Stop Searching. Start Trusting.

The curated directory of MCP servers, vetted for security, efficiency, and quality.

Browse DirectoryWhy Us?

Tired of the MCP "Marketplace" Chaos?

We built MCPScout.ai to solve the ecosystems biggest pain points.

No Insecure Dumps

We manually analyze every server for basic security flaws.

Easy Setup

Our gotcha notes warn you about complex setups.

Avoid "Token Hogs"

We estimate token costs for cost-effective agents.

Products, Not Demos

We filter out "Hello World" demos.

CATEGORIES:
SORT:

Vetted Servers(9120)

40
10
Low Cost
shinzo-labs icon

shinzo-py

by shinzo-labs

Sec9

Provides OpenTelemetry-compatible observability for Python MCP servers, offering insights into agent usage patterns, contextualized tool calls, and server performance analysis.

Setup Requirements

  • ⚠️Requires Python 3.10 or higher.
  • ⚠️This is an SDK, not a standalone server; it requires an existing MCP server (FastMCP or Traditional MCP) instance to instrument.
  • ⚠️For telemetry export to a backend, authentication (e.g., a bearer token or API key) must be configured in `exporter_auth` with a valid token/key.
Verified SafeView Analysis
The SDK is well-structured and includes PII sanitization as a security feature. It uses `httpx` for network communication to a configurable OTLP endpoint. Authentication (bearer, API key, basic) is handled using user-provided credentials within the configuration. No direct usage of `eval`, obfuscation, or hardcoded secrets were found. The primary security consideration is ensuring the user configures a trusted telemetry endpoint and securely manages their authentication tokens/keys, as is standard practice for observability tools.
Updated: 2025-12-10GitHub
40
2
Medium Cost
tm42 icon

mnemograph

by tm42

Sec8

Provides a persistent, event-sourced knowledge graph for AI coding agents to store, retrieve, and version durable collaborative knowledge across sessions, enabling semantic search and tiered context retrieval.

Setup Requirements

  • ⚠️Requires `uv` or `uvx` (a Python package installer/runner) for convenient installation and execution.
  • ⚠️Relies on the local `git` command-line tool for version control features such as committing, rewinding, and branching.
  • ⚠️A dedicated memory directory (e.g., `~/.claude/memory` or project-local `.claude/memory`) must exist and be configured via `MEMORY_PATH`.
  • ⚠️The embedding model (`sentence-transformers`) loads lazily on the first semantic search or indexing operation, which can introduce a 2-3 second cold-start delay.
Verified SafeView Analysis
The server uses standard Python libraries, including SQLite for data storage and `sentence-transformers` for embeddings. `subprocess.run` is utilized for git operations; while these commands are typically well-controlled, any execution of external processes carries an inherent, albeit low, risk. The server communicates via standard I/O (stdio), which limits direct network exposure. It includes checks (`_validate_memory_repo`) to prevent unintended git operations if the memory directory is nested within another git repository, enhancing its operational safety.
Updated: 2026-01-16GitHub
40
19
Medium Cost
peakflames icon

PolarionMcpServers

by peakflames

Sec3

Integrate Polarion Application Lifecycle Management (ALM) data with Model Context Protocol (MCP) clients and AI assistants.

Setup Requirements

  • ⚠️Requires .NET 9.0 SDK or later for building/local execution.
  • ⚠️Docker is required for the recommended server-based deployment.
  • ⚠️Crucial to secure Polarion credentials (username, password) using methods like .NET User Secrets or Azure Key Vault, *not* plaintext in `appsettings.json`.
  • ⚠️Configuration in `appsettings.json` is complex and needs careful tailoring for each Polarion project and its specific work item types/custom fields.
  • ⚠️Running with replica instances is explicitly unsupported due to session connection issues.
Verified SafeView Analysis
The provided `appsettings.json` examples and documentation clearly show and warn against hardcoding Polarion usernames and passwords in plaintext. While the project documentation explicitly states 'It is strongly recommended to use more secure methods for storing credentials (like User Secrets, Azure Key Vault, etc.)' and enforces a 'CRITICAL: appsettings.json Security Rule' against committing this file with sensitive data, the default configuration example itself presents this high-risk practice. Failure to secure these credentials will lead to severe security vulnerabilities. The instruction 'Do NOT run with replica instances of the server as the session connection will not be shared between replicas' also indicates potential session management issues in scaled deployments.
Updated: 2026-01-16GitHub
40
9
High Cost
NewToolAI icon

imgenx

by NewToolAI

Sec8

AI image and video generation and processing, functioning as a command-line tool or MCP server.

