Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(7756)

42
1
Low Cost
birdseyevue icon

daisyui-mcp

by birdseyevue

Sec9

Provides DaisyUI component documentation to AI assistants for UI development.

Setup Requirements

  • ⚠️Requires `python update_components.py` to be run once for initial setup (fetching documentation).
  • ⚠️Requires Python 3.10+.
Verified SafeView Analysis
The server fetches documentation from a hardcoded external URL (daisyui.com/llms.txt) and stores it locally. Processing of this external content involves regex and file writing to a specific 'components' directory. The MCP server then serves content from these local markdown files. There are no apparent 'eval' statements or other direct code execution of external content. Path traversal attempts in `get_component` are mitigated by using `pathlib.Path` objects and filename sanitization during creation, limiting file access to the intended 'components' directory. No hardcoded secrets were found.
Updated: 2025-11-28GitHub
42
19
Medium Cost
mafzaal icon

d365fo-client

by mafzaal

Sec1

Provides a Model Context Protocol (MCP) server for AI agents to interact with Microsoft Dynamics 365 Finance & Operations (D365 F&O) environments, enabling comprehensive metadata exploration, CRUD operations on data entities, OData action calls, and label resolution. It leverages an advanced caching system to optimize performance and reduce API calls.

Setup Requirements

  • ⚠️Requires Azure AD application registration with appropriate permissions for D365 F&O authentication (or an environment configured for DefaultAzureCredential).
  • ⚠️An active Microsoft Dynamics 365 Finance & Operations environment (sandbox or production) is essential for full functionality.
  • ⚠️Contains critical remote code execution (RCE) and SQL injection vulnerabilities, making it unsafe to deploy in production or with untrusted input without addressing these security flaws.
Review RequiredView Analysis
CRITICAL VULNERABILITIES: 1. **Remote Code Execution (RCE):** The `_format_query_results` function in `src/d365fo_client/mcp/mixins/database_tools_mixin.py` uses `json.loads(eval(value))` for processing query results. If `value` (which originates from database query results) can be manipulated by an attacker (e.g., through a malicious SQL query that bypasses internal safety checks, or via compromised data in the local SQLite cache), this allows **arbitrary code execution** on the server running the MCP. 2. **SQL Injection Risk:** The `_validate_query_safety` function in `database_tools_mixin.py` attempts to prevent malicious SQL queries against the local SQLite cache using a keyword blacklist. Blacklisting is generally ineffective against sophisticated SQL injection attacks, significantly increasing the risk of the aforementioned RCE vulnerability if the local database is compromised by a malicious query. 3. **Default Insecure SSL:** The `FOClientConfig` (`src/d365fo_client/models.py`) defaults `verify_ssl` to `False`. This disables SSL certificate validation for connections to D365 F&O, making the client vulnerable to Man-in-the-Middle (MITM) attacks where an attacker could intercept and tamper with communication. Users *must* explicitly set `verify_ssl=True` in production. Additional Notes: * **Localhost Authentication Bypass:** The `auth.py` module contains a `_is_localhost()` check that provides a mock token for `localhost` or `127.0.0.1` URLs. This could be a security risk if the MCP server is misconfigured to point to a local mock D365 F&O endpoint while being exposed to untrusted external networks.
Updated: 2025-12-14GitHub
42
21
High Cost
xorrkaz icon

cml-mcp

by xorrkaz

Sec2

The cml-mcp server integrates Cisco Modeling Labs (CML) with Large Language Model (LLM) applications, enabling natural language control over network lab creation, configuration, and management.

