Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystem's biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

Vetted Servers (7756)

41
18
Medium Cost
Sec9

Provide real-time prediction market data from Polymarket, PredictIt, and Kalshi for AI workflows.

Setup Requirements

  • ⚠️ Requires Node.js 18+ and npm.
  • ⚠️ Automated Claude Desktop setup is macOS-specific; manual configuration may be needed on other operating systems.
  • ⚠️ Global npm package installation might require elevated permissions.
Verified Safe
The server makes HTTP requests to external prediction market APIs (Polymarket, PredictIt, Kalshi). Input validation for the 'keyword' parameter is present, limiting its length to 50 characters. No hardcoded secrets, 'eval' usage, or obvious malicious patterns were found. The 'setup-claude.js' script modifies a local Claude Desktop configuration file for integration, which is a standard approach for such tools and runs during 'postinstall'.
Updated: 2025-12-10
41
21
Low Cost

fastify-mcp-server

by flaviodelgrosso

Sec9

Provides a Fastify-based HTTP transport layer for the Model Context Protocol (MCP), enabling AI assistants to securely interact with services.

Setup Requirements

  • ⚠️ Requires Node.js version 22 or higher.
  • ⚠️ Requires an initialized `McpServer` instance from `@modelcontextprotocol/sdk` to be passed during plugin registration.
  • ⚠️ Bearer token authentication, if enabled, requires providing a custom `OAuthTokenVerifier` implementation.
Verified Safe
The project uses a robust framework (Fastify) and explicitly implements Bearer token authentication with checks for expiration and required scopes. It also includes custom MCP-specific error handling to prevent sensitive information leakage. There are no readily apparent uses of `eval`, obfuscation, hardcoded sensitive credentials, or easily exploitable regex patterns in the provided source code snippets. Security relies on the `OAuthTokenVerifier` implementation provided by the user and the underlying `@modelcontextprotocol/sdk`.
Updated: 2025-12-15
41
21
Medium Cost

identity-spec

by agntcy

Sec8

Provides comprehensive documentation and specifications for an identity platform for agents, including decentralized identifiers, verifiable credentials, and post-quantum safe cryptography.

Setup Requirements

  • ⚠️ Requires Node.js >= 18.0
  • ⚠️ Requires 'yarn' package manager
  • ⚠️ Requires 'make' and tools for Protocol Buffer and JSON Schema generation during build ('npx docusaurus generate-proto-docs', './scripts/generate-json-docs')
Verified Safe
The provided source code is primarily for a Docusaurus-based documentation website ('docs-src'), not the backend 'MCP Server' or 'Identity Node' itself. The website code uses client-side DOM manipulation (e.g., 'innerHTML' for SVG injection in the panzoom plugin), which is generally considered safe within the controlled environment of a static site generator's output, as the content source is expected to be trusted. No hardcoded secrets, obfuscation, or obvious malicious patterns were identified in the available documentation-focused code. A full security audit of the backend Identity Node server would require its actual implementation source code, which is not provided.
Updated: 2025-12-15
41
22
Low Cost
Sec9

Exposes OWASP ZAP security scanning functionalities as Model Context Protocol (MCP) tools, enabling AI agents to orchestrate security assessments and report generation.

Setup Requirements

  • ⚠️ Requires secure ZAP API Key (default is 'changeme-zap-api-key') and MCP API Key/JWT Secret (defaults are 'changeme' values) to be generated and configured, with JWT requiring a minimum 256-bit length.
  • ⚠️ Requires Docker Compose or Kubernetes/Helm for deployment, or Java 21+ for manual build.
  • ⚠️ Designed for use with an AI agent (LLM) that supports tool calling (e.g., GPT-4o, Claude 3) for its primary functionality.
Verified Safe
The project demonstrates strong security awareness: comprehensive URL validation prevents scanning internal networks by default; robust authentication methods (API Key, JWT with refresh and blacklist) are implemented with explicit warnings for development-only 'none' mode; JWT secret length is enforced; CSRF protection is intentionally disabled and well-justified for an API-only, token-based server following OWASP best practices. Default API keys and JWT secrets are 'changeme' values requiring user updates, which, if ignored, pose a configuration risk.
Updated: 2025-12-11
41
25
Low Cost

Facilitates context-efficient generation, branching, and searching of unconventional thoughts for AI problem-solving.

