How do I verify that an MCP server is working after installation?

Run `claude mcp list` to check the connection status of all MCPs (connected/error). Inside a Claude Code session, type `/mcp` to see real-time status. If you see an error, it's usually a missing API key or Node.js version below 18. Common issue: there's a known bug with project-level scope. Use `claude mcp add --scope user` to install persistently.

Token costs are too high. How can I reduce MCP token consumption?

5 proven methods: 1) Dynamic Toolsets (Speakeasy open-source), switching from static to on-demand tool loading reduces input tokens by 91-97%; 2) Hierarchical Router, exposing just 2 meta-tools instead of 10+ MCP servers saves 99.5% of context; 3) Use TSV instead of JSON output, saves 30-40% tokens; 4) Add schema filtering to Database MCPs, table_name filter reduces output by 95%; 5) Use CLI for infrequent operations, simple queries cost 32x less in CLI than MCP (Scalekit benchmark).

Top 10 MCP Servers for Developers (2026): Scene-Based Guide + Token Cost Breakdown

The MCP ecosystem continues to accelerate in 2026. As of May 2026, PulseMCP lists over 14,000 servers, and the MCP SDK has surpassed 97 million cumulative downloads. More importantly, a structural shift has taken place: Anthropic donated MCP to the Linux Foundation's Agentic AI Foundation (AAIF) in December 2025, with joint governance from Anthropic, OpenAI, Google, Microsoft, AWS, and others. MCP has evolved from a single company's open-source project into a cross-industry standard.

At the same time, security concerns have escalated. In April 2026, OX Security disclosed a systemic RCE vulnerability in MCP SDK's stdio transport, affecting all language SDKs (Python, TypeScript, Java, Rust) and an estimated 150 million+ downloads across 7,000+ public servers. This isn't an edge case; it's an architectural-level risk.

I've been continuously tracking this ecosystem in practice. This guide combines months of hands-on experience with benchmark data from Scalekit, pgEdge, and Speakeasy, giving you a scene-based selection of what's actually worth installing across Coding, Research, Database, and Productivity workflows, and when you should skip MCP entirely and use CLI instead.

TL;DR

MCP ecosystem now has 14,000+ servers as of May 2026, with governance transferred to Linux Foundation's AAIF
MCP lets AI call external tools directly, but costs 10-32x more tokens than CLI (Scalekit benchmark)
Coding: GitHub MCP + Context7 (54k+ stars) is the essential combo
Research: Brave Search MCP (v2.x streamlined to 7 tools) or Perplexity MCP (with citations)
Database: Postgres MCP, watch out for token explosion with large schemas
New entries: Playwright MCP (30k+ stars), Cloudflare's 13 remote MCPs, Anthropic's 9 creative tool connectors
Security escalation: April 2026 OX Security disclosed systemic RCE vulnerability in all MCP SDK language implementations

MCP vs CLI: Know When to Use Which

What MCP Actually Is

MCP (Model Context Protocol) was originally open-sourced by Anthropic in late 2024, built on JSON-RPC 2.0. In December 2025, Anthropic donated MCP to the Linux Foundation's Agentic AI Foundation (AAIF), with joint governance from Anthropic, OpenAI, Google, Microsoft, AWS, Cloudflare, and Bloomberg. Technical direction remains with the original maintainer team, accepting community proposals through the SEP (Specification Enhancement Proposal) process.

Claude Code spawns MCP servers as subprocesses and communicates via stdin/stdout. A major 2026 evolution is Streamable HTTP transport, replacing the legacy SSE transport and enabling MCP servers to run as remote services rather than local subprocesses. Figma, Cloudflare, and Vercel have already adopted this model for remote MCP servers.

The key difference from built-in tools like Bash/Read/Edit: MCP servers are independent processes, and every tool call carries the full tool schema definition. Claude Code now features MCP Tool Search and lazy loading, loading tool definitions on demand rather than injecting all at session start, reducing context usage by up to 95%. Additionally, April 2026 updates raised the per-result MCP tool output limit to 500,000 characters and enabled concurrent MCP server connections, significantly improving startup speed.

The Token Cost Reality

Scalekit ran a direct benchmark (Claude Sonnet, GitHub operations):

Operation	CLI (`gh` command)	MCP Direct
Simple query (repo language)	1,365 tokens	44,026 tokens (32x)
Complex query (merged PRs)	5,010 tokens	33,712 tokens (7x)
Success rate	100%	72% (28% timeout)
Monthly cost (10k operations)	$3.20	$55.20

This isn't an argument against MCP. It's context for making informed decisions.

