How many MCP servers should I install?

Three, in most setups. A single MCP server like mcp-omnisearch already burns 14,214 tokens on schema before user input (eclipsesource.com). Stacking 5–8 servers regularly pushes past 66,000 tokens — a third of Claude Sonnet 4.5's 200k window — leaving little room for code or conversation. Pick three that earn their place, deny the rest.

Are official Anthropic MCP servers safe to use?

Mixed. Anthropic archived 13 of their original 20 reference servers in 2025 (Postgres, GitHub, Slack, Puppeteer, Google Drive, SQLite, Brave Search, and 6 more). Only 7 reference servers remain: Everything, Fetch, Filesystem, Git, Memory, Sequential Thinking, Time. The archived Postgres server is still being installed despite a known SQL-injection bypass (the `COMMIT; DROP TABLE` pattern that the parameterized-query defense was supposed to prevent). Source: github.com/modelcontextprotocol/servers.

What MCP server should I use for Postgres now that Anthropic archived theirs?

We point readers to crystaldba/postgres-mcp as the maintained replacement, but with an explicit caveat: the read-only mode is what you want for any agent that can take instructions from an external source. The lethal-trifecta pattern (Simon Willison's term) means an attacker who can put text into your DB can talk to your agent, and an agent with write access can rewrite your tables. Read-only is not paranoia — it's table stakes.

What's the difference between a local and a remote MCP server?

Local servers run on your machine over stdio transport — process-spawned, no network. Remote servers run on someone else's infrastructure over Streamable HTTP (the new spec) or SSE (deprecated). Remote servers are easier to install (OAuth click-through) but you're trusting the operator with every query. The MCP spec's 2025-03-26 transports doc covers the wire format details.

Which MCP servers have first-party vendor support in 2026?

Vendor-maintained: GitHub (github/github-mcp-server), Microsoft Playwright (microsoft/playwright-mcp), Stripe (mcp.stripe.com), Linear (mcp.linear.app/mcp), Notion (makenotion/notion-mcp-server), Atlassian (Rovo), Sentry, Vercel, Supabase, Cloudflare, and 60+ servers under awslabs/mcp. First-party doesn't equal safe — but it usually means OAuth instead of bearer-tokens-in-config, and a security disclosure address.

Why did Snyk find security issues in 66% of MCP servers?

MCP grew faster than its security story. The reference SDKs default to trusting tool descriptions, so a server can advertise a tool called `read_file` that quietly exfiltrates anything it touches ("tool poisoning," per Practical DevSecOps). Snyk's January–February 2026 scans found 30+ CVEs across community servers, and Trend Micro found 492 servers exposed without auth or TLS. The protocol is fine; the implementations vary.

The 18 MCP Servers We'd Trust in 2026

# The 18 MCP Servers We'd Trust in 2026 There are 23,451 MCP servers on Glama. Snyk found security issues in 66% of the ones they scanned. Anthropic archived 13 of their own reference servers. The list of MCP servers a working developer should actually install in 2026 is closer to 18 than 23,451. We built this list the way we'd build it for ourselves: vendor-maintained where possible, security-disclosed where reachable, and ruthless on the ones that ship known bugs. Tool-overload is real — every server here is one we'd keep through a context audit.

How we picked 18 (and not 100)

Three filters, applied in order. First, vendor-maintained or community-trusted. A server with a real maintainer, a security.md, and signed releases beats a 4.4-star GitHub one-shot every time. We give weight to first-party vendor servers (Stripe, Linear, GitHub, Microsoft) because they have a security email and a name on the page. Second, the lethal-trifecta test. Simon Willison's framing: any agent that has (a) access to private data, (b) the ability to communicate externally, and (c) the ability to ingest untrusted content is a data exfiltration vector. If a server adds all three legs of the trifecta to your agent at once, we either skip it or restrict it. The classic example is the now-archived Anthropic Postgres server: full read-write SQL plus external connectivity plus the fact that database content is, by definition, untrusted-ish. Third, the token tax. A single MCP server like mcp-omnisearch consumes 14,214 tokens for its tool schemas before you type anything (per eclipsesource). Servers that ship 40 tools when you'd use 4 don't make this list — they belong behind a tool router like Composio or behind lazy schema loading (still a feature request as of writing).

The list

Code, repos, deploy (4)

github/github-mcp-server — official, OAuth, granular scopes. The only GitHub MCP server we'd trust with a real repo.

microsoft/playwright-mcp — official browser automation from the Playwright team. Beats Puppeteer-based community alternatives on stability.

vercel-mcp (deploy) and next-devtools-mcp (dev-time) — both first-party. The "two Vercel MCP servers" confusion is real; pick the one that matches your phase.

Sentry MCP — official, OAuth, remote. The exception that proves the remote-MCP rule: you already send Sentry your stack traces, MCP doesn't change the trust boundary.

Data (3)

crystaldba/postgres-mcp — the replacement for the archived Anthropic Postgres server. Read-only mode unless you have a written reason. The SQL-injection bypass that haunted the original (COMMIT; DROP TABLE smuggled through a parameterized query layer) is the kind of thing we expect maintained forks to actually fix, not paper over.

supabase-community/supabase-mcp — official, dev/testing only per the maintainers' own docs.