Setup Requirements

  • ⚠️Requires API keys for Doubao (Volcengine) and/or Aliyun (Tongyi Qianwen) services (paid).
  • ⚠️Python 3.10+ is required.
  • ⚠️Specific environment variables (e.g., IMGENX_TEXT_TO_IMAGE, IMGENX_DOUBAO_API_KEY) must be configured for chosen providers and tasks.
Verified SafeView Analysis
API keys are handled via environment variables or HTTP headers, which is good practice. Network requests for external AI services and image/video downloads are performed, which inherently involves data transmission over the network. Input validation is present for some image operations but could be more robust. No 'eval' or obvious malicious patterns found.
Updated: 2025-11-24GitHub
40
21
Low Cost
OctoMind-dev icon

octomind-mcp

by OctoMind-dev

Sec8

This MCP server enables AI agents to create, execute, and manage end-to-end tests on the Octomind platform.

Setup Requirements

  • ⚠️Requires `APIKEY` environment variable for Octomind API access.
  • ⚠️Requires Node.js version >=22.0.0.
  • ⚠️Using `pnpm` as the package manager is implied by `packageManager` field in `package.json`.
  • ⚠️For production or horizontal scaling, Redis is recommended for session storage and requires `REDIS_URL` to be configured.
Verified SafeView Analysis
The server correctly uses environment variables for sensitive API keys (`APIKEY`) and Redis URLs (`REDIS_URL`), which is good practice. However, a `PUBLIC_MINTLIFY_API_KEY` is hardcoded in `src/search.ts` for documentation access. While labeled 'public' and likely low-risk, hardcoding any keys is generally discouraged. Session data, including `apiKey`, is stored in the configured session store (in-memory or Redis); securing the Redis instance is critical for production deployments. External API calls are made using `axios` to the Octomind platform and Mintlify search, which are standard operations but rely on the security of those external services.
Updated: 2026-01-19GitHub
40
18
Low Cost
ravitemer icon

mcp-registry

by ravitemer

Sec9

The Model Context Protocol (MCP) Registry centralizes and structures installation configurations for various MCP servers, enabling easy discovery and integration into MCP clients and hubs.

Setup Requirements

  • ⚠️Requires Node.js for registry build/validation scripts.
  • ⚠️Requires `npm install` to setup project dependencies.
Verified SafeView Analysis
The registry's internal scripts (build, validate, enrich) use `yaml.load` and `JSON.parse` for configuration parsing. These operations are generally safe within the context of data processing and are not executing arbitrary code from external sources. GitHub API calls for enrichment are handled with rate limiting and token-based authentication (if available). The primary security consideration for a *user* lies in the `command` and `args` defined within the `installations.config` of *registered servers*. These are blueprints for execution by external MCP clients, not executed by the registry itself. The registry enforces strict schema validation (Zod) on all server definitions, preventing malformed entries.
Updated: 2026-01-19GitHub
40
15
Low Cost
Axiomatic-AI icon

ax-mcp

by Axiomatic-AI

Sec7

Converts PDF documents to markdown format using advanced OCR technology for AI assistants.

Setup Requirements

  • ⚠️Requires an `AXIOMATIC_API_KEY`, which is obtained by filling out a Google Form.
  • ⚠️Requires 'uv' for installation, and it is recommended not to install it in a Conda environment.
  • ⚠️Requires Python 3.11+.
Verified SafeView Analysis
The server relies on external API calls to Axiomatic AI for document processing, meaning file content leaves the local environment. While the AxDocumentParser itself doesn't directly execute arbitrary code, other tools within the same repository (e.g., AxPhotonicsPreview in `axiomatic_mcp/servers/pic/services/circuit_service.py`) are designed to execute user-provided Python code. Users should be aware of data handling practices and the broader code execution capabilities of the repository if installing all servers.
Updated: 2026-01-13GitHub
40
21
Medium Cost
SylphxAI icon

rag-server-mcp

by SylphxAI

Sec4

Provides Retrieval Augmented Generation (RAG) capabilities to Model Context Protocol (MCP) clients by indexing project documents and retrieving relevant content for LLMs.

Setup Requirements

  • ⚠️Project is explicitly DEPRECATED and unmaintained; migration to CodeRAG is strongly recommended.
  • ⚠️Requires a running ChromaDB instance (default: localhost:8000).
  • ⚠️Requires a running Ollama instance (default: localhost:11434), and the 'nomic-embed-text' model must be pulled manually.
  • ⚠️Known E2E test failures indicate potential instability or bugs in Genkit's ChromaDB and Ollama plugin integrations.
Review RequiredView Analysis
CRITICAL: This project is explicitly marked as DEPRECATED in its README, with a recommendation to migrate to CodeRAG. Deprecated software is unmaintained and inherently poses significant security risks due to unpatched vulnerabilities. Additionally, the server interacts directly with the file system (indexing/deleting files relative to its current working directory) based on input from MCP clients. While intended for project RAG, a malicious MCP client could potentially manipulate or delete arbitrary files within the server's CWD. E2E tests indicate integration issues with ChromaDB and Ollama plugins, which might lead to unexpected behavior.
Updated: 2025-12-10GitHub
40
19
Low Cost
tektoncd icon

mcp-server

by tektoncd

Sec6

Provides a server implementing the Model Context Protocol (MCP) to manage Tekton CI/CD pipelines and tasks within a Kubernetes cluster, including discovery and installation of community artifacts from Artifact Hub.