3 Questions to Decide Which to Use

Based on CircleCI's framework:

Do you need OAuth or per-user access control? Yes → MCP; inheriting shell env is enough → CLI
Is it high-frequency? Daily inner loop (build/test/lint) → CLI; occasional external queries → MCP
Does AI need to reason about the next step? Exploratory queries → MCP; predetermined operations → CLI

Simple rule: Use CLI for local dev workflows, MCP for external service integration.

If you're still unclear on the conceptual differences between MCP, Skills, and CLI, this primer helps: MCP vs Skill vs CLI: Complete Tool Selection Guide for Claude Code

Coding Scene: 3 Essential MCPs

GitHub MCP Server (PR/Issue Automation)

My most-used MCP. GitHub MCP lets Claude read PR diffs directly, analyze CI failures, and triage issues, eliminating a lot of switching between terminal and editor.

Install (Docker method, official recommendation, most secure):

claude mcp add github \
  --command docker \
  --args "run -i --rm -e GITHUB_PERSONAL_ACCESS_TOKEN ghcr.io/github/github-mcp-server" \
  --env GITHUB_PERSONAL_ACCESS_TOKEN=your_token_here

Supports 9 configurable toolsets: repos, issues, pull_requests, actions, code_security, discussions, notifications, deployments, team_management. Enable only what you need to limit token consumption.

Critical security note: Always use read-only PAT scope (contents:read, issues:read). Docker documented real-world Prompt Injection: a malicious issue can hijack agent actions via GitHub MCP. Read-only tokens dramatically reduce this risk.

CLI alternative: gh (GitHub CLI). For known operations (list PRs, download artifacts), gh is 7-32x cheaper than MCP.

Context7 MCP (Fix Stale LLM Training Data)

My top recommendation for frontend/fullstack developers, and it's completely free. Context7, open-sourced by Upstash, has over 54,000 GitHub stars and 890,000 weekly npm downloads as of May 2026, making it the most popular MCP server in the entire ecosystem. It dynamically fetches the latest version-specific docs for React, Next.js, Tailwind, and other libraries, injecting them into Claude's context.

The most noticeable improvement: Claude stops writing Next.js 15 App Router code using Next.js 12 Page Router syntax. That used to cost me a lot of debugging time.

Install (no API key needed):

claude mcp add context7 -- npx -y @upstash/context7-mcp@latest

Usage: Add "use context7" to your prompt to trigger it. Example:

"use context7, implement Server Component pagination with Next.js 15 App Router"

CLI alternative: No direct replacement (requires automated doc injection into AI context), but you can manually browse official docs.

Figma MCP (Essential for Frontend, Optional for Backend)

If your workflow involves turning Figma designs into code, this MCP saves significant time. The official Figma MCP Server gives Claude direct access to Dev Mode design information, including layer structure, auto-layout, variants, and design tokens. The April 2026 update added FigJam support, with a generate_diagram tool that creates architecture diagrams and ERDs (Entity Relationship Diagrams) directly in FigJam, making it useful for backend developers too.

Install (Remote MCP + OAuth, easiest method):

claude mcp add --transport http figma-remote-mcp https://mcp.figma.com/mcp
# Restart Claude Code, run /mcp, select figma-remote-mcp to complete OAuth

Token cost: Medium-high. Complex pages with detailed design info include large JSON payloads. Select specific frames or components rather than scanning entire pages.

CLI alternative: None. Figma REST API can be called manually, but the engineering cost far exceeds using MCP.

Research Scene: 3 Search MCPs

Brave Search MCP (Real-Time Search, No Ad Bias)

The most lightweight search MCP. Brave Search MCP uses Brave's own independent search index, not a Google wrapper, so there's no advertising rank bias. The 2026 v2.x release streamlined tools from 36 down to 7, reducing context consumption and improving LLM accuracy in selecting the right tool. Supports web search, local search, image/video/news search, and summarizer (Pro plan).

Install:

claude mcp add brave-search \
  --env BRAVE_API_KEY="your_key" \
  -- npx -y @modelcontextprotocol/server-brave-search

API cost: $5 per 1,000 queries (the free tier was discontinued in 2025).

CLI alternative: curl calling the Brave Search API directly. Better for batch or scripted searches, eliminates MCP schema overhead.

Perplexity MCP (Best for Research with Citations)

When you need citation-backed deep search for writing technical articles or competitive analysis, Perplexity MCP is the top choice. The perplexity_research tool is particularly suited for tasks requiring multi-source synthesis.

Install:

claude mcp add perplexity \
  --env PERPLEXITY_API_KEY="your_key" \
  -- npx -y @perplexity-ai/mcp-server

Token cost: Medium-high. Perplexity responses include full citations, making them longer, but the information density is also higher.

CLI alternative: curl calling the Perplexity API directly for batch queries.

Firecrawl MCP (Website Crawling, Structured Data Extraction)

Firecrawl MCP is the heavy-duty Research tool: JavaScript-rendering web crawling, batch processing, converting URLs to clean Markdown. Benchmarks show an average 7-second completion time with 83% accuracy. Provides 12 tools: scrape, map, search, crawl, extract, agent, and more.

