Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

Vetted Servers (7756)

43
39
Low Cost
Sec9

Provides comprehensive cryptocurrency analysis, including real-time price data, market insights, and historical trends using the CoinCap API.

Setup Requirements

  • ⚠️CoinCap's v2 API is sunsetting; an API key (for v3) is highly recommended for continued functionality and higher rate limits.
  • ⚠️Requires Node.js (version >=18.0.0, as per package.json engines field) to run.
  • ⚠️Initial setup involves adding configuration to a Claude Desktop config file or setting environment variables for the API key.
Verified Safe
The source code uses Zod for robust input validation, which helps prevent common injection vulnerabilities. API keys (`COINCAP_API_KEY`) are loaded from environment variables or client configuration, preventing hardcoding of sensitive credentials. Network requests are handled via standard `fetch`. There are no explicit uses of `eval` or other dangerous dynamic code execution patterns. The caching mechanism is internal to the server and does not pose a significant external risk.
Updated: 2025-12-07
43
22
Low Cost

mcp-server-starter-ts

by alexanderop

Sec6

A minimal TypeScript starter template for building Model Context Protocol (MCP) servers, enabling AI applications to connect with data sources and tools through a standardized interface.

Setup Requirements

  • ⚠️Requires Node.js version 20.11.0 or higher.
  • ⚠️Requires compiling TypeScript code (`npm run build`) before running the server.
  • ⚠️A manual MCP protocol handshake (initialize request + initialized notification) is required for full functionality when interacting with the server directly via stdio or custom clients.
Verified Safe
The server defaults to allowing all CORS origins (`CORS_ORIGIN=*`) when run in HTTP mode. While configurable via environment variables, this default setting poses a significant security risk (e.g., CSRF vulnerabilities) for production deployments and should be restricted to known, trusted origins. No other direct 'eval', hardcoded secrets, or command injection vulnerabilities were found in the provided source code. Input validation for tools and prompts is handled using Zod schemas.
Updated: 2025-12-10
43
18
Medium Cost

mcp-security-scanner

by sidhpurwala-huzaifa

Sec8

A Python-based penetration testing tool designed to scan and identify vulnerabilities in Model Context Protocol (MCP) servers.

Setup Requirements

  • ⚠️Requires Python version 3.10 or higher.
  • ⚠️Requires a running MCP server to scan (a deliberately insecure test server is provided, but needs to be started separately).
  • ⚠️Experimental SSE transport is discontinued in the latest MCP version and may not work as expected.
Verified Safe
The project itself is a security scanner designed to identify vulnerabilities. It includes an `insecure-mcp-server` component which is *deliberately insecure* for testing purposes. Running the scanner (`mcp-scan`) against a target is generally safe, as it performs non-destructive checks. However, the `insecure-mcp-server` should only be run in isolated, controlled environments (e.g., locally on 127.0.0.1 as demonstrated) and never exposed publicly, as it contains known vulnerabilities. No obvious obfuscation or direct 'eval' use in the scanner is indicated, and it operates by sending structured RPC requests.
Updated: 2025-11-17
43
22
Medium Cost

This server acts as a wrapper around a Salesforce database, providing focused tools like semantic search of case summaries and retrieval of case details to LLMs via the Model Context Protocol.

Setup Requirements

  • ⚠️Requires OpenAI API Key (Paid) for embedding generation.
  • ⚠️Requires access to a configured TimescaleDB (PostgreSQL) database with Salesforce data (case summaries, details, email messages).
  • ⚠️Requires Node.js and npm for development and execution.
Verified Safe
The server uses environment variables for sensitive credentials (database, OpenAI API key), which is a good practice. PostgreSQL queries are parameterized, preventing common SQL injection attacks. Input validation is performed using Zod schemas for API endpoints. No `eval` or other highly dangerous dynamic code execution patterns are observed. The code follows common boilerplate for secure Node.js applications.
Updated: 2025-12-02
43
37
Low Cost

Enables AI assistants (like Claude) to directly control and interact with DaVinci Resolve for video editing and post-production tasks via the Model Context Protocol.

