Top MCP Servers Used by Developers (and What to Check)
- MCP servers are the tool layer AI agents reach through, and a handful of well-known servers - filesystem, git and GitHub, databases, Slack, Google Drive, browser automation, and web fetch - show up across most developer setups.
- The official reference servers maintained under the Model Context Protocol project (filesystem, git, fetch, memory, sequential thinking, time) are the ones you will see most often, alongside vendor-published servers for GitHub, Slack, Postgres, and browser control.
- Every server matters for one reason: whatever access it grants runs with the agent's authority, so a filesystem server is file access, a database server is data access, and a fetch server is an egress channel.
- For each server a security team should verify three things - the scopes it holds, the transport it uses (local stdio versus a remote HTTP endpoint), and how it authenticates (static key versus OAuth).
- There is no fixed ranking of MCP servers by usage, and this guide names only real, published servers rather than inventing adoption numbers.
- You cannot check servers you cannot see, so an MCP server registry and continuous discovery are the prerequisite for governing any of them.
The Model Context Protocol turned a scattered problem - how do you connect an AI agent to your files, your database, your issue tracker, your browser - into one common interface. An MCP server exposes tools to an agent; the agent (the MCP client) calls those tools to actually get work done. In a year, a handful of servers became near-universal in developer setups, and every one of them is a door into something: a filesystem, a repository, a database, a SaaS account, the open web. This guide is a curated reference to the MCP servers developers actually reach for, what access each one grants, and the three things a security team should verify before allowing any of them.
Two ground rules up front. First, there is no official ranking of MCP servers by usage, so this is not a leaderboard - it names only real, published servers and groups them by what they do. Second, the point of listing them is not the list; it is the pattern. Once you can see why a filesystem server is file access and a fetch server is an egress channel, you can evaluate any server you encounter, including ones not named here. For the security foundations behind all of this, start with our MCP security explainer and the complete MCP server security guide.
How to read an MCP server as a security surface
Before the servers themselves, fix the mental model. An MCP server is not a passive data source. It is code that runs with some access and exposes that access to an agent as callable tools. Whatever the server can do, the agent can now do, and whatever untrusted input steers the agent can now be turned into calls against that server. So the security question for any server reduces to three checks.
- Scopes. What data, files, or actions can this server actually reach, and is that broader than the task requires? A filesystem server pointed at the home directory is very different from one pointed at a single project folder.
- Transport. Does it run locally over stdio, or is it a remote HTTP server? A remote endpoint is a network trust boundary that needs authentication and transport security; a local server avoids that but still runs with local access.
- Authentication. Does it hold a static long-lived API key, or does it use OAuth with short-lived, scoped tokens? This decides how much a stolen credential is worth. See OAuth for MCP servers explained.
Keep those three in mind - scopes, transport, auth - as we walk the categories. They are the columns in the reference table at the end, and they are the questions your MCP server registry should answer for every entry.
The official reference servers
The Model Context Protocol project maintains a set of reference servers that demonstrate the protocol and are widely used as-is. These are the servers you will encounter most often in developer configurations because they ship as the canonical examples.
- Filesystem - reads and writes files within configured directories. The access it grants is exactly the paths you point it at, so the whole risk is scope: a narrow project directory is reasonable, the home folder or the root is not.
- Git - runs read and write operations against a local git repository. It can read history and, depending on configuration, modify the working tree, so treat it as source-code access on the developer's machine.
- Fetch - retrieves content from URLs and returns it to the agent. This is an outbound network channel and a path for untrusted external content to enter the agent's context, which is the entry point for indirect prompt injection.
- Memory - a persistent knowledge store the agent can read and write across a session. The risk here is data at rest and cross-session state that can be poisoned, so treat what it holds as sensitive.
- Sequential Thinking - a reasoning-scaffolding server with no external access; low direct risk, but still worth inventorying so you know what is loaded.
- Time - returns time and timezone information; benign, listed here only so the picture is complete.
The lesson of this group is that legitimate is not the same as harmless. Filesystem and fetch are official, well-maintained servers, and they are also two of the most access-heavy tools an agent can hold. Local stdio servers like these carry their own failure mode too: a flaw in how a local server parses input can become code execution on the endpoint, the class of issue we document in the MCP stdio-by-design RCE writeup.
Code and repository servers
Beyond the local git reference server, most teams connect an agent to their hosted source platform. GitHub publishes an official MCP server that exposes repositories, issues, pull requests, and Actions to an agent. Community and vendor servers exist for other platforms in the same shape. The access this class grants is significant - it can read private source, open or modify pull requests, and in some configurations trigger CI - so the scopes on the underlying token are the whole game. Grant read where read is enough, keep write narrow, and never wire an agent to a token that can administer the org. The permission-scoping discipline is the same one we cover in least privilege for AI agents.