Pinecone Assistant MCP (remote) — official. Pinecone ships three (Assistant remote, Assistant local, Developer local); the remote one is the one most teams want.

Communication (3)

docs.slack.dev (official Slack MCP) — requires Bot Token Scopes you have to actually understand. The "stealth mode" third-party korotovsky/slack-mcp-server is interesting but trades audit-trail for convenience; we'd avoid it on a work Slack.

atlassian/atlassian-mcp-server (Rovo) — Cloud only. Data Center installs need sooperset/mcp-atlassian.

linear.app official MCP — mcp.linear.app/mcp, OAuth, solid.

Browser & search (2)

microsoft/playwright-mcp (listed above; doubles for both code and browser categories)

brave/brave-search-mcp-server — first-party. The Brave Search vs Exa vs Tavily vs SerpApi pick depends on whether you want commercial-grade results (Brave/SerpApi) or LLM-tuned results (Exa). For most agentic work, Brave is the safe default.

Productivity (3)

makenotion/notion-mcp-server — official, OAuth, 18 tools.

cyanheads/obsidian-mcp-server — the most-active of three competing Obsidian implementations. Note the Obsidian forum's reality check: large vaults (4,000+ notes) hit token limits fast, and most heavy users build a separate "mirror vault" for AI-touching content.

taylorwilsdon/google_workspace_mcp — three competing Google Workspace implementations exist. This one is the most clear-eyed about scope and OAuth.

Reference / utility (3)

modelcontextprotocol/server-filesystem — Anthropic reference. Make sure you're on a version past CVE-2025-53109 / 53110 (EscapeRoute path traversal).

modelcontextprotocol/server-fetch — Anthropic reference. The "give the agent the web" baseline.

modelcontextprotocol/server-sequential-thinking — Anthropic reference. Cheap to keep installed; helps on long-horizon work.

That's 18. The trick is not the list — it's the discipline to keep three of them active at a time. The /topic/mcp-tool-overload page covers the math on why three.

What we removed from earlier drafts

Three servers we considered and decided against. Naming them is more useful than another paragraph of generalities. @modelcontextprotocol/server-postgres (archived). The original Anthropic Postgres server. SQL-injection bypass via the COMMIT; DROP TABLE multi-statement pattern was the headline issue, and Anthropic archived the package in 2025. We see it in install configs anyway because old tutorials still link it. If you have it installed, swap to crystaldba/postgres-mcp today, read-only by default. @modelcontextprotocol/server-puppeteer (archived). Replaced by Microsoft's official Playwright MCP. The Playwright version is more reliable across modern web apps and is actively maintained by the Playwright team itself. Community Slack servers offering "stealth mode." A few third-party Slack MCP servers advertise the ability to act on Slack without the bot showing up in audit logs. We won't link them. The audit trail is a feature, not a bug, and any team using these on a work Slack is one compliance review away from a hard conversation. We didn't include every excellent server we considered. Sentry, Cloudflare, DigitalOcean, AWS's 60+ official servers, and several specialized Pinecone variants are all worth installing in their respective domains — they just weren't in the "Tuesday-afternoon, three-slot, general-purpose" rotation this list optimizes for.

Where this fails

We're not going to sell this list as definitive. Three honest caveats. 1. Vendor servers are not automatically secure. Ox Security's research team published 10+ high- and critical-severity CVEs for individual MCP servers between October 2025 and April 2026. Their disagreement with Anthropic about whether the protocol was at fault played out in The Register: Ox repeatedly asked for a patch to the root issue, Anthropic repeatedly said the protocol works as designed. We don't take sides here — but "first-party" doesn't mean "audited." 2. The list will be wrong in 6 months. MCP server churn is high. The reason Anthropic archived 13 reference servers in 2025 is the same reason this list will be outdated in 2026: the protocol is moving faster than the security tooling around it. We'll re-publish a refreshed version every quarter on /topic/mcp-security. 3. We didn't run every server in production. This list is built on vendor disclosures, GitHub issues, CVE databases, and our own light testing on Claude Code 2.x. If you find a server here that's broken under load, report it — we'll move it down.

Sources

Anthropic. modelcontextprotocol/servers — 85.5k stars; 13 reference servers archived in 2025.

Snyk. State of MCP server security, January–February 2026 scans — 66% of scanned servers had findings; 30+ CVEs.

Trend Micro. MCP security: network-exposed servers as backdoors — 492 MCP servers exposed without auth or TLS.

Eclipsesource. MCP context overload — single-server token cost figures.

The Register. Ox Security vs Anthropic on MCP design flaw, April 2026.

Anthropic / claude-code. Issue #20421: lazy MCP loading feature request.

crystaldba. postgres-mcp — replacement for the archived Anthropic Postgres server.

Glama. 23,451 MCP servers (count as of 2026-05-12).

Simon Willison. Lethal trifecta posts.

k2view. Awesome MCP servers summary — 97M monthly SDK downloads, March 2026.