Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(7632)

99
798
Medium Cost
zinja-coder icon

jadx-ai-mcp

by zinja-coder

Sec7

Facilitates AI-powered analysis of Android APKs within JADX for vulnerability assessment and reverse engineering via Model Context Protocol (MCP).

Setup Requirements

  • ⚠️Requires JADX GUI (version 1.5.1, r2333 or newer) as the host application.
  • ⚠️Requires an external Model Context Protocol (MCP) server (e.g., 'jadx-mcp-server' written in Python) to mediate communication with LLMs.
  • ⚠️The Python MCP server relies on 'uv' for dependency management and execution.
  • ⚠️Requires Java 11+ and Python 3.10+ for the full suite to operate.
Verified SafeView Analysis
The plugin exposes an HTTP server locally (127.0.0.1) to interact with JADX's internal state and GUI. It provides powerful APIs for retrieving sensitive application data (code, manifest, resources, debugger info) and performing actions like renaming classes, methods, fields, and packages within the JADX decompiled view. While the local binding mitigates network-based attacks, the direct modification capabilities (renaming) and the exposure of detailed application internals could be a risk if the connecting LLM client or the Model Context Protocol (MCP) server is compromised, or if the tool is used on unauthorized APKs. Reflection is used to access JADX's internal UI components for debugger integration, which is a fragile but not inherently exploitable practice in this context.
Updated: 2025-12-14GitHub
99
842
Medium Cost
neo4j-contrib icon

mcp-neo4j

by neo4j-contrib

Sec6

The Neo4j Cypher MCP server facilitates AI agent interaction with Neo4j graph databases by exposing Cypher query execution and schema retrieval as tools, supporting Text2Cypher workflows for data analysis and insights.

Setup Requirements

  • ⚠️Requires an external Neo4j database instance to function.
  • ⚠️Neo4j APOC plugin must be installed and enabled on the database for schema retrieval (`get_neo4j_schema` tool).
  • ⚠️The default Neo4j password is 'password'; it is critical to override this with strong credentials in production via environment variables or a secret manager.
  • ⚠️Local development typically requires `uv` for environment setup and running Python scripts.
Verified SafeView Analysis
The server includes robust network security features like CORS and DNS rebinding protection (TrustedHostMiddleware), which are configurable and default to secure settings. Cloud deployment examples correctly use AWS Secrets Manager for credentials. However, a significant vulnerability exists if the `NEO4J_PASSWORD` environment variable or CLI argument is not provided, as the server defaults to a weak 'password'. While a warning is logged, this default makes it easy to deploy with insecure credentials.
Updated: 2025-12-08GitHub
99
835
High Cost
svnscha icon

mcp-windbg

by svnscha

Sec8

This server allows AI models to analyze Windows crash dumps and connect to remote debugging sessions using WinDbg/CDB through natural language queries.

Setup Requirements

  • ⚠️Requires Windows operating system.
  • ⚠️Requires 'Debugging Tools for Windows' or 'WinDbg from Microsoft Store' to be installed.
  • ⚠️Requires Python 3.10 or higher.
Verified SafeView Analysis
The server wraps the powerful WinDbg/CDB debugger. While the Python code itself appears robust and does not contain obvious vulnerabilities like shell injection from arbitrary user input in `subprocess` calls or hardcoded secrets, the core functionality involves executing arbitrary debugger commands. This means a compromised or poorly constrained AI could perform powerful, potentially destructive, or information-gathering operations on the target system being debugged. Users should be aware of the inherent power exposed by the debugger and ensure proper access controls and AI safety measures are in place. The `cdb_path` and `symbols_path` arguments, if supplied maliciously, could also point to harmful executables or paths, but these are primarily configuration parameters for the user.
Updated: 2025-12-09GitHub
99
803
Medium Cost
golf-mcp icon

golf

by golf-mcp

Sec6

A Python framework for building Model Context Protocol (MCP) servers, streamlining the creation of AI agent backends with tools, prompts, resources, and integrations for authentication, monitoring, and LLM interactions.