Database servers
Servers that connect an agent to a database are among the most common and the most consequential. The reference and community ecosystem includes servers for PostgreSQL and SQLite, and vendors publish servers for their own data platforms. The access they grant is direct data access, and the difference between a read-only connection and a read-write one is enormous. A database server scoped to a read-only replica or a limited role is a query tool; the same server pointed at a production database with a broadly privileged account is a data-exfiltration and data-destruction risk waiting for a manipulated prompt. Always back a database server with a dedicated, least-privilege database role, not a shared admin credential.
Communication and SaaS servers
This category connects agents to the tools where work and data actually live. Slack, Google Drive, and vendor-published servers for platforms like Notion, Atlassian (Jira and Confluence), Sentry, Stripe, and Cloudflare all fall here. What they grant depends entirely on the OAuth scopes granted to the connection: a Slack server with read scope on public channels is very different from one that can post messages and read private conversations; a Google Drive server can range from listing metadata to reading and writing document content. Because these servers reach real SaaS accounts holding sensitive data, they are prime territory for the kind of exposure we describe in DLP for AI agents. Verify the exact scopes on each connection, and prefer OAuth over pasted long-lived tokens.
Browser and web servers
Browser-automation servers let an agent drive a real browser - navigate pages, click, fill forms, scrape content. Puppeteer and Microsoft's Playwright MCP servers are the well-known examples, alongside the reference Fetch server for simple retrieval and search servers such as Brave Search. The access this class grants is broad: a browser server can reach any site the machine can, act with whatever sessions the browser holds, and pull untrusted web content straight into the agent's context. That combination - external reach plus untrusted input - is exactly the risk surface we cover in securing computer use and browser agents. Treat any browser or fetch server as an egress channel and an injection entry point at the same time.
A quick-reference table
The table below pairs each category with the access it grants and the specific things to verify. Names in the first column are real, published servers used as examples of their category, not an exhaustive or ranked list.
| MCP server / category | Access it grants | What to verify |
|---|---|---|
| Filesystem (reference) | Read/write files in configured directories | Which directories are exposed; read-only vs read-write; never the home or root path |
| Git (reference) | Read and modify a local repository | Whether it can write the working tree; that it points only at intended repos |
| GitHub (official) and code-host servers | Repos, issues, pull requests, sometimes CI | Token scopes (read vs write vs admin); org-level reach; OAuth over static token |
| Postgres / SQLite and DB servers | Direct database query and, if allowed, writes | Read-only vs read-write role; least-privilege DB account; never a shared admin login |
| Slack, Google Drive, Notion, Atlassian, Sentry, Stripe (SaaS) | Read/write to the connected SaaS account | Exact OAuth scopes; private vs public data; send/post capability; token lifetime |
| Puppeteer / Playwright (browser) | Full browser control and any reachable site | Network egress reach; which browser sessions it inherits; untrusted-content handling |
| Fetch (reference) and Brave Search (web) | Outbound HTTP retrieval and search | Allowed destinations; that returned content is treated as untrusted input |
| Memory (reference) | Persistent, agent-writable knowledge store | Sensitivity of stored data; cross-session poisoning risk; where it persists |
The transport and auth choices that matter most
Two configuration decisions dominate the risk of any server above, regardless of category. The first is transport. A local stdio server runs on the developer's machine and cannot be reached over the network by an outside attacker, which removes one trust boundary - but it still runs with local access to files and credentials, and a parsing flaw in a local server can become local code execution. A remote HTTP server, by contrast, is a network endpoint that must be authenticated, must use HTTPS, and must be treated as a service you are trusting with whatever it can reach.
The second is authentication. Prefer OAuth with short-lived, narrowly scoped, audience-restricted tokens over static long-lived API keys. The MCP authorization specification requires OAuth 2.1 for remote server access, which mandates PKCE and HTTPS and drops insecure legacy flows. The practical difference is exploitation window: a stolen static key is useful indefinitely, while a minute-lifetime scoped token is worth very little to an attacker. Whatever credentials a server does hold should be managed, rotated, and redacted from logs - the discipline in secrets management for AI agents. The full auth walkthrough is in OAuth for MCP servers explained.
How Anomity helps govern MCP servers
Every check in this guide assumes you can see the servers in the first place, and most organizations cannot. Anomity closes that gap. Its category is agentic endpoint security, built on one principle: you can't govern what you can't see.
A lightweight, unprivileged Endpoint Sensor runs on every managed endpoint (Windows, macOS, and Linux) and discovers eight AI artifact types: AI agents, MCP servers, extensions, plugins, skills, secrets, hooks, and CLIs. For each MCP server it records the source, the transport, the authentication method, and what the server can reach - the exact registry this guide argues you need, populated automatically instead of by hand. The sensor sends metadata only over HTTPS to the Anomity Cloud; never source code, never prompts, and secrets are redacted on the endpoint.