Setup Requirements

  • ⚠️Requires DaVinci Resolve Studio (version 17 or higher) - a paid, professional software.
  • ⚠️Requires the `mcp` CLI tool for installation.
  • ⚠️Requires Claude Desktop or 5ire for AI integration.
Review Required
CRITICAL: The `execute_python` tool allows arbitrary Python code execution on the host machine, granting full system access if the AI or client is compromised or misused. The `execute_lua` tool similarly allows arbitrary Lua script execution within DaVinci Resolve's Fusion environment. This constitutes a severe security vulnerability.
Updated: 2025-12-06
43
31
Low Cost

typingmind-mcp

by TypingMind

Sec7

A server for managing and integrating Model Context Protocol (MCP) servers with TypingMind, enabling custom AI model connections.

Setup Requirements

  • ⚠️Requires an authentication token provided by TypingMind.
  • ⚠️Requires Node.js v14 or later if not run via Docker.
  • ⚠️Default server ports 50880 or 50881 must be available, or a custom port must be specified via the PORT environment variable.
Verified Safe
The server requires an authentication token for all API endpoints, which is a good security practice. HTTPS support is available. The `/mcp-connect` proxy endpoint, while authenticated, could be an SSRF vector if the authentication token is compromised, as it allows arbitrary URL fetching from the server's perspective. It's crucial to protect the `AUTH_TOKEN`.
Updated: 2025-11-17
43
4
Medium Cost

rest-to-mcp-adapter

by pawneetdev

Sec9

Transforms REST API specifications (OpenAPI, Swagger, OpenAPI Actions) into Model Context Protocol (MCP) tools, enabling AI agents like Claude and GPT to interact with any REST API.

Setup Requirements

  • ⚠️Requires Python 3.11+ (as stated in README).
  • ⚠️Currently in beta status (v0.1.0), meaning the API may evolve and require updates.
  • ⚠️Requires users to provide API keys, bearer tokens, or other credentials for most real-world API integrations.
Verified Safe
The codebase demonstrates good security practices including `yaml.safe_load`, proper JSON parsing, robust URL validation, and explicit handling of circular `$ref` references during spec dereferencing. It explicitly advises against logging credentials and recommends secure storage (e.g., environment variables). External `$ref` support is intentionally disabled due to security considerations. Authentication parameters are automatically filtered from user-facing tool schemas.
Updated: 2025-11-27
43
33
Medium Cost
Sec3

A Model Context Protocol (MCP) server designed to expose a wide range of Teradata database functionalities as AI-driven tools, including data quality assessment, SQL optimization, vector store operations, backup/restore, and chat completion, enabling LLMs to interact with and manage Teradata systems.

Setup Requirements

  • ⚠️Requires access to a running Teradata database, configured via `DATABASE_URI` environment variable.
  • ⚠️Specific Teradata database features (e.g., `CompleteChat` UDF, IVSM/ONNX embedding models, Teradata 20.0 with vector data type) are required for full functionality of AI/ML tools.
  • ⚠️Default credentials for the DSA API (Backup/Restore tools) are 'admin:admin', which must be overridden in a production environment via environment variables (`DSA_USERNAME`, `DSA_PASSWORD`).
  • ⚠️Python dependencies from `requirements.txt` must be installed (`uv sync` or `pip install -r`).
Review Required
Several tools construct SQL queries using f-strings or direct string concatenation with user-provided parameters (e.g., `database_name`, `table_name`, `column_name`, or full `sql` string), presenting a significant SQL injection vulnerability if input is not perfectly sanitized or if an LLM generates malicious SQL. The `eval()` function is used in `utils.py` for type resolution; although it runs in a restricted namespace, it still carries a minimal risk. The DSA client defaults to weak 'admin:admin' credentials, posing a high security risk if not overridden. Options to disable SSL verification (`ignore_https_verification`) are present, which can lead to insecure deployments.
Updated: 2025-12-10
43
32
Medium Cost

plane-mcp-server

by kelvin6365

Sec9

Enables LLMs to interact with Plane.so to manage projects and issues through its API, facilitating project management workflows.