Setup Requirements

  • ⚠️Requires Python 3.8+ (3.10+ recommended).
  • ⚠️Requires `fastmcp==2.12.5` to be installed.
  • ⚠️OAuth proxy authentication (for non-DCR providers) requires the `golf-mcp-enterprise` package, which is a separate installation.
  • ⚠️Anonymous usage telemetry is collected by default (opt-out model), though it prompts for consent on `golf init` and can be disabled permanently via `golf telemetry disable`.
Verified SafeView Analysis
The example `calculator` tool in `src/golf/examples/basic/tools/calculator.py` uses `eval()` to evaluate mathematical expressions. While an attempt is made to limit allowed characters, `eval()` can be a significant security vulnerability if the `expression` input is not strictly sanitized against all forms of malicious code injection. This is a common pattern in frameworks, but its presence in an example requires careful consideration before adoption in production scenarios. Otherwise, the framework offers robust, enterprise-grade authentication mechanisms (JWT, OAuth, API key) and telemetry is anonymous and opt-out, with IP/geolocation collection disabled by default.
Updated: 2025-12-12GitHub
99
965
High Cost
openops-cloud icon

openops

by openops-cloud

Sec3

A no-code FinOps automation platform with AI orchestration capabilities, integrating various cloud and business tools to manage cloud costs and financial operations through customizable workflows and multi-tool AI agents.

Setup Requirements

  • ⚠️Requires PostgreSQL and Redis databases.
  • ⚠️Requires API keys for integrated AI providers (e.g., OpenAI, Anthropic, Google) for AI functionality, which may incur external API costs.
  • ⚠️The default code execution sandbox (`no-op-code-sandbox` using `Function()`) is insecure for untrusted code; users must explicitly set `OPS_CODE_SANDBOX_TYPE=V8_ISOLATE` for secure deployments.
  • ⚠️Requires cloud provider credentials (e.g., AWS IAM roles, Azure service principals, Google Cloud service accounts) for cloud automation blocks.
Review RequiredView Analysis
The server can execute user-provided code (e.g., in 'Code Blocks' or via AI agents). By default, the `engine` component might use a `no-op-code-sandbox` that executes code using the `Function()` constructor in the main Node.js process, which is a critical security vulnerability for untrusted code. While a more secure `v8-isolated-vm` sandbox is available, it does not appear to be the default configuration. CLI integration blocks (AWS, Azure, Google Cloud) execute external commands, which, despite some input sanitization (e.g., `shell-quote`) and explicit blocking of dangerous commands in the AWS CLI block, still present a risk of command injection or privilege escalation if inputs are not rigorously validated. Python-based MCP tools also imply external process execution. API keys and sensitive data are handled as 'SecretText' properties and are redacted from logs, which is a good practice. Overall, the default configuration for custom code execution is a high risk.
Updated: 2025-12-12GitHub
99
873
Medium Cost
containers icon
Sec9

The Kubernetes MCP Server exposes Kubernetes and OpenShift cluster functionalities as structured tools to AI agents, enabling programmatic and natural language interaction for managing cloud-native resources.

Setup Requirements

  • ⚠️Requires access to a Kubernetes or OpenShift cluster and `kubectl` configured.
  • ⚠️Correct `kubeconfig` setup is essential, especially for multi-cluster interaction or dedicated service accounts.
  • ⚠️If OIDC is enabled and HTTPS is used without `insecure=true`, a CA certificate file might be required.
Verified SafeView Analysis
The project demonstrates strong security practices. It's a native Go implementation, not a `kubectl` wrapper, which reduces shell injection risks. The `AuthorizationMiddleware` for HTTP/SSE endpoints supports robust OAuth2/OIDC, JWT validation (including audience and expiration), and Kubernetes TokenReview, enforcing authentication for protected resources. An `AccessControlRoundTripper` allows fine-grained denial of specific Kubernetes resources (GroupVersionKind) at the server level, providing a critical layer of defense beyond standard Kubernetes RBAC. The setup guides strongly recommend using dedicated, least-privilege ServiceAccounts. Development-specific hardcoded credentials are clearly isolated to `dev/config` and marked as such. Command execution via `npx` or `uvx` passes arguments directly to the Go binary, which is a standard pattern but relies on the binary's argument parsing for safety. The server also warns if an `authorization-url` uses `http://` instead of `https://`.
Updated: 2025-12-12GitHub
99
786
Medium Cost
microsoft icon

wassette

by microsoft

Sec9

A secure runtime for executing WebAssembly Components as tools for AI agents via the Model Context Protocol (MCP), focusing on sandboxed execution and fine-grained permissions.