Setup Requirements

  • ⚠️ Requires Node.js & npm for building and execution.
  • ⚠️ Requires manual configuration of Claude Desktop's `claude_desktop_config.json` with an absolute path to the compiled server binary.
  • ⚠️ Server uses `process.cwd()` for data storage, so its behavior depends on the directory from which it is launched by Claude Desktop.
Verified Safe
The server communicates via standard I/O (stdio) instead of network ports, significantly reducing direct network attack surface. It primarily performs local file operations within a dedicated '.thoughts' directory relative to its working directory. No 'eval' or similar dangerous functions are present. No hardcoded secrets or sensitive API keys are found in the source. The file system access is constrained and transparent, posing minimal risk when run as intended by a trusted parent process like Claude Desktop.
Updated: 2025-11-24
41
2
Low Cost
Sec8

An MCP server that allows AI assistants to manage GitHub Stars contributions and profile links through natural language interaction.

Setup Requirements

  • ⚠️ Requires Node.js v18 or later
  • ⚠️ Requires a GitHub Stars API token, obtained from stars.github.com/profile
Verified Safe
No direct source code for the main application logic (`github-stars-contributions-mcp.mjs`) was provided, limiting a full deep dive. However, analysis of `package.json` and `package-lock.json` reveals standard, reputable dependencies, including `express-rate-limit` for API protection. Secrets (GitHub Stars Token) are configured via environment variables, which is a good security practice. No obvious malicious patterns, obfuscation, or hardcoded secrets were found in the provided files.
Updated: 2025-12-02
41
2
Medium Cost
Sec9

Analyze iOS/macOS app performance, sales, reviews, and TestFlight data via App Store Connect API.

Setup Requirements

  • ⚠️ Requires manual setup of an App Store Connect API Key (Issuer ID, Key ID, .p8 file download - a one-time process).
  • ⚠️ Requires Node.js version 18.0.0 or higher.
  • ⚠️ Requires specific environment variables for authentication: APP_STORE_CONNECT_ISSUER_ID, APP_STORE_CONNECT_KEY_ID, and either APP_STORE_CONNECT_PRIVATE_KEY_PATH (path to .p8 file) or APP_STORE_CONNECT_PRIVATE_KEY (content of .p8 file).
  • ⚠️ The APP_STORE_CONNECT_VENDOR_NUMBER environment variable is required for sales and finance reports.
Verified Safe
The server uses environment variables for sensitive API keys, employs Zod for robust input validation, and correctly handles API authentication including special cases like S3 signed URLs for analytics data without sending unnecessary headers. It utilizes standard and well-audited libraries for JWT generation and HTTP requests. No critical vulnerabilities like 'eval' or hardcoded secrets were identified.
Updated: 2025-11-30
41
26
Medium Cost

vectara-mcp

by vectara

Sec9

Vectara MCP Server enables AI systems to interact seamlessly with Vectara's RAG platform for reduced hallucination, functioning as an open standard Model Context Protocol server.

Setup Requirements

  • ⚠️ Requires `VECTARA_API_KEY` environment variable for Vectara API access.
  • ⚠️ Requires `VECTARA_CORPUS_KEYS` environment variable (comma-separated) for RAG queries.
  • ⚠️ Requires Python 3.11 or higher.
  • ⚠️ For local development with Claude Desktop, `STDIO` transport must be explicitly enabled and configured in Claude's `mcpServers` settings.
Verified Safe
The server demonstrates a strong 'secure by default' approach. It includes comprehensive documentation on security best practices (`SECURITY.md`), enforces bearer token authentication by default for HTTP/SSE transports, and warns explicitly against disabling authentication or using STDIO transport in production. It utilizes secure SSL contexts for API calls, runs as a non-root user in Docker, and supports CORS configuration and rate limiting. No direct 'eval' or obvious malicious patterns were found.
Updated: 2025-12-05
41
23
Low Cost

claude-todo-emulator

by joehaddad2000

Sec8

Provides persistent task management for AI coding assistants within IDEs like Cursor and Windsurf by emulating Claude Code's todo system.

Setup Requirements

  • ⚠️ Requires Python 3.11 or higher.
  • ⚠️ Relies on 'uvx' (uv install) to be available in the environment for easy execution.
  • ⚠️ Automatically modifies project files like `.gitignore`, `.cursor/rules/`, and `AGENTS.MD` in the workspace directory.
Verified Safe
The server primarily operates on local files within the detected workspace. It writes to a specific JSON file (.mcp-todos.json), updates .gitignore, and copies/prepends content to .cursor/rules/ and AGENTS.MD. Content written is static from package resources, not user-controlled input, reducing injection risks. While modifying project files automatically could be seen as a risk by some, it is explicitly documented and core to its functionality. No 'eval' or other highly dangerous functions are used.
Updated: 2025-11-21
41
7
Medium Cost

mcp

by yandex-cloud

Sec7

Provides AI applications with the ability to interact with Yandex Cloud services, perform web searches, and access Yandex Cloud documentation through the Model Context Protocol.

Setup Requirements

  • ⚠️ Requires a Yandex Cloud folder for the Yandex Search API.
  • ⚠️ Requires Yandex Cloud IAM tokens for authorization for Toolkit and Search servers, which must be manually retrieved using Yandex Cloud CLI and expire every 12 hours.
  • ⚠️ Manual updates to the AI assistant's configuration are currently needed for installation.
  • ⚠️ The 'npx' package must be installed for the 'stdio' configuration option.
Review Required
The provided source code consists only of documentation (README files), not executable application code. Therefore, a comprehensive security audit for 'eval', obfuscation, network risks, hardcoded secrets, or malicious patterns within the server's implementation cannot be performed. Based on the documentation, authorization relies on Yandex Cloud IAM tokens or the metadata service, which are standard cloud security practices. No hardcoded secrets or immediate security vulnerabilities are apparent in the documentation itself. The primary friction point, the manual retrieval and 12-hour expiration of IAM tokens, is an operational risk that users must manage carefully.
Updated: 2025-12-08
41
18
Low Cost

lenses-mcp

by lensesio

Sec9

An MCP (Model Context Protocol) server that enables AI agents to interact with Lenses.io, a DataOps platform for Apache Kafka, by exposing tools for managing Kafka topics, consumer groups, connectors, and executing SQL queries.

Setup Requirements

  • ⚠️ Requires Python 3.12+ for local execution.
  • ⚠️ Requires 'uv' for dependency management and execution.
  • ⚠️ An active Lenses.io instance (v6+) is required to connect to.
  • ⚠️ Requires a Lenses API Key to be configured via environment variables.
Verified Safe
The server uses standard Python libraries (httpx, websockets) for API communication. API keys are loaded from environment variables, which is a good security practice. There is no usage of 'eval' or other dynamic code execution functions identified. Error details are masked by default ('mask_error_details=True'), preventing information leakage. Endpoints are constructed using f-strings, but the components are derived from internal configurations or validated tool arguments, reducing injection risks. The overall design appears robust against common injection vulnerabilities.
Updated: 2025-11-20
41
14
High Cost

Provides a Model Context Protocol (MCP) server to enhance Magic-API development workflows, enabling advanced interactions for script writing, API management, debugging, and deployment.

Setup Requirements

  • ⚠️ Requires an existing Magic-API backend server to connect to.
  • ⚠️ Python 3.10+ is required (3.11/3.12 recommended).
  • ⚠️ The 'uv' tool is recommended for dependency management and execution.
  • ⚠️ Network access from the MCP server to the Magic-API server is essential for functionality.
Verified Safe
The server handles sensitive information like usernames, passwords, and tokens via environment variables, which is a good practice. It interacts with a backend Magic-API that executes scripts, but the MCP server itself does not directly execute arbitrary user-provided scripts in its own process. Default URLs are localhost, limiting direct network exposure without explicit configuration. The graceful shutdown mechanism also contributes to stability.
Updated: 2025-12-15