At runtime, on agents that expose a hook, Anomity evaluates each tool call an MCP server would execute and returns allow, deny, or log before it runs, so an over-scoped or manipulated call - an unexpected write to a database, an egress to an unknown host - can be denied rather than executed. Continuous policy means a server that changes transport or gains a new scope surfaces as a change event, violations route to your SIEM, Slack, email, and Jira, and every server added, removed, or modified lands in a queryable 90-day audit trail. Anomity is SOC 2 Type II and complements your EDR/XDR, DLP, network and gateway controls, and GRC program rather than replacing them. To turn this into a living inventory, pair it with how to build an MCP server registry.
You can't govern what you can't see.The Anomity principle
The bottom line
The MCP servers developers reach for most are not exotic - filesystem, git and GitHub, databases, Slack and Drive, browser automation, and web fetch cover the majority of setups. What matters is that each one is a specific kind of access running with the agent's authority, and the same three questions govern all of them: what scopes does it hold, what transport does it use, and how does it authenticate. Answer those for every server, scope each to the task, prefer OAuth over static keys, and treat any fetch or browser server as both an egress channel and an injection entry point. And do it from a place you can actually see, because a server you have never inventoried is one you cannot check. To see your own MCP server posture across the fleet, book a 30-minute demo.
Frequently asked questions
What is an MCP server?
An MCP server is a program that exposes tools, data, or prompts to an AI agent through the Model Context Protocol. The agent (the MCP client) connects to the server and can then call its tools - read a file, query a database, post a message, fetch a URL. The server runs with whatever access it was configured to hold, and the agent invokes it with that access. For the security foundations, see our MCP security explainer and the complete MCP server security guide.
Which MCP servers do developers use most?
There is no authoritative usage ranking, so treat any list as qualitative. In practice the servers you see most often are the official reference servers (filesystem, git, fetch, memory, sequential thinking, time), plus vendor-published servers for GitHub, Slack, Postgres and SQLite databases, Google Drive, and browser automation via Puppeteer or Playwright. This guide names only real, published servers and describes what each grants rather than inventing adoption figures.
Are the official reference MCP servers safe by default?
Safe is the wrong frame. The reference servers are legitimate and well-maintained, but a filesystem server still grants file access and a fetch server still grants outbound network access. The risk comes from the scope you point them at and the context they run in, not from the server being malicious. Verify the directories, credentials, and endpoints each server is configured with, and scope them to the task.
What should I check before allowing an MCP server?
Three things. First, scopes: exactly what data, files, or actions the server can reach, and whether that is broader than the task needs. Second, transport: whether it runs locally over stdio or as a remote HTTP server, since a remote endpoint is a network trust boundary. Third, authentication: whether it uses a static long-lived API key or OAuth with short-lived scoped tokens. See OAuth for MCP servers explained.
Is a local stdio MCP server safer than a remote one?
It removes the network trust boundary but not the access risk. A local stdio server cannot be reached by an outside attacker over the network, yet it still runs on the developer's machine with access to files, credentials, and tools. Local servers have their own failure mode - a design flaw in how a local server handles input can turn into code execution, which is exactly the class of issue we cover in the MCP stdio-by-design RCE writeup.
How should MCP servers authenticate?
Prefer OAuth with short-lived, narrowly scoped, audience-restricted tokens over static long-lived API keys. The MCP authorization specification requires OAuth 2.1 for remote server access, which mandates PKCE and HTTPS. A stolen static key is an open-ended liability; a minute-lifetime token that is scoped to one resource is far less useful to an attacker. The mechanics are in OAuth for MCP servers explained and least privilege for AI agents.
How does Anomity help govern MCP servers?
MCP servers are one of the eight AI artifact types Anomity's lightweight Endpoint Sensor discovers and inventories, alongside AI agents, extensions, plugins, skills, secrets, hooks, and CLIs. For each MCP server it records where it came from, how it connects, and what it can reach, which is the registry this guide argues you need. On agents that expose a hook, Anomity evaluates each tool call before it runs and returns allow, deny, or log, and every server added, removed, or changed lands in a queryable 90-day audit trail. It sends metadata only over HTTPS, never source or prompts, with secrets redacted on the endpoint.
Where should I start if I have never inventoried MCP servers?
Start with discovery. Build a registry of every MCP server configured across your endpoints - name, source, transport, auth method, and scopes - before you try to set policy. You cannot verify or restrict a server you have never seen. The practical walkthrough is in how to build an MCP server registry.




