models in the development of SAP Cloud Application Programming Model (CAP) applications by providing tools for model analysis and documentation search.

Setup Requirements

  • ⚠️Requires Node.js version 20 or higher.
  • ⚠️Initial Model Download: On first use of embedding-related features (e.g., `search_docs`), the server downloads a multi-megabyte ONNX model and tokenizer files from huggingface.co, requiring an active internet connection and local storage.
  • ⚠️Requires an MCP client (e.g., VS Code extension like Cline, opencode, GitHub Copilot agent mode) to interact with the server.
Verified SafeView Analysis
Potential Path Traversal Vulnerability: The `search_model` tool takes a `projectPath` argument, which is then passed to `cds.resolve` and `findCdsFiles`. The current code does not explicitly sanitize `projectPath` against path traversal attempts, meaning a malicious input could potentially lead to arbitrary file system access if `cds.resolve` or underlying Node.js `fs` operations do not sufficiently mitigate this. The `createEmbeddings` function also performs file I/O using an `id` parameter, which could be a path traversal vector if this function were exposed to untrusted input (currently it's internal to `searchMarkdownDocs` which uses a hardcoded ID, and commented as 'not for production'). No obvious hardcoded secrets or 'eval' usage found. External models are downloaded from trusted sources (HuggingFace, cap.cloud.sap).
Updated: 2025-12-09GitHub
48
34
Medium Cost
rocklambros icon

nist-csf-2-mcp-server

by rocklambros

Sec4

A professional cybersecurity assessment backend API for NIST CSF 2.0, providing real-time dashboards and executive reporting capabilities.

Setup Requirements

  • ⚠️Requires Node.js environment (supports ES Modules).
  • ⚠️Uses a local SQLite database for persistence, requiring careful management for production deployments.
  • ⚠️This repository contains only the backend API; a separate frontend project is needed for a full GUI.
Review RequiredView Analysis
The server demonstrates strong input validation using Zod schemas for most parameters, and includes robust security logging and monitoring features. Authentication mechanisms (JWT, API Key) are implemented but disabled by default in development. However, a critical vulnerability exists: the `generate_report` tool allows a user to specify `output_path` without sufficient path traversal validation. This could enable an attacker to write arbitrary files to sensitive locations on the server (e.g., `/etc/passwd`), potentially leading to remote code execution. This makes the application unsafe to run as-is without remediation.
Updated: 2025-12-06GitHub
48
58
High Cost
mrsimpson icon
Sec7

Manages conversation state and guides LLM coding agents through structured software development workflows with long-term project memory and multi-agent collaboration.

Setup Requirements

  • ⚠️Requires Node.js >=18.0.0
  • ⚠️Requires pnpm >=9.0.0 (specifically pnpm@9.14.2 is noted in lockfile)
  • ⚠️Requires 'Beads' CLI tool (`bd`) for task tracking functionality.
  • ⚠️Requires Git repository initialized for full functionality related to branch management and commit behavior.
Verified SafeView Analysis
The system extensively uses `child_process.execSync` to interact with Git and an external 'Beads' CLI tool. While arguments for these commands appear to be largely internally generated or derived from structured configuration (e.g., workflow names, task IDs), any direct or indirect injection of unsanitized user/LLM input into these commands could pose a security risk. The Express server is used with CORS, indicating network interaction, but no obvious hardcoded secrets or 'eval' usage were found. Proper input validation is critical given the LLM-driven nature.
Updated: 2026-01-19GitHub
48
2
Medium Cost
nirholas icon
Sec8

Extracts, parses, and organizes documentation from websites (llms.txt, install.md) for AI agents, LLMs, and automation workflows, offering structured, agent-ready formats and generation tools.

Setup Requirements

  • ⚠️Anthropic API Key (ANTHROPIC_API_KEY) is required for AI-powered `install.md` generation (paid service).
  • ⚠️Outbound internet access is required for the server to fetch documentation URLs and interact with external APIs (e.g., GitHub, Anthropic).
  • ⚠️GitHub Token is recommended for `install.md` generation from private GitHub repositories or to avoid GitHub API rate limits.
Verified SafeView Analysis
The application inherently performs network requests to arbitrary, user-provided URLs for web scraping and API interactions (e.g., GitHub, sitemaps, llms.txt files). While a `fetchWithTimeout` function is implemented to prevent hanging requests and `User-Agent` headers are set for identification, this type of functionality always carries an inherent risk of Server-Side Request Forgery (SSRF) if not meticulously controlled, though no obvious direct vulnerabilities were identified in the provided snippets. Rate limiting is robustly implemented via a sliding window algorithm and applied across critical API endpoints, which is a strong positive for preventing abuse. Environment variables (`ANTHROPIC_API_KEY`, `ADMIN_KEY`) are correctly used for sensitive information instead of hardcoding. No direct `eval` or other highly dangerous code patterns were found.
Updated: 2026-01-18GitHub
48
21
Medium Cost
PatrickSys icon

codebase-context

by PatrickSys

Sec9

Provides AI coding agents with real-time, context-rich insights into a codebase's patterns, libraries, architecture, and conventions to improve code generation quality and alignment with team standards.

