Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(7756)

41
3
Low Cost
Team-Off-course icon

MCP-Server-Vuln-Analysis

by Team-Off-course

Sec9

This project documents and provides proof-of-concept demonstrations for security vulnerabilities, specifically Server-Side Request Forgery (SSRF), found in Model Context Protocol (MCP) servers.

Setup Requirements

  • ⚠️Requires Python 3 and Flask to run the mock servers.
Verified SafeView Analysis
The repository's primary purpose is security analysis and vulnerability disclosure for *external* MCP servers, not to be a vulnerable or malicious application itself. The provided Python Flask code is a minimal, transparent mock server designed solely to demonstrate SSRF exploitation scenarios against *other* target applications. It does not contain 'eval', obfuscation, hardcoded secrets relevant to its own operation, or other malicious patterns.
Updated: 2025-12-13GitHub
41
23
Low Cost
7gugu icon

whistle-mcp

by 7gugu

Sec7

Manages a local Whistle proxy server and network requests through AI commands, enabling automated control of rules, groups, values, and request interception/replay.

Setup Requirements

  • ⚠️Requires the Whistle proxy server to be installed and running locally.
  • ⚠️Requires Node.js version >=18.20.0.
  • ⚠️Assumes global npm package installation for 'whistle-mcp-tool'.
  • ⚠️Requires explicit configuration of Whistle's host and port if different from the default 'localhost:8899'.
Verified SafeView Analysis
The server itself does not contain obvious hardcoded secrets or direct 'eval' of user input that would execute code on the host system. However, it acts as an interface to a local Whistle proxy. Arguments like 'ruleValue' for 'updateRule' and 'url', 'headers', 'body' for 'replayRequest' are taken directly from AI tool calls. A malicious AI prompt (or a malicious user interacting with an AI) could instruct the Whistle MCP server to send arbitrary, potentially harmful, configurations to the local Whistle proxy or replay malicious requests. The 'getInterceptInfo' tool uses 'new RegExp(url)' which could be vulnerable to ReDoS (Regular Expression Denial of Service) if the 'url' parameter contains a maliciously crafted regular expression, potentially causing high CPU usage locally, although the code includes a try-catch for invalid regex syntax. There's also a minor inconsistency where the tool 'toggleHttpInterception' is implemented to call 'whistleClient.toggleHttpsInterception', meaning it will toggle HTTPS interception despite its name suggesting HTTP. This could lead to unexpected behavior.
Updated: 2025-12-11GitHub
41
11
Low Cost
tuannvm icon

oauth-mcp-proxy

by tuannvm

Sec9

OAuth 2.1 authentication library for Go-based Model Context Protocol (MCP) servers, supporting multiple SDKs and providers.

Setup Requirements

  • ⚠️Requires an Okta developer account and API setup (for the provided examples, other providers require similar setup).
  • ⚠️Requires specific environment variables (e.g., OKTA_DOMAIN, OKTA_AUDIENCE, SERVER_URL) for OAuth configuration.
  • ⚠️Requires a Go runtime environment (Go 1.22+ as per go.mod).
Verified SafeView Analysis
The server demonstrates a very strong security posture. It uses `go-oidc` for OIDC validation, ensuring JWKS, key rotation, and standard OIDC claims checks (issuer, audience, expiry). Explicit audience validation is implemented for both HMAC and OIDC. State parameters are HMAC-signed to prevent tampering. PKCE support is automatic for public clients. Strict redirect URI validation (allowlist or localhost-only) and HTTPS enforcement are in place. Basic length validation on OAuth parameters prevents abuse. All secrets (JWT_SECRET, ClientSecret) are consistently sourced from environment variables, and the documentation strongly advises against hardcoding them. Security headers are automatically added to OAuth endpoints. The code is well-structured without 'eval' or obfuscation. Minor considerations include the hardcoded 5-minute cache TTL and a theoretical fallback to an insecure key if both JWT_SECRET is missing AND cryptographically secure random generation fails during initialization.
Updated: 2025-12-13GitHub
41
22
High Cost
clay-inc icon

clay-mcp

by clay-inc

Sec8

This server acts as a proxy for integrating Clay's relationship intelligence and contact management features with AI assistants via the Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires a Clay API Key (account required).
  • ⚠️Requires Node.js version 18 or higher.
Verified SafeView Analysis
The server primarily acts as a proxy, forwarding requests to the `https://nexum.clay.earth/tools` backend API. API keys are managed via environment variables (`CLAY_API_KEY`) or URL query parameters. While using URL query parameters for sensitive information like API keys is generally less secure than HTTP headers (due to potential logging or exposure), the actual `fetch` call to the backend uses the `Authorization` header, which is good. Input validation is robustly handled using `zod` schemas for all tool parameters, significantly reducing risks of malformed data or injection into the backend. There is no `eval` or direct arbitrary command execution based on user input in the provided source code. Dependencies like `execa` are used by the underlying `fastmcp` framework for managing the server process itself, not for dynamic command execution from user requests. The main security considerations would shift to the backend `nexum.clay.earth` API regarding how it processes the forwarded `query` and `keywords` fields.
Updated: 2025-12-02GitHub
41
10
Low Cost
diegorafs icon
Sec4

AI agents control and inspect a live Chrome browser for reliable web automation, in-depth debugging, and performance analysis.

Setup Requirements

  • ⚠️Requires Node.js v20.19+ (or v22.12.0+ for Node 22) LTS version.
  • ⚠️Requires Chrome current stable version or newer to be installed.
  • ⚠️Some MCP clients' sandboxing features (e.g., macOS Seatbelt, Linux containers) may prevent the server from launching Chrome, requiring `--connect-url` to a manually started Chrome instance or disabling sandboxing for the MCP server.
Verified SafeView Analysis
The `evaluate_script` tool allows arbitrary JavaScript execution within the browser context, which is a significant security risk if the controlling AI agent or MCP client is compromised. The `upload_file` tool also exposes local file system access. The server explicitly warns in its disclaimers about exposing browser content and sensitive information to MCP clients, requiring responsible usage.
Updated: 2025-11-30GitHub
41
25
Medium Cost
mcpc-tech icon

mcpc

by mcpc-tech

Sec7

Build agentic MCP servers by composing existing MCP tools, enabling powerful AI agents and multi-agent systems for tasks like coding, web analysis, or document processing.

Setup Requirements

  • ⚠️Requires Node.js / Deno / Bun runtime environment.
  • ⚠️GitHub Personal Access Token (with `repo`, `read:org`, `user` scopes) is often required for GitHub integrations.
  • ⚠️Full interaction often requires an MCP-compatible client like VS Code, Claude Code, or Cursor.
Verified SafeView Analysis
The framework allows `eval` in an example plugin, explicitly warning against production use. It handles sensitive credentials via environment variables, not hardcoded. The `code_execution` plugin provides Deno sandboxing with configurable permissions to mitigate risks from user-generated code, which is a strong security feature. However, extensive network and filesystem access through dependent MCPs (like `desktop-commander`, `github`) means that the overall security posture heavily depends on the specific agent's configuration and the permissions granted. Misconfiguration by the agent developer could expose powerful capabilities.
Updated: 2025-12-14GitHub
41
23
Medium Cost
allsmog icon

mcp-pentest

by allsmog

Sec2

An AI-driven middleware to orchestrate and manage penetration testing tools and engagements.

Setup Requirements

  • ⚠️Requires Python 3.10+.
  • ⚠️Requires Nmap and Gobuster (and other integrated tools like Hydra, John, Nikto, Metasploit for full functionality) binaries to be installed and in the system's PATH.
  • ⚠️Metasploit RPC daemon (msfrpcd) must be running with hardcoded default credentials ('msf'/'password') for Metasploit functionality, which is a significant security risk.
  • ⚠️Assumes existence of common wordlists (e.g., /usr/share/wordlists/dirb/common.txt) for tools like Gobuster and Hydra.
Review RequiredView Analysis
CRITICAL security risks identified. The server is highly vulnerable to command injection in its tool plugins (Nmap, Gobuster, Hydra, John, Nikto). The 'options' parameters in `execute_task` methods directly append user/LLM-supplied input to shell commands without sanitization, allowing arbitrary command execution on the host running the MCP server. Additionally, the Metasploit plugin uses hardcoded default credentials ('msf'/'password') for its RPC connection, posing a significant risk if Metasploit is active and exposed. There is also a general lack of robust input validation for parameters passed to external tools.
Updated: 2025-12-05GitHub
41
25
Medium Cost
pratikjadhav2726 icon

Unified-MCP-Tool-Graph

by pratikjadhav2726

Sec4

The Unified MCP Tool Graph aggregates and structures tool APIs from diverse Model Context Protocol (MCP) servers into a centralized Neo4j graph database, enabling LLMs and agentic AI systems to dynamically retrieve the most relevant tools for any task.

Setup Requirements

  • ⚠️Requires Neo4j database (Docker recommended) for full dynamic tool retrieval capabilities; otherwise, it runs in fallback mode.
  • ⚠️Requires `uv` (modern Python package manager) for easy dependency installation and running scripts.
  • ⚠️Requires `mcp-proxy` for exposing stdio-based MCP servers as HTTP endpoints.
  • ⚠️Requires `GROQ_API_KEY` for agent examples utilizing Groq models (paid API usage).
  • ⚠️Requires Python 3.12+.
Review RequiredView Analysis
The system dynamically fetches and executes server configurations from potentially arbitrary GitHub repositories for new tools. The `MCPServerManager` uses `subprocess.Popen` with commands and arguments derived from these configurations. While `extract_config_from_github_async` attempts to filter commands (to 'npx' or 'python'), these can still execute arbitrary code if a malicious configuration is provided (e.g., from a compromised GitHub repository or a crafted JSON in a README). This introduces a significant supply chain and remote code execution risk, as the integrity of external configurations cannot be fully guaranteed. No direct `eval()` or `os.system()` with unsanitized user input was found, but the dynamic execution of external commands is a high-risk pattern.
Updated: 2025-12-02GitHub
41
10
Low Cost
Sec9

Demonstrates building Model Context Protocol (MCP) servers in TypeScript and Java for integrating with developer platforms and services like GitHub, specifically for a workshop using Visual Studio Code and GitHub Copilot.

Setup Requirements

  • ⚠️Requires Node.js 24.
  • ⚠️Requires Java 25.
  • ⚠️Full workshop experience leveraging Visual Studio Code and GitHub Copilot may require a GitHub Copilot subscription (though the README states 'free tier is more than enough').
Verified SafeView Analysis
The provided content is a workshop README, not executable code. It outlines how to build and run MCP servers locally for learning purposes. Security risks are minimal from the documentation itself but depend on the specific implementation of the servers. Interactions described are local (localhost) or with external services (GitHub API) when implemented.
Updated: 2025-11-17GitHub
41
17
High Cost
CognitionAI icon

metabase-mcp-server

by CognitionAI

Sec2

Provides AI assistants with programmatic access to Metabase's analytics platform, enabling data querying, dashboard management, and content organization.

Setup Requirements

  • ⚠️Requires a running Metabase instance accessible from the server.
  • ⚠️Authentication requires either METABASE_API_KEY or METABASE_USERNAME and METABASE_PASSWORD environment variables to be set, otherwise insecure hardcoded defaults may be used.
  • ⚠️Recommended Node.js 20.19.0+ and npm 8.0.0+.
Review RequiredView Analysis
The `sse-server.js` file, which can act as a bridge for the MCP server, contains hardcoded default Metabase admin credentials (`admin@metabase.local` / `MetabaseAdmin2024!`) that are passed to the spawned MCP server if environment variables are not explicitly set. This presents a critical vulnerability if the server is run without proper environment variable configuration, or if `sse-server.js` is unintentionally exposed. Additionally, the SSE endpoint uses `Access-Control-Allow-Origin: '*'`, which is overly permissive and can introduce risks if not strictly confined to local host or controlled environments.
Updated: 2025-12-02GitHub
41
22
Medium Cost
jentic icon

jentic-sdks

by jentic

Sec7

The Jentic MCP Plugin enables AI-agent builders to discover, load, and execute external APIs and workflows via the Model Configuration Protocol (MCP), generating LLM-compatible tool definitions.

Setup Requirements

  • ⚠️Requires `JENTIC_AGENT_API_KEY` (obtained from Jentic dashboard).
  • ⚠️Requires `uv` installed (`brew install uv` or `pip install uv`).
  • ⚠️Requires Python 3.11+.
Verified SafeView Analysis
The server explicitly handles `JENTIC_AGENT_API_KEY` from environment variables, which is good practice. However, the `submit_feedback` tool, while attempting to remove sensitive data, also explicitly includes the `JENTIC_AGENT_API_KEY` in the feedback payload if present. This is a potential security risk as the agent API key is sensitive and its inclusion in feedback could lead to compromise if the feedback endpoint or its handling is insecure. The server relies on the security of the remote Jentic API Knowledge Hub for its core functionality. No 'eval' or obvious malicious code patterns were found.
Updated: 2025-11-26GitHub
41
21
Low Cost
cqfn icon
Sec2

A server for AI agents to identify the most critical design issues in Java code using the Aibolit static analyzer.

Setup Requirements

  • ⚠️Requires Node.js (>=18.0)
  • ⚠️Requires npm (>=8.0)
  • ⚠️Requires Python
  • ⚠️Requires pip
  • ⚠️Requires Aibolit Python package (version >=1.3.0) installed globally
Review RequiredView Analysis
The `aibolit` function (src/aibolit.ts) directly passes the `path` argument, which originates from user input through the MCP server's `find_the_most_critical_design_issue` tool, into a shell command executed via `child_process.execSync`. This is done without proper sanitization or escaping of the path. This creates a severe command injection vulnerability, allowing an attacker to execute arbitrary shell commands if they can control the `path` input (e.g., by injecting shell metacharacters).
Updated: 2025-12-02GitHub
PreviousPage 87 of 647Next