Install:

claude mcp add firecrawl \
  --env FIRECRAWL_API_KEY="your_key" \
  -- npx -y firecrawl-mcp

Best for: Crawling competitor sites, fetching SPA dynamically-rendered docs, batch extraction of structured data (prices, specs).

CLI alternative: curl + pandoc or lynx for Markdown conversion, but no JavaScript rendering support.

Database Scene: Token Cost Traps and Best Practices

Postgres MCP (Powerful, But Handle With Care)

Postgres MCP lets Claude execute SQL directly, explore schemas, and analyze data structures. Sounds convenient, but there's a real pitfall to understand first.

The token explosion in practice: According to pgEdge's engineering report, get_schema_info without filtering will dump every table and column definition into context. An enterprise database with 200+ tables can consume tens of thousands of tokens just for the schema. The context window fills before any real work starts.

Install:

claude mcp add postgres \
  -- npx -y @modelcontextprotocol/server-postgres \
  postgresql://username:password@localhost/dbname

3 practices to control tokens:

Always use schema_name or table_name filters (reduces output by 90-95%)
Never run SELECT * without LIMIT. Set default limit of 100
Consider removing the MCP after exploratory sessions to prevent schema definitions from occupying context

CLI alternative: psql. For known queries, psql -c "SELECT ..." is faster and cheaper than MCP.

Google Cloud Managed MCP (Enterprise Production Environments)

Google Cloud's Managed MCP is the evolved Database MCP: no local infrastructure to deploy, direct connections to Cloud SQL (PostgreSQL/MySQL), AlloyDB, Spanner, Firestore, Bigtable, with enterprise-grade audit and governance. It doesn't consume your local context window.

Enable (GCP environment):

gcloud beta services mcp enable sqladmin.googleapis.com --project=PROJECT_ID

Best for: GCP production databases, enterprise scenarios requiring audit trails, teams that don't want to manage local MCP servers.

Productivity Scene: 2 Supplementary Tools

Filesystem MCP (Best Token Efficiency of Any MCP)

Filesystem MCP is the most basic local operation server: read/write files within allowed directories, list directories, search content. It has the best token efficiency of any MCP because the tool definition is simple and schema overhead is minimal.

Install:

npx -y @modelcontextprotocol/server-filesystem /path/to/allowed/dir

CLI alternative: Claude Code's built-in Bash, Read, Edit tools already cover most of what Filesystem MCP does. This MCP is better suited for scenarios requiring a standardized MCP interface (e.g., integration into other AI frameworks).

Sequential Thinking MCP (Complex Reasoning Enhancement)

Sequential Thinking MCP is the only tool on this list with no CLI alternative. It provides a structured multi-step reasoning framework, letting AI decompose complex problems into traceable thought chains with support for branching and revision.

Install:

npx -y @modelcontextprotocol/server-sequential-thinking
# or Docker
docker run --rm -i mcp/sequentialthinking

Best for: System design decisions, complex debugging reasoning, multi-step tasks where "think before acting" matters.

Token note: The schema itself is lightweight, but output tokens increase (full thought chain output).

Security Risks: 3 Threats You Can't Ignore

MCP ecosystem security issues have continued to escalate through 2025-2026. In April 2026, OX Security disclosed a systemic RCE vulnerability affecting all MCP SDKs (Python, TypeScript, Java, Rust), impacting over 150 million downloads and 7,000+ public servers. Anthropic responded that this behavior is "expected" and declined to modify the protocol architecture. Before installing any third-party MCP, understand these threats.

Threat 1: Prompt Injection (Most Common, Hardest to Prevent)

The attacker embeds malicious instructions in content that MCP tools will read. A real case: a Supabase AI agent processing support tickets executed SQL commands embedded in user-submitted ticket content by an attacker, leaking sensitive integration tokens to a public support thread.

GitHub MCP is high-risk. Anyone can open an issue, and a malicious issue can hijack agent actions via GitHub MCP.

Defense: GitHub PAT with read-only scope only. Letting Claude "read" GitHub is relatively safe; letting it "write" requires extreme caution.

Threat 2: Tool Poisoning (Hidden Instructions in Descriptions)

Per Invariant Labs research, a malicious MCP server can embed hidden instructions in tool description fields, invisible to users but visible to AI. These can make legitimate tools silently read ~/.ssh/id_rsa, redirect emails to attacker inboxes, or change description after approval (rug pull).

Defense: Only install official or widely-trusted MCP servers with clear maintainers. Periodically use claude mcp list to verify installed server sources.