Setup Requirements

  • ⚠️Initial indexing can take several minutes for large codebases (~2-5 mins for 30k files) and requires downloading a ~130MB model for local embedding.
  • ⚠️Requires `OPENAI_API_KEY` if `EMBEDDING_PROVIDER` is set to 'openai' (a paid service).
  • ⚠️Full pattern momentum analysis (rising/declining patterns) depends on the project being a Git repository.
Verified SafeView Analysis
The server primarily operates locally, processing files within the specified project root. External network calls are limited to OpenAI (if configured and `OPENAI_API_KEY` is provided) for embeddings. Local `git log` commands are executed via `child_process.exec`, but arguments are fixed and not user-controlled, mitigating injection risks. No `eval` or obvious obfuscation is present. Overall, risks are well-managed for an on-device code analysis tool.
Updated: 2026-01-18GitHub
48
134
Medium Cost
deepset-ai icon

hayhooks

by deepset-ai

Sec6

Deploy and serve Haystack Pipelines and Agents as REST APIs or MCP Tools, with OpenAI compatibility and Open WebUI integration, including support for RAG systems with file uploads and streaming.

Setup Requirements

  • ⚠️Requires Docker for running Elasticsearch (in RAG example) or for containerized Hayhooks deployment.
  • ⚠️Requires OpenAI API Key (paid service) for many LLM components used in examples and quick start guides.
  • ⚠️Requires Python 3.10+.
Review RequiredView Analysis
The default CORS settings (`HAYHOOKS_CORS_ALLOW_ORIGINS=["*"]`) allow all origins, which is a significant security risk if the server is exposed publicly without tighter controls. The RAG example's `docker-compose.yml` configures Elasticsearch with `xpack.security.enabled=false`, which is suitable only for local development and highly insecure for production environments. Sensitive API keys (e.g., OPENAI_API_KEY) are loaded from environment variables, which is a good practice, but careful management is required.
Updated: 2026-01-15GitHub
48
62
Medium Cost
yywz1999 icon

gdb-mcp-server

by yywz1999

Sec2

Provides an AI-assisted debugging server for GDB using the Model Context Protocol, enabling AI agents to interact with and control GDB sessions.

Setup Requirements

  • ⚠️Requires Python 3.7+ (tested with 3.11).
  • ⚠️Requires platform-specific dependencies like `pexpect` (Linux/macOS), `xdotool` (Linux for keyboard fallback), and `pyautogui` (Windows for keyboard fallback).
  • ⚠️Optimal terminal experience requires iTerm2 on macOS and tmux on Linux.
  • ⚠️A GDB process must be running and accessible in a specific terminal setup for the server to attach and interact reliably.
Review RequiredView Analysis
The server directly injects user-provided commands into underlying system utilities (AppleScript, tmux, pexpect, xdotool, pyautogui) without strong sanitization. This creates significant command injection vulnerabilities. A malicious AI agent or user controlling the `command` parameter could execute arbitrary shell commands or send arbitrary keystrokes to the host system, potentially impacting any active window. The server's reliance on 'send-keys' or 'write text' via terminal automation tools is inherently risky as it can simulate user input to any active application.
Updated: 2025-11-27GitHub
48
32
Low Cost
Kastalien-Research icon

thoughtbox

by Kastalien-Research

Sec9

Provides a durable, local-first reasoning ledger and structured cognitive tools for AI agents, enabling step-by-step thinking, branching, revisions, and autonomous critique, with progressive tool disclosure and client compatibility adaptations.

Setup Requirements

  • ⚠️Requires Node.js 22+ to be installed on the system.
  • ⚠️Requires specific JSON configuration to integrate with supported MCP clients (e.g., Claude Code, GitHub Copilot).
  • ⚠️The 'thoughtbox_gateway' tool is frequently needed for clients that don't refresh tool lists mid-turn (e.g., streaming HTTP clients).
Verified SafeView Analysis
The server is designed for local-first use and incorporates robust input validation (`sanitizePath`, `validateFilename`) in the notebook component to mitigate path traversal and similar file-system based vulnerabilities when executing user-defined code. External process execution (`spawn` for Node.js, npm, tsx) is performed with explicit commands and arguments, reducing the risk of shell injection. There are no overt hardcoded secrets. While the Observatory component allows for flexible CORS configuration (including `*`), this is an opt-in setting in an optional, typically local, monitoring tool. Overall, the source code indicates a conscious effort towards security for its intended use case.
Updated: 2026-01-19GitHub
PreviousPage 60 of 760Next