The MCP servers worth your stdio

A working engineer's survey of the mid-2026 MCP server ecosystem — the seven that ship in the reference repo, the third-party ones that earned their keep, and how to tell maintained from abandoned.

By Tishan David

The list got shorter, and that’s good

If you cloned modelcontextprotocol/servers a year ago you got a sprawling monorepo: Postgres, Slack, GitHub, Google Maps, Puppeteer, a dozen integrations all sitting in one src/ tree. Clone it today and you get seven directories: everything, fetch, filesystem, git, memory, sequentialthinking, and time. Everything else moved to modelcontextprotocol/servers-archived over the course of 2025 — twelve servers retired or handed to vendors who actually use them.

That pruning is the most useful thing that happened to the ecosystem. The reference repo stopped pretending to be a marketplace and went back to being what it should be: a small set of implementations the steering group is willing to stand behind, plus pointers to the maintained forks. The signal-to-noise on “what should I actually install” improved overnight. So here’s the working-engineer’s read on what’s worth wiring into Claude Desktop and Claude Code right now, and how to judge the rest.

The reference seven

Treat these as the baseline, not the destination.

filesystem is the one you’ll reach for first and the one most worth understanding before you trust it. It takes allowed directories as arguments and refuses paths outside them — the access control is the whole point. Scope it to a project root, never your home directory. Distributed as @modelcontextprotocol/server-filesystem on npm.

git (uvx mcp-server-git) reads, searches, and stages changes in a repo. Pair it with filesystem and you’ve got a competent local code agent without touching a single remote API. fetch (uvx mcp-server-fetch) pulls a URL, strips it to markdown, and hands the model something token-efficient. Both are small, boring, and exactly what you want from a reference server.

The other four are more situational. time does timezone conversion — genuinely useful, zero risk. sequentialthinking exposes a structured “think step by step” tool; whether it beats the model’s native reasoning is debatable and workload-dependent, so benchmark before you commit. memory is a knowledge-graph store that the docs themselves flag as a reference implementation — real persistence belongs in a host-managed store, not this. And everything is not a product at all: it’s the conformance server that exercises every primitive in the spec, meant for people building MCP clients. If you installed it expecting features, uninstall it.

The third-party tier that earned it

The archived servers didn’t die — the good ones got better homes, and that’s where the real action is.

GitHub’s official server, github/github-mcp-server, is the clearest upgrade. It’s written in Go, ships as a hosted remote endpoint with one-click OAuth, and lets you toggle toolsets and a read-only mode so the agent can browse PRs and CI logs without write access to your org. The remote option means no long-lived PAT sitting in a config file, which is the right default. The old TypeScript server-github in the archive should not be running on anyone’s machine in 2026.

For databases, the archived server-postgres is the cautionary tale of the whole ecosystem: it was still pulling roughly 312k downloads a month well after being archived, per one analysis of the registry numbers — people install the first result and never check the pulse. The maintained answer is crystaldba/postgres-mcp (“Postgres MCP Pro”), which adds index tuning and query-plan analysis and, more importantly, an --access-mode=restricted flag that forces read-only transactions with execution-time limits. That access mode is the feature. Default to restricted, open it up only when you mean to.

Browser automation consolidated around Microsoft’s microsoft/playwright-mcp (@playwright/mcp), which drives a browser through accessibility-tree snapshots instead of screenshots — no vision model, far fewer tokens, deterministic selectors. One caveat worth knowing: as of 2026 Microsoft is steering coding agents toward the Playwright CLI over the MCP server for routine work, citing roughly a 4x token reduction per session. The MCP server still wins when the agent needs to reason interactively about a live page; the CLI wins for scripted runs. Pick per task.

On the observability side, getsentry/sentry-mcp is a good model of how a vendor server should ship: a remote endpoint at mcp.sentry.dev with OAuth 2.0 and streamable HTTP, sixteen tools, nothing on disk. Sentry runs it at over 50 million requests a month and dogfoods it for their own monitoring. Slack, similarly, now lives under Zencoder’s maintenance and Brave Search under Brave’s own org — both linked from the reference README rather than bundled.

How to judge anything else

The MCP registry went to preview in September 2025 at registry.modelcontextprotocol.io, backed by Anthropic, GitHub, Microsoft and PulseMCP. It’s the closest thing to a source of truth for discovery. But a registry listing is not a safety certificate, and the ecosystem right now rhymes uncomfortably with npm circa 2018: enormous, useful, and shipping faster than its security model. OWASP published an MCP Top 10 in mid-2025, and tool poisoning — instructions hidden in a tool’s description metadata that the model reads at boot but you never see — is the attack that should keep you honest. The server runs with your tokens against your filesystem; the blast radius is real.

So before you add a server, run the checklist:

  • Read-only by default. If it can write, can you restrict it? Postgres MCP’s restricted mode and GitHub’s read-only toolset are the bar.
  • Explicit scoping. Filesystem takes directory arguments; good database servers take an allow-list. A server that wants unscoped access is a no.
  • Maintenance pulse. Recent commits, dated releases, a named owner. The reference repo cuts dated releases like 2026.1.x — check that any third-party server shows the same signs of life.
  • Pin and audit. Pin versions (-y plus a fixed version, not floating latest), and read the tool descriptions before first run. Rug-pulls happen at update time.
  • Prefer remote OAuth to disk tokens where the vendor offers it.
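One way to make the "pin and audit" item checkable is to fingerprint what a server returns from tools/list when you review it, then diff that against what it advertises on every later start. This is an added example, not code from the article or from any MCP project; the function names and both sample tool lists are constructed for illustration.

```python
import hashlib
import json


def fingerprint(tool):
    """Hash everything the model reads about a tool: name, description, schema."""
    seen_by_model = {k: tool.get(k) for k in ("name", "description", "inputSchema")}
    canonical = json.dumps(seen_by_model, sort_keys=True, ensure_ascii=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def snapshot(tools_list_result):
    """Map tool name -> fingerprint for one tools/list result."""
    return {t["name"]: fingerprint(t) for t in tools_list_result["tools"]}


def drift(approved, current):
    """Compare a reviewed snapshot with what the server advertises now."""
    return {
        "added": sorted(set(current) - set(approved)),
        "removed": sorted(set(approved) - set(current)),
        "changed": sorted(n for n in approved.keys() & current.keys()
                          if approved[n] != current[n]),
    }


# Constructed tools/list result, as reviewed at install time.
REVIEWED = {"tools": [
    {"name": "read_file", "description": "Read a file inside the allowed directories.",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}},
]}
# Constructed result from the same server after an update:
# one description reworded, one tool added.
UPDATED = {"tools": [
    {"name": "read_file",
     "description": "Read a file. (constructed: extra instruction text added in the update)",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}},
    {"name": "send_report", "description": "Upload diagnostics.",
     "inputSchema": {"type": "object", "properties": {}}},
]}

if __name__ == "__main__":
    print(json.dumps(drift(snapshot(REVIEWED), snapshot(UPDATED)), indent=2))
```

Any non-empty entry in the result means the tool metadata needs to be re-read before the server is trusted again.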

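Here’s a Claude Desktop / Claude Code config that reflects those defaults: local servers scoped tightly, GitHub over remote HTTP with the token referenced as ${GITHUB_PAT} rather than written into the file. The package names carry no version, so append a fixed one to each before use, as the checklist says: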

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/you/Projects/app"]
    },
    "git": {
      "command": "uvx",
      "args": ["mcp-server-git", "--repository", "/Users/you/Projects/app"]
    },
    "github": {
      "type": "http",
      "url": "https://api.githubcopilot.com/mcp/",
      "headers": { "Authorization": "Bearer ${GITHUB_PAT}" }
    }
  }
}
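The checklist can also be applied mechanically to a config file of this shape. The script below is an added example, not code from the article or from any MCP project; the finding labels, the home-directory pattern and the constructed SAMPLE config are assumptions, and the archived package names are the two the article mentions.

```python
import re

# Packages the article names as archived, matched on the package basename.
ARCHIVED = {"server-postgres", "server-github"}
# Root, bare ~, or a whole home directory (macOS and Linux layouts).
TOO_BROAD = re.compile(r"^(/|~|/Users/[^/]+|/home/[^/]+)/?$")


def split_pkg(spec):
    """Split a 'name==version' requirement or 'name@version' (npm scopes start with '@')."""
    if "==" in spec:
        name, _, version = spec.partition("==")
        return name, version
    at = spec.rfind("@")
    return (spec[:at], spec[at + 1:]) if at > 0 else (spec, "")


def audit(config):
    """Return sorted (server, finding) pairs for an mcpServers config dict."""
    findings = set()
    for name, srv in config.get("mcpServers", {}).items():
        # Drop flags such as -y; the first remaining arg is the package spec.
        args = [a for a in srv.get("args", []) if not a.startswith("-")]
        if srv.get("command") in ("npx", "uvx") and args:
            pkg, version = split_pkg(args[0])
            if version in ("", "latest"):
                findings.add((name, "unpinned"))
            if pkg.rsplit("/", 1)[-1] in ARCHIVED:
                findings.add((name, "archived"))
            if any(TOO_BROAD.match(a) for a in args[1:]):
                findings.add((name, "broad-path"))
        for header, value in srv.get("headers", {}).items():
            # A literal credential instead of a ${VAR} reference.
            if header.lower() == "authorization" and "${" not in value:
                findings.add((name, "inline-secret"))
    return sorted(findings)


# Constructed config that breaks each checklist item at least once.
SAMPLE = {"mcpServers": {
    "db": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-postgres"]},
    "fs": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem@latest",
                                      "/Users/you"]},
    "gh": {"type": "http", "url": "https://mcp.example.invalid/",
           "headers": {"Authorization": "Bearer constructed-token"}},
}}

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Run against the config above, the audit reports only the missing version pins on the filesystem and git entries.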

The same scoping discipline carries over whether you run these on a laptop or a shared box — I keep a running setup for a local-first toolchain that assumes every server is hostile until configured otherwise.

Why it matters

The ecosystem matured by getting smaller and more honest about ownership. The reference seven are a safe floor; the third-party tier is where the leverage is, provided you check the pulse and clamp the permissions. The failure mode isn’t picking a bad server — it’s installing yesterday’s archived default because it ranked first, then granting it write access it never needed. The protocol gave us a clean way to plug capabilities into a model; the work now is treating each one like the supply-chain dependency it actually is. I dug into the trust boundaries this opens up in my book on building with MCP, because the config file is the easy part — the threat model is the job.