Threat 3: Supply Chain Attacks (Ongoing in 2025-2026)

Supply chain attacks in the MCP ecosystem have continued to escalate:

CVE-2025-6514 (July 2025): mcp-remote (OAuth proxy) OS command injection vulnerability disclosed by JFrog. Malicious MCP servers could inject shell commands via authorization_endpoint for RCE.
CVE-2026-30623 (April 2026): LiteLLM allowed users to add MCP servers via JSON config specifying arbitrary command and args, executed without validation, enabling authenticated remote command execution.
CVE-2026-5058: aws-mcp-server critical command injection vulnerability enabling unauthenticated remote code execution.
CVE-2026-26118 (CVSS 8.8): High-severity vulnerability in Microsoft MCP server deployments, enabling AI tool hijacking.
OX Security systemic vulnerability (April 2026): MCP SDK's stdio transport has an architectural RCE risk, where any process command passed to the STDIO interface executes on the host system regardless of whether it initializes a valid MCP server. Impact: 150M+ downloads, 7,000+ public servers.

Defense principles:

GitHub PAT with minimal required scope (prefer read-only)
Local MCP servers bind to 127.0.0.1 only, never 0.0.0.0
Lock npm package versions, don't use @latest in production
Only install official or reputable MCPs (check PulseMCP verification badges)
Regularly check CVE status of installed MCPs, especially high-exposure packages like mcp-remote and aws-mcp-server

Token Cost Quick Reference: All 10 Servers

MCP Server	Scene	Token Cost	CLI Alternative	Free Option
GitHub MCP	Coding	Medium (7-32× CLI)	`gh` CLI ✅	Needs GitHub PAT
Context7 MCP	Coding	Medium (1k-5k/query)	No replacement ❌	Completely free
Figma MCP	Coding/Frontend	Medium-high	None (manual API)	Figma Pro users
Brave Search	Research	Medium	`curl` Brave API ✅	No ($5/1k queries)
Perplexity MCP	Research	Medium-high (w/ citations)	`curl` Perplexity API ✅	Needs API key
Firecrawl MCP	Research	Medium	`curl` + pandoc (no JS)	Free tier available
Postgres MCP	Database	High (schema explosion risk)	`psql` ✅	Open source
Google Cloud MCP	Database/GCP	Managed (no local context)	`gcloud` + `psql` ✅	GCP pricing
Filesystem MCP	Productivity	Very low (best efficiency)	Claude Code builtins ✅	Open source
Sequential Thinking	Productivity	Low input / high output	No replacement ❌	Open source

Notable New MCP Servers in 2026

Beyond the Top 10 above, these MCP servers launched or received major updates in April-May 2026 and are worth watching:

Playwright MCP (Microsoft Official, Browser Automation)

Playwright MCP is Microsoft's official browser automation MCP server, with over 30,000 GitHub stars as of May 2026, making it the second most popular MCP server in the ecosystem. It uses accessibility snapshots rather than screenshots to understand page structure, supports Chromium, Firefox, and WebKit engines, and provides 22 tools. Ideal for frontend testing, UI validation, and web interaction automation.

Cloudflare MCP Servers (Infrastructure Management)

Cloudflare released 13 remote MCP servers in April 2026, covering D1 databases, R2 object storage, Workers Logs, Containers, and more. This is a showcase for the remote MCP model: no local installation required, with MCP clients connecting directly to Cloudflare's remote services.

Anthropic Creative Connectors (Blender, Adobe, Ableton)

Anthropic released 9 creative tool connectors on April 28, 2026, including Blender (3D modeling), Adobe Creative Cloud (50+ tools including Photoshop and Premiere), Autodesk, Ableton (music production), and Splice. These connectors are built on MCP protocol, meaning other LLMs can also connect. Available across all Claude plans, including Free.

Conclusion

The MCP ecosystem has evolved from 2025's "wild proliferation" into 2026's "infrastructure phase." Protocol governance moved to the Linux Foundation, Streamable HTTP made remote MCP mainstream, and 14,000+ servers are available. But growth has brought more serious security challenges: the OX Security systemic RCE disclosure, multiple new 2026 CVEs. These all remind us to be more careful when selecting MCP servers.

The core logic of this guide remains: start with the scene, pick the tool, then measure the cost.

Not every MCP is worth installing. GitHub MCP + Context7 covers most backend developers; add Figma MCP and Playwright MCP for frontend work; add Brave Search or Perplexity for research. Database MCPs require careful token management. Sequential Thinking is the only tool here with no real substitute.

More importantly: some operations simply don't need MCP. For known, deterministic operations, gh pr list, psql -c, and curl are more efficient and far cheaper. Don't use MCP just for the sake of using MCP.

Pick one scene, get it working properly, and that's worth more than installing 10 MCPs you half-use. What's the most repetitive task in your current workflow? That's probably where MCP will give you the best return.