Skip to main content
Safe MCP installs · mcp · 18 picks

Safe MCP install checklist resources

MCP servers and install resources that help teams review source, credentials, file access, network behavior, and package trust.

Curated by @heyclaude-editors Updated 2026-07-18

MCP servers and install resources that help teams review source, credentials, file access, network behavior, and package trust.

Compared at a glance

The top 5 picks side by side on trust, install, platform support, and disclosed notes — full rationale for each below.

3 trust signals differ across this comparison (Package trust, Source provenance, Submitter).

Field

Build applications, analyze traffic, and manage security settings through Cloudflare

Open dossier

Security analysis and vulnerability scanning for dependencies

Open dossier

Configure and manage Stytch authentication services and workspace settings

Open dossier

AWS-maintained proxy and Python library that lets MCP clients and agent frameworks connect to IAM-secured MCP servers on AWS by signing requests with AWS SigV4 credentials.

Open dossier

Official Snyk Studio MCP Server for connecting Claude Code, Codex CLI, Cursor, Gemini CLI, and other local MCP clients to Snyk Code, Open Source, IaC, container, SBOM, AI-BOM, package-health, authentication, and secure-at-inception workflows.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustDiffersPackage verifiedPackage verifiedPackage verifiedPackage not verifiedPackage not verified
Source provenanceDiffersNo submission linkNo submission linkNo submission linkSource-backedSource-backed
SubmitterDiffersoktofeesh1oktofeesh1
Install riskLow riskLow riskLow riskReview firstReview first
Notes Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓
BrandCloudflare logoCloudflareSocket logoSocketStytch logoStytchMCP Proxy for AWS logoMCP Proxy for AWS
Categorymcpmcpmcpmcpmcp
SourceFirst-partyFirst-partyFirst-partySource-backedSource-backed
AuthorCloudflareSocketStytchawsSnyk
Added2025-09-182025-09-182025-09-182026-06-062026-06-04
Platforms
Harness
Source repo
Safety notesUse a least-privilege Cloudflare token because DNS, security, Worker, and deployment actions can affect production services.Treat dependency risk findings as triage input and verify impact before blocking releases or changing package policy.Restrict Stytch workspace and admin permissions because auth configuration changes can affect sign-in and account security.MCP Proxy for AWS signs MCP requests with local AWS credentials, so tool calls can inherit the AWS permissions of the selected profile or role. Multi-profile mode injects an `aws_profile` parameter into auth-requiring tools; restrict the profile list to accounts and roles an agent may safely use. The `--read-only` flag disables tools that require write permissions when the upstream tool annotations identify them, but it is not a substitute for IAM least privilege. The `--skip-auth` option can bypass request signing when credentials are unavailable; avoid it unless the endpoint is intentionally unauthenticated. Docker examples mount AWS credential directories read-only; keep mounts scoped and avoid sharing long-lived credentials with untrusted containers.Snyk documents this as a local MCP server that runs through the Snyk CLI so it can access local project files. Do not treat it like a hosted remote endpoint or expose it to untrusted clients. The official examples use `snyk@latest`; this listing pins the currently observed npm package version for reproducibility. Re-check Snyk's docs and npm package metadata before updating the pinned runner. Authenticate with the least-privilege Snyk account that can inspect the target project. Do not commit Snyk tokens, generated MCP configs, CLI auth state, Claude configs, Codex configs, or copied scan output that contains sensitive findings. Snyk requires trusting the current project directory