Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.


Vetted Servers (9120)

43
34
Medium Cost

webscraping-ai-mcp-server

by webscraping-ai

Sec8

Integrates with WebScraping.AI to provide LLM-powered web data extraction, including question answering, structured data extraction, and HTML/text retrieval, with advanced features like JavaScript rendering and proxy management.

Setup Requirements

  • ⚠️Requires WebScraping.AI API Key (Paid service)
  • ⚠️Requires Node.js (>=18.0.0)
  • ⚠️Specific JSON configuration files required for integration with AI agents like Cursor or Claude Desktop.
Verified Safe
The server itself does not execute user-provided code on the host. The 'js_script' parameter is sent to the external WebScraping.AI API for execution within their headless browser environment. The 'ContentSanitizer' is a positive security feature, wrapping scraped content with clear boundaries to protect against prompt injection into connected LLMs. A minor concern is 'JSON.parse(error.message)' for API errors, which could theoretically be a vector if the external API's error messages are crafted maliciously, but its impact is limited to formatting error output, not code execution. Overall, it implements reasonable safeguards for its function.
Updated: 2025-11-24
43
29
Medium Cost

mcp-server

by HuaweiCloudDeveloper

Sec7

Enables AI assistants to manage Huawei Cloud resources via a Model Context Protocol server for conversational AI workflows.

Setup Requirements

  • ⚠️Requires Huawei Cloud Access Key (AK) and Secret Key (SK) configured as environment variables (HUAWEI_ACCESS_KEY, HUAWEI_SECRET_KEY).
  • ⚠️Requires Python 3.10+ installed on the system.
  • ⚠️Each Huawei Cloud service (e.g., ECS, VPC) corresponds to a distinct MCP server that needs to be run individually or specifically targeted.
Verified Safe
Requires sensitive Huawei Cloud API keys (AK/SK) as environment variables. The server acts as a proxy for AI models to manage cloud resources, requiring careful consideration of access control for both the server and the interacting AI models. Standard network security practices (firewall, access control) are crucial if exposed beyond localhost.
Updated: 2025-11-18
43
8
Low Cost

magento-graphql-docs-mcp

by florinel-chis

Sec8

Provides tools to search and retrieve Magento 2 GraphQL API documentation from local markdown files, aiding development and coding agents.

Setup Requirements

  • ⚠️Requires local cloning of the AdobeDocs/commerce-webapi repository for documentation source.
  • ⚠️Python 3.10 or higher is required.
  • ⚠️The documentation path (`MAGENTO_GRAPHQL_DOCS_PATH`) must be explicitly configured via environment variable, symlink, or by cloning the documentation repo as a sibling directory.
Verified Safe
The server primarily processes local markdown files and uses `stdio` by default. An optional HTTP/SSE transport can be configured, which if bound to `0.0.0.0` (configurable), would expose the server on the network. The `docker/entrypoint.sh` performs a `git clone` of the AdobeDocs repository, which relies on the integrity of that upstream source. No obvious malicious patterns like `eval` or direct code execution from arbitrary content are present. The extraction of GraphQL elements uses regex, not a full parser, which is generally safer than executing unknown schemas.
Updated: 2025-11-24
43
16
Medium Cost

devduck

by cagataycali

Sec6

This project serves as a GitHub Action or an agent-based system designed for automating development workflows, potentially integrating with AWS using OIDC for authentication.

Setup Requirements

  • ⚠️Requires Python environment setup and dependencies from `requirements.txt`.
  • ⚠️Requires an AWS account with OIDC configured for authentication.
  • ⚠️Designed to run within a GitHub Actions environment if used as an action.
Review Required
The presence of `agent_runner.py` and `action.yml` suggests code execution capabilities, and `setup-aws-oidc.sh` implies handling sensitive AWS credentials. Without code review, potential risks include arbitrary code execution vulnerabilities and improper credential management, especially in a CI/CD context.
Updated: 2025-11-18
43
11
Low Cost

wdk-mcp

by dieselftw

Sec2

A local-first server providing seed and wallet management, balance reads, and transaction sending for cryptocurrency development, optionally exposed via ngrok for remote LLMs.