Setup Requirements

  • ⚠️Requires Python 3.12+ and Cisco Modeling Labs (CML) 2.9 or later.
  • ⚠️PyATS and Genie are required for device CLI command execution (optional, but needed for full features).
  • ⚠️Windows users require Windows Subsystem for Linux (WSL) or Docker for full functionality (especially PyATS support).
  • ⚠️For HTTP transport, a Node.js-based `mcp-remote` bridge is required for most MCP clients.
Review RequiredView Analysis
CRITICAL: The `httpx.AsyncClient` used for CML API communication is initialized with `verify=False` (`ssl_verify=False` for `virl2_client`), disabling SSL/TLS certificate validation. This makes all communication with the CML server vulnerable to Man-in-the-Middle (MITM) attacks, even if HTTPS is used. This is a severe security vulnerability. Additionally, the `send_cli_command` tool allows the LLM to execute arbitrary CLI commands on virtual devices, posing a high risk if the LLM is compromised or misbehaves. While this is an intended feature, it grants significant control and can lead to destructive actions. Default PyATS credentials ('cisco') are used if environment variables are not set.
Updated: 2025-12-11GitHub
42
29
Medium Cost
tandemai-inc icon

rdkit-mcp-server

by tandemai-inc

Sec1

The RDKit MCP Server provides agentic access to the RDKit cheminformatics library, allowing Language Models to interact with its functions through natural language.

Setup Requirements

  • ⚠️Requires an OpenAI API Key for the CLI client and evaluations (paid service).
  • ⚠️The MCP server must be running locally for clients to connect.
  • ⚠️RDKit library dependencies can sometimes be complex to install outside of common package managers like conda.
Review RequiredView Analysis
CRITICAL VULNERABILITIES: 1. Arbitrary File Read/Write: The `read_file`, `write_file`, `pdb_to_mol`, and `sdf_to_mol` tools directly accept user-controlled file paths. An attacker (e.g., via a jailbroken LLM) could read or write to arbitrary locations on the server's filesystem (e.g., `/etc/passwd`, sensitive data files), leading to information disclosure, unauthorized modification, or denial of service. The `FILE_DIR` setting is not enforced for these critical tools. 2. Pickle Deserialization: The `decode_mol` function uses `pickle.loads` to deserialize `PickledMol` objects. If a malicious base64-encoded pickled string is provided as input to any tool accepting `PickledMol`, it could lead to arbitrary code execution on the server. 3. DNS Rebinding Protection: DNS rebinding protection is explicitly disabled (`enable_dns_rebinding_protection=False`), which can expose the server to attacks if it's accessible from untrusted networks.
Updated: 2025-12-12GitHub
42
5
Low Cost
danielealbano icon
Sec9

This MCP server enables LLM agents to manage Azure DevOps Boards by creating, updating, querying, and linking work items, as well as listing teams, boards, and iteration paths.

Setup Requirements

  • ⚠️Requires Azure CLI (`az login`) for authentication prior to running the server.
  • ⚠️Running in HTTP server mode (`--server`) binds to `0.0.0.0`, exposing it to the network. Ensure appropriate firewall rules are in place.
  • ⚠️The WIQL query tool (`azdo_query_work_items_by_wiql`) allows direct execution of Work Item Query Language, which an LLM should use carefully to avoid unintended results.
Verified SafeView Analysis
The server leverages Azure CLI's `az login` for authentication, securely offloading credential management. The HTTP server mode binds to `0.0.0.0`, which means it listens on all network interfaces; users should ensure proper network security (e.g., firewall) if enabling this mode. The `azdo_query_work_items_by_wiql` tool executes raw WIQL queries, which is powerful but requires careful use by the calling agent to prevent unintended data exposure or manipulation. Other query tools construct WIQL safely.
Updated: 2025-12-07GitHub
42
31
Medium Cost
nim444 icon
Sec8

Provides an MCP server for AI agents to automate Android devices using uiautomator2.