Setup Requirements

  • ⚠️Requires a Plane.so API Key and Workspace (obtained from a Plane.so account)
  • ⚠️Requires Node.js 22.x or higher
Verified Safe
The server securely loads API keys and workspace slugs from environment variables, preventing hardcoding. It explicitly checks for the presence of required environment variables (`PLANE_API_KEY`, `PLANE_WORKSPACE_SLUG`). Input schemas are defined for tools, and additional runtime checks are performed on critical arguments like `project_id`. The `create-issue` and `update-issue` tools include robust logic to handle potentially malformed `assignees` input from LLMs, reducing the risk of invalid data being sent to the Plane API. All external API calls are made using `fetch` with proper error handling. No `eval` or other dynamic code execution is observed.
Updated: 2025-12-06
43
33
Medium Cost

codelogic-mcp-server

by CodeLogicIncEngineering

Sec9

Integrates CodeLogic's rich software dependency data with AI programming assistants via the Model Context Protocol (MCP) to provide code and database impact analysis.

Setup Requirements

  • ⚠️Requires CodeLogic Server Host, Username, Password, and Workspace Name (proprietary CodeLogic API access).
  • ⚠️Python 3.13 or higher required.
  • ⚠️Requires Astral UV for installation and execution.
  • ⚠️Requires CodeLogic API version 25.10.0 or greater (for server versions 0.4.0+).
Verified Safe
Authentication credentials (username/password) are retrieved from environment variables, which is a standard practice for handling secrets. Network calls use httpx with configured timeouts and retries. No 'eval' or other direct dynamic code execution patterns were found. The server relies on an external CodeLogic API, meaning its overall security depends on that external service.
Updated: 2025-12-02
43
15
High Cost

justcall-mcp-server

by saaslabsco

Sec7

Enables Large Language Models (LLMs) and AI agents to make real-world voice calls and send SMS through JustCall’s APIs by providing a function-calling interface.

Setup Requirements

  • ⚠️Requires a JustCall API Key and Secret, obtainable from the JustCall dashboard.
  • ⚠️Requires an LLM client that supports the Model Context Protocol (e.g., Claude Desktop/Web, ChatGPT Plus/Pro/Business/Enterprise).
  • ⚠️Optimal deployment is designed for Cloudflare Workers, but it can also run as a Docker container.
Verified Safe
The server relies on the Model Context Protocol (MCP) SDK and acts as a proxy to the JustCall API. It enforces the presence of a 'Bearer' token in the Authorization header for protected endpoints (/mcp, /sse, /sse/message). However, the server itself does not perform intrinsic validation of the token's content (e.g., JWT signature verification or API key validity). This crucial validation is delegated to the downstream JustCall API. Assuming the JustCall API's authentication is robust, the overall system is secure. No 'eval', obfuscation, or obvious malicious patterns were found in the provided source code. Hardcoded secrets are avoided by using environment variables as a fallback for API credentials.
Updated: 2025-12-10
43
47
Medium Cost

flapi

by DataZooDE

Sec8

A high-performance C++ server application, potentially providing an API or control plane functionality, leveraging DuckDB for embedded data management and possibly interacting with AI agents or large language models.

Setup Requirements

  • ⚠️Docker engine required to run the server via Docker.
  • ⚠️The Docker image named 'flapi' must be built first using `docker build -t flapi .`.
  • ⚠️External API keys (e.g., for Claude AI) may be required for full functionality, depending on configuration.
Verified Safe
The project is written in C++ using robust tools (CMake, vcpkg). As a server, it will inherently expose network ports. The presence of 'AGENTS.md' and 'CLAUDE.md' suggests potential integration with external AI APIs, which could introduce data handling and supply chain risks if not properly secured.
Updated: 2025-11-18