Setup Requirements

  • ⚠️Requires the Bun runtime environment.
  • ⚠️Sensitive wallet data (including seed phrases) and API keys are stored unencrypted in a local JSON file (`wdk-data.json`), posing a significant security risk for actual asset management.
  • ⚠️The codebase explicitly uses `wdk-wallet-solana`, indicating a focus on Solana chain operations, despite the README's statement 'EVM/ETH-focused flows only', which may be a point of confusion or a future development intent.
Review Required
The primary critical security risk is that the `wdk-data.json` data store is explicitly noted as 'not encrypted at rest (yet)'. This means sensitive information like seed phrases and API keys is stored in plain JSON, making it vulnerable if the local machine is compromised. The `encrypt` and `decrypt` stubs in `WalletConfigManager` confirm this is a known, unaddressed issue. While intended for local development, this flaw exposes users to high risk if not adequately secured by other means. Users should be aware of this significant data-at-rest vulnerability. No hardcoded secrets were found in the provided code, but `NGROK_AUTHTOKEN` is read from environment variables, which is standard practice.
Updated: 2025-11-27
43
23
Medium Cost

xc-mcp

by conorluddy

Sec8

Provides an intelligent MCP server for Xcode and iOS simulator workflows, optimized for AI agents to automate iOS development and testing tasks efficiently.

Setup Requirements

  • ⚠️Requires Node.js (18+ recommended) and npm/npx installed.
  • ⚠️Requires Xcode Command Line Tools to be installed and configured (`xcode-select --install`).
  • ⚠️Requires `idb` (Facebook IDB) and its `idb_companion` service to be installed and running (e.g., `brew install idb-companion`).
  • ⚠️Requires `sips` (macOS default image processing tool) for screenshot optimization.
Verified Safe
The server executes external `xcrun simctl` and `idb` commands via `child_process.exec` and `child_process.spawn`. While comprehensive input validation and shell escaping (`isSafePath`, `isValidBundleId`, `isValidUdid`) are implemented to mitigate command injection, the inherent nature of wrapping powerful command-line tools poses a risk if these mitigations were bypassed or found to be incomplete. The server uses `StdioServerTransport`, limiting external network attack surface, and persistence is to local, user-controlled directories, reducing broader system compromise risk. No hardcoded secrets or 'eval' statements were found.
Updated: 2025-12-08
43
34
Medium Cost
Sec9

Provides current and historical weather, air quality, and timezone information via an MCP server, integrating with the Open-Meteo API.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️For HTTP modes (SSE or Streamable HTTP), `starlette` and `uvicorn` dependencies are required (though typically installed with `pip install mcp_weather_server` for basic setup, specific instructions recommend explicit install for HTTP modes).
  • ⚠️Relies on `tzdata` for comprehensive timezone support, which might have platform-specific installation considerations, especially on Windows.
Verified Safe
The server uses `httpx` for external API calls, `starlette` and `uvicorn` for HTTP modes, which are standard and robust libraries. No hardcoded API keys are visible; the server explicitly states it uses free Open-Meteo APIs requiring no keys. Input validation for tool arguments is present via `validate_required_args`. CORS is enabled for HTTP modes. No `eval` or blatant obfuscation detected.
Updated: 2025-12-13
43
34
Medium Cost
Sec9

A comprehensive Model Context Protocol (MCP) server that enables AI assistants to interact with Yandex Tracker APIs for issue, queue, user, and workflow management.

Setup Requirements

  • ⚠️Requires an active Yandex Tracker account and valid API token or service account credentials.
  • ⚠️Requires specifying either a TRACKER_CLOUD_ORG_ID (for Yandex Cloud organizations) or a TRACKER_ORG_ID (for Yandex 360 organizations).
  • ⚠️Dynamic OAuth 2.0 authentication requires setting up a Yandex OAuth application, configuring client ID/secret, and making the MCP server publicly accessible for callbacks.
  • ⚠️Requires Python 3.11 or higher.
Verified Safe
The server implements multiple robust authentication mechanisms including static OAuth, IAM tokens, and dynamic IAM via service accounts, as well as a full OAuth 2.0 provider with refresh token support. When using Redis for OAuth data or caching, it supports Fernet encryption for tokens at rest and SHA-256 hashing for Redis keys. Secrets are expected to be provided via environment variables, not hardcoded. The OAuth mode requires the server to be publicly accessible for callback URLs, which is a common pattern for OAuth but requires careful network configuration. There are no obvious 'eval', obfuscation, or malicious patterns.
Updated: 2026-01-17
43
8
Medium Cost

claude-code-buddy

by PCIRCLE-AI

Sec9

An intelligent AI Agent orchestration system for Claude Code, focusing on smart task routing, prompt enhancement, project memory, workflow guidance, and planning, presented via a real-time terminal UI dashboard.