Setup Requirements

  • ⚠️Requires a running Kubernetes cluster for deployment and operation.
  • ⚠️Requires extensive Kubernetes RBAC permissions (ClusterRole for Tekton CRUD, read access to core K8s resources like Pods, Secrets).
  • ⚠️The `install_artifacthub_` operations rely on external network access to `artifacthub.io`.
Verified SafeView Analysis
The server's container itself is deployed with good security practices (runAsNonRoot, readOnlyRootFilesystem, dropped capabilities). However, the ClusterRole granted to the server's ServiceAccount provides extensive permissions: full CRUD operations on all `tekton.dev` resources (Pipelines, Tasks, Runs, StepActions) and read-only access to core Kubernetes resources (Pods, Namespaces, ConfigMaps, Secrets). This allows the server, and any authorized client using it, to execute arbitrary code on the Kubernetes cluster via Tekton PipelineRuns/TaskRuns. A significant trust dependency exists on `artifacthub.io` when using the installation tools, as they fetch and apply YAML definitions from external URLs; a compromise of Artifact Hub or a hosted repository could lead to the deployment of malicious Tekton resources on the cluster.
Updated: 2026-01-16GitHub
40
17
Medium Cost
bivex icon

kanboard-mcp

by bivex

Sec9

This server integrates AI assistants with Kanboard, allowing natural language management of projects, tasks, users, and workflows.

Setup Requirements

  • ⚠️Requires Go 1.21+ installed locally.
  • ⚠️Requires a running Kanboard instance with API access.
  • ⚠️Critical environment variables (KANBOARD_API_ENDPOINT, KANBOARD_API_KEY/USERNAME/PASSWORD) must be correctly configured.
  • ⚠️RBAC configuration can be complex; misconfiguration can lead to 'access denied' errors, potentially requiring enabling KANBOARD_DEBUG or KANBOARD_SKIP_RBAC for troubleshooting (with caution).
Verified SafeView Analysis
The server uses environment variables for sensitive credentials (API key, username/password), which is a good practice. It implements role-based access control (RBAC) to enforce permissions at both application and project levels, with a clear hierarchy and access maps defined internally. Debugging flags (`KANBOARD_DEBUG`, `KANBOARD_SKIP_RBAC`) are provided for troubleshooting, with a warning for `KANBOARD_SKIP_RBAC` which, if enabled in production, would bypass all permission checks. API calls include retry mechanisms and handle various authentication methods (global token, user token, bearer, username/password). There are no signs of code obfuscation or direct 'eval'-like constructs. The primary security considerations are the secure configuration of the Kanboard instance itself and the environment variables where credentials are stored.
Updated: 2025-12-12GitHub
40
16
Medium Cost
RedHatInsights icon

insights-mcp

by RedHatInsights

Sec9

Interacting with Red Hat Lightspeed services like Advisor, Image Builder, Inventory, Planning, Remediations, and Vulnerability to manage RHEL systems and services via a Model Context Protocol (MCP) server.

Setup Requirements

  • ⚠️Requires Podman (or Docker) to run the containerized server.
  • ⚠️Requires a Red Hat Service Account with specific RBAC permissions configured for each toolset.
  • ⚠️Requires network access to Red Hat's console.redhat.com and sso.redhat.com.
  • ⚠️Python 3.10+ required for direct execution.
Verified SafeView Analysis
The server uses environment variables or headers for API credentials, avoiding hardcoding. OAuth implementation includes PKCE and scope validation. Detailed error messages guide users on authentication/RBAC issues. The README explicitly warns users about local deployment security and credential handling.
Updated: 2026-01-19GitHub
40
15
Medium Cost
PinMeTo icon
Sec9

Connects PinMeTo location data to AI assistants to provide insights from Google, Facebook, and Apple in natural language.

Setup Requirements

  • ⚠️Requires an MCP-compatible client (e.g., Claude Desktop, VS Code, Cursor).
  • ⚠️Requires an active PinMeTo account with API access to obtain `PINMETO_ACCOUNT_ID`, `PINMETO_APP_ID`, and `PINMETO_APP_SECRET`.
  • ⚠️AI-powered review analysis (`pinmeto_get_google_review_insights`) requires client-side MCP Sampling support and can incur significant token costs, with large datasets requiring explicit confirmation or sampling strategies.
Verified SafeView Analysis
The server uses standard `axios` for external API requests and `zod` for robust schema validation, which are good security practices. Sensitive credentials (`PINMETO_APP_SECRET`) are handled via environment variables and marked as sensitive in the MCP manifest. PII redaction is implemented for review text before AI processing. There are no `eval` or obvious code execution vulnerabilities. Build scripts may use `execFileSync`, but this is outside the runtime server logic.
Updated: 2026-01-19GitHub
PreviousPage 92 of 760Next