Setup Requirements

  • ⚠️Requires Python 3.13 or higher.
  • ⚠️Requires Android Debug Bridge (adb) installed and in system PATH.
  • ⚠️Requires a connected Android device with USB debugging enabled.
  • ⚠️Requires manual modification of `server.py` to switch between HTTP and stdio transport modes for different use cases (e.g., AI agent vs. API).
Verified SafeView Analysis
The project uses `uiautomator2` which grants powerful control over a connected Android device. It uses `subprocess.run` to check ADB status but does so safely by resolving `adb` path and using fixed commands, avoiding injection risks. No hardcoded secrets or `eval` usage were found. The server can be configured to run on `0.0.0.0` (all network interfaces), which means it's accessible on the local network. Users should ensure their network environment is secure to prevent unauthorized access to the server, as control of the server implies control of the connected Android device.
Updated: 2025-11-21GitHub
42
17
Low Cost
szaffarano icon

org-mcp-server

by szaffarano

Sec9

An MCP server for org-mode knowledge management, providing search, content access, and note linking capabilities for AI agents.

Setup Requirements

  • ⚠️Requires an existing Rust toolchain (Rustup, Cargo) for building from source or installing via Cargo.
  • ⚠️Requires a Model Context Protocol (MCP) agent (e.g., OpenCode) for full integration, as the server primarily communicates via standard I/O.
  • ⚠️Requires an existing directory of org-mode files configured via `org_directory` for useful functionality.
Verified SafeView Analysis
The project is written in Rust, which inherently offers strong memory safety guarantees, mitigating many common vulnerabilities. The primary server binary (`org-mcp-server`) communicates via standard I/O (`stdio`) as a child process, limiting direct network attack surface from the server itself. Configuration loading and file system access involve path validation and use of standard, well-vetted libraries (e.g., `config`, `shellexpand`). Input validation is applied to dates and priorities. There are no obvious hardcoded secrets or malicious patterns (e.g., `eval` of arbitrary code). The project is marked as 'Work in Progress', which may mean not all security aspects are fully audited, but the current codebase appears robust.
Updated: 2025-12-12GitHub
42
38
Low Cost
Dark-Kernel icon

tuisic

by Dark-Kernel

Sec6

A terminal-based online music streaming application that provides an MCP (Model Context Protocol) server for AI integration, allowing AI clients to control music playback and search.

Setup Requirements

  • ⚠️Requires 'yt-dlp' to be installed for track download functionality (though not directly exposed by MCP tools).
  • ⚠️Optional MPRIS support requires 'sdbus-cpp', which may need manual building and installation.
  • ⚠️Requires a TUI-compatible terminal for the main application mode, but the MCP server runs headless.
Verified SafeView Analysis
The underlying MusicPlayer module, utilized by the MCP server, contains 'system()' calls for features like downloading tracks (via 'yt-dlp') and clipboard operations, which are vulnerable to command injection if input is not robustly sanitized. While the current MCP server tools do not directly expose these specific vulnerable paths to AI client commands, the presence of such methods in the codebase warrants caution. Additionally, 'execl()' is used for daemon mode, which could be exploited if arguments are not sanitized. There's a minor risk from 'notify-send' calls if messages contain shell metacharacters.
Updated: 2025-12-05GitHub
42
22
Medium Cost
onkernel icon
Sec8

The Kernel MCP Server enables AI assistants to securely interact with the Kernel platform for cloud-based browser automation, app deployment, and documentation search.

Setup Requirements

  • ⚠️Requires specific environment variables (e.g., CLERK_SECRET_KEY, REDIS_URL, API_BASE_URL, MINTLIFY_ASSISTANT_API_TOKEN) which are not publicly documented and appear to be internal to the Kernel team.
  • ⚠️Requires access to a Redis instance for token and organization context storage.
  • ⚠️Requires a Clerk account and configuration for OAuth 2.0 authentication.
  • ⚠️Requires a Kernel platform account and API key to interact with its services.
Verified SafeView Analysis
The server employs OAuth 2.0 with Clerk for authentication and stores sensitive tokens (JWTs, refresh tokens) securely hashed in Redis using HMAC-SHA256 with `CLERK_SECRET_KEY`. It explicitly checks for and requires critical environment variables for sensitive IDs and keys. CORS is set to `Access-Control-Allow-Origin: *` for public API endpoints, which is acceptable given the authentication mechanisms. The `/mcp` endpoint supports both JWT-based (Clerk) and non-JWT (API key) authentication paths; the security of the API key path relies heavily on the `Kernel` SDK's backend validation. User-provided Playwright code is executed via the `Kernel` platform API, implying execution in a sandboxed, managed environment rather than directly on this server.
Updated: 2025-12-08GitHub
42
25
Medium Cost
StacklokLabs icon

osv-mcp

by StacklokLabs

Sec8

An MCP (Model Context Protocol) server that provides access to the OSV (Open Source Vulnerabilities) database for LLM-powered applications.

Setup Requirements

  • ⚠️Go 1.21 or later is required for building from source.
  • ⚠️Relies on the external OSV (Open Source Vulnerabilities) database API for data retrieval.
  • ⚠️`Task` is optionally recommended for simplified build and run commands.
Verified SafeView Analysis
The server uses standard Go HTTP client practices with appropriate timeouts when interacting with the external OSV API. It includes input validation for its MCP tools, preventing obvious injection vectors for package names, versions, or IDs. Configuration through environment variables is handled with type conversion and range checks. No direct 'eval' or arbitrary code execution from user input is apparent in the provided source code. The project has documented security policies for responsible disclosure, indicating a proactive stance on security. Primary external risks are tied to the reliability and security of the OSV API itself and the underlying `mark3labs/mcp-go` library.
Updated: 2025-12-12GitHub
42
13
Medium Cost
codescene-oss icon

codescene-mcp-server

by codescene-oss

Sec9

The server exposes CodeScene's Code Health analysis as local tools to augment AI prompts with code quality insights, facilitate refactoring, and safeguard against technical debt.

Setup Requirements

  • ⚠️Docker is required to run the server as a self-contained image.
  • ⚠️A CodeScene subscription and `CS_ACCESS_TOKEN` are mandatory for accessing CodeScene analysis capabilities.
  • ⚠️Correct configuration of `CS_MOUNT_PATH` as a Docker bind mount is crucial for enabling the server to access local code files, including careful path normalization for Windows/POSIX environments.
Verified SafeView Analysis
The server runs locally in a Docker container, using a read-only bind mount for the codebase, which significantly limits local file interaction risks. Secrets like `CS_ACCESS_TOKEN` are read from environment variables. Outbound network calls are restricted to CodeScene APIs for analysis results and refactoring services. The execution of local CLI tools (`cs` and `git`) via `subprocess.run` is present, but arguments are constructed with validated paths, mitigating injection risks. No 'eval' or obvious obfuscation is found.
Updated: 2025-12-12GitHub
42
32
High Cost
JustasMonkev icon
Sec5

This Model Context Protocol (MCP) server provides automated web accessibility scanning and browser automation using Playwright and Axe-core, enabling LLMs to perform WCAG compliance checks, interact with web pages, and generate detailed accessibility reports.

Setup Requirements

  • ⚠️Requires Node.js version 18.0.0 or higher.
  • ⚠️Playwright browser binaries must be installed (can be done via `playwright install` or the `browser_install` tool).
  • ⚠️The `browser_evaluate` tool allows arbitrary JavaScript execution on targeted web pages, posing a significant risk if given untrusted input.
Verified SafeView Analysis
The `browser_evaluate` tool allows for arbitrary JavaScript execution on web pages. While this is a powerful feature for browser automation, it introduces a significant security risk if the LLM client is compromised or provided with malicious instructions, potentially leading to cross-site scripting (XSS) or data exfiltration from the browsed content. The server implements network origin filtering (`allowedOrigins`, `blockedOrigins`) which helps mitigate some network-based risks. The `browser_install` tool downloads browser binaries, relying on the trustworthiness of the Playwright project.
Updated: 2025-12-12GitHub
PreviousPage 81 of 647Next