Setup Requirements

  • ⚠️Requires ANTHROPIC_API_KEY (Paid API usage).
  • ⚠️Requires Node.js (v18+) and npm/yarn for dependency management.
  • ⚠️Requires Git to be installed and configured on the system.
  • ⚠️E2E Healing Agent, if used, requires Playwright to be installed and its browsers configured.
Verified Safe
The project demonstrates strong security awareness: extensive input validation (Zod, regex whitelists), safe use of child processes (`spawn` with array arguments, whitelisting, explicit path validation), no hardcoded credentials, and robust privacy sanitization for telemetry. Critical components like `RollbackManager` and `MCPToolInterface`'s `commandRunner` implement robust measures against command injection. `UninstallManager` also includes checks for path traversal and symlinks. Potential risks are inherent to LLM-based tools (e.g., LLM generating malicious code) or vulnerabilities in underlying dependencies.
Updated: 2026-01-19
43
31
Low Cost

iceberg-mcp

by morristai

Sec8

Serves as an MCP server providing metadata about Apache Iceberg catalogs.

Setup Requirements

  • ⚠️Requires Rust toolchain installed to build from source.
  • ⚠️AWS credentials (either profile or explicit keys) must be configured for AWS Glue catalog support.
  • ⚠️Manual editing of Claude Desktop's `claude_desktop_config.json` is required for integration.
Verified Safe
The server handles connections to various data catalogs (REST, AWS Glue) and requires configuration with sensitive credentials (AWS access keys, secrets) for cloud providers. It exposes network endpoints for its operation. The user is responsible for securing the provided credentials and network environment. Logging to local files should be monitored for sensitive data.
Updated: 2025-11-17
43
76
High Cost

ols4

by EBISPOT

Sec5

A repository for biomedical ontologies, providing a website, REST API, and MCP server for accessing the latest ontology versions.

Setup Requirements

  • ⚠️Docker is required for local setup and deployment.
  • ⚠️High memory requirements (e.g., 10-50GB memory limits for backend services, 15-20GB for Solr/Neo4j).
  • ⚠️Optional: OpenAI API Key for embedding generation (requires a paid OpenAI account).
Verified Safe
The `ols4-neo4j` Docker service explicitly disables Neo4j authentication (`NEO4J_AUTH=none`), which is a major security vulnerability if exposed in a production environment. The API allows cross-origin requests for GET methods from any origin (`Access-Control-Allow-Origin: *`), which is typical for a public API but is noted here.
Updated: 2026-01-19
43
17
Medium Cost
Sec9

The OpenTelemetry Model Context Protocol (MCP) server enables LLMs to efficiently use the OpenTelemetry stack by providing tools to configure an OpenTelemetry collector through strict JSON schemas and validation.

Setup Requirements

  • ⚠️Go 1.24+ runtime required for building from source or installing via `go install`.
  • ⚠️A `claude` CLI client (or similar MCP-compatible client) is required to interact with the server for LLM integration as described in the README.
Verified Safe
The server leverages the OpenTelemetry Collector Builder (OCB) to generate Go code for component factories and configuration providers. Security practices include robust handling of HTTP/gRPC, TLS, and explicit mechanisms for fetching sensitive configuration values from secure sources (e.g., AWS Secrets Manager, Google Secret Manager) rather than hardcoding. The system also includes mitigations against common network-related vulnerabilities like decompression bombs (MaxRequestBodySize) and race conditions. The overall architecture is modular and relies on well-vetted OpenTelemetry components, leading to a high security posture. A potential, though indirect, risk exists if the `manifest.yaml` used by OCB were to include malicious or untrusted module replacements.
Updated: 2026-01-14