Setup Requirements

  • ⚠️Requires Rust toolchain (1.90+) and `wasm32-wasip2` target installed.
  • ⚠️Requires `just` build automation tool for streamlined development workflows.
  • ⚠️Developing custom components may require additional language-specific tooling like `jco` (JavaScript), `uv` (`componentize-py` for Python), or `tinygo` (`wit-bindgen-go` for Go).
  • ⚠️Embedding WIT documentation into WASM binaries for AI agent discovery requires `wit-docs-inject`, which may need to be installed manually.
Verified SafeView Analysis
Wassette is explicitly designed with security as a core principle, leveraging Wasmtime for strong sandbox isolation of WebAssembly Components. It implements a 'deny-by-default' permission model with granular control over filesystem, network, and environment variable access enforced at runtime. Policy management tools (CLI, built-in MCP tools) enable dynamic, fine-grained permission grants and revocations. The documentation clearly outlines threat models (Confused Deputy, Over-Permissions, Supply Chain, Tool Poisoning) and architectural mitigations. While the server itself is robustly secured, its overall security posture relies on administrators correctly configuring component policies (e.g., adhering to the principle of least privilege) and securing the host environment. The `eval-py` example component demonstrates executing code with `eval()`, but this is a component designed to run *within* the server's sandbox, not part of the server's core logic, and its documentation warns of the inherent unsafety for untrusted input. The server's function is to contain such operations securely.
Updated: 2025-12-08GitHub
99
935
High Cost
steipete icon

claude-code-mcp

by steipete

Sec6

Provides an MCP server to allow LLMs to directly invoke Claude Code CLI for complex coding, file system, and Git operations, bypassing interactive permission prompts.

Setup Requirements

  • ⚠️Requires Node.js v20 or later.
  • ⚠️Requires Claude CLI to be installed locally.
  • ⚠️Crucial one-time setup: Must manually run 'claude --dangerously-skip-permissions' and accept terms before server use.
  • ⚠️macOS may require folder permissions on first use, causing initial failure.
Review RequiredView Analysis
The server's core function involves executing the Claude CLI with '--dangerously-skip-permissions', explicitly granting broad system access to the underlying LLM. While this is a documented feature and intended behavior, it inherently poses a significant security risk if not deployed in a controlled environment or if untrusted prompts are allowed. The `spawnAsync` function uses `shell: false`, mitigating direct shell injection vulnerabilities from command arguments. Input validation for `CLAUDE_CLI_NAME` prevents relative path execution, which is a good safeguard. However, a malicious prompt targeting the Claude CLI itself or the broader system via Claude's capabilities remains a possibility. Users must be fully aware of the elevated permissions granted.
Updated: 2025-11-25GitHub
99
947
Low Cost
doobidoo icon
Sec7

An AI-powered semantic memory service designed for intelligent agents, offering storage, retrieval, and autonomous consolidation of knowledge. It provides a token-efficient API for direct code execution and a FastAPI-based web interface for management and analytics.

Setup Requirements

  • ⚠️Requires PyTorch (or ONNX Runtime) and Sentence-Transformers; initial setup may involve significant model downloads if not pre-cached, potentially leading to timeouts if not configured for offline mode or extended timeout.
  • ⚠️If using Cloudflare or Hybrid storage, requires Cloudflare API Token, Account ID, and Vectorize/D1/R2 resource IDs.
  • ⚠️Windows users may experience longer initial setup and potential timeouts, for which specific compatibility patches and timeout adjustments are implemented.
Verified SafeView Analysis
The server includes robust OAuth 2.0 authentication for HTTP APIs and uses secure practices like `tempfile` for uploads and SHA256 verification for model downloads. However, it defaults to listening on `0.0.0.0` which is a network risk if not secured by a firewall. The MCP `tools/call` endpoint relies on careful internal function mapping; any vulnerability in argument validation could be critical. Monkey patching to support LM Studio adds complexity and a potential point of failure for future library updates. Hardcoded secrets are not evident.
Updated: 2025-12-14GitHub
99
789
Medium Cost
inkeep icon

agents

by inkeep

Sec8

The Inkeep Agents Management MCP Server acts as a gateway for the Inkeep Agent Framework. It exposes the core management API functionalities (such as creating/listing agents, projects, credentials, tools, and managing their relationships) as Model Context Protocol (MCP) compatible tools. This allows external clients or other agents to interact with and manage the Inkeep Agent Framework programmatically via the MCP standard. It also includes capabilities for handling OAuth flows for third-party MCP servers.

Setup Requirements

  • ⚠️Requires PostgreSQL database setup.
  • ⚠️Requires API keys for major LLM providers (Anthropic, OpenAI, Google Generative AI), which are typically paid services.
  • ⚠️Integrates with Nango for OAuth, requiring Nango server configuration and secret keys.
  • ⚠️Optional integration with Signoz for observability, requiring Signoz URL and API key.
  • ⚠️Built with Node.js and uses `pnpm` as the package manager.
Verified SafeView Analysis
The system employs sandboxing (Vercel Sandbox or native Node.js child processes) for executing user-defined function tools, which is a good practice for mitigating risks associated with dynamic code execution. API key and JWT authentication are implemented for accessing API endpoints. Sensitive credentials like API keys and JWT secrets are managed via environment variables. Default PostgreSQL credentials in `docker-compose.yml` are a minor concern for production deployment without modification.
Updated: 2025-12-13GitHub
99
903
Low Cost
rohitg00 icon
Sec10

A curated list of Model Context Protocol (MCP) servers focused on DevOps tools and capabilities, enabling AI models to interact with various local and remote resources.

Verified SafeView Analysis
This repository is a curated list (an 'awesome list') of links to other MCP servers. It contains markdown files (`README.md`, `CONTRIBUTING.md`) and no executable source code. As such, it does not pose direct security risks like 'eval', obfuscation, or hardcoded secrets within its own codebase. The security of the actual MCP servers listed within this repository would need to be assessed independently.
Updated: 2025-12-10GitHub
99
939
Medium Cost
cgoinglove icon

better-chatbot

by cgoinglove

Sec8

An open-source AI chatbot template built with Next.js and Vercel AI SDK, supporting multiple LLMs, advanced tools, image generation, automation, and real-time voice assistance for individuals and teams.

Setup Requirements

  • ⚠️Requires at least one LLM provider API Key (e.g., OPENAI_API_KEY, GOOGLE_GENERATIVE_AI_API_KEY, ANTHROPIC_API_KEY) for core functionality.
  • ⚠️Requires a PostgreSQL database URL (`POSTGRES_URL`) for persistent storage of threads, users, agents, and workflows.
  • ⚠️Full web search capabilities require an EXA_API_KEY. Using Ollama models requires a local Ollama server running (`OLLAMA_BASE_URL`).
Verified SafeView Analysis
The server features client-side JavaScript and Python code execution via `safeJsRun` and `safePythonRun` (using Pyodide), which include sandboxing mechanisms (e.g., blacklisting keywords, using `vm.runInNewContext`). However, no sandbox is foolproof. The `httpFetchTool` allows arbitrary HTTP requests, which is a powerful feature and a potential data exfiltration vector if not carefully controlled by the LLM's reasoning. Integration with external MCP servers inherently introduces trust considerations regarding the remote services. API keys are expected to be environment variables, reducing hardcoded secret risks. Overall, the project demonstrates an awareness of security implications for code execution and external integrations, but the extensive capabilities necessitate careful deployment and monitoring.
Updated: 2025-12-08GitHub
PreviousPage 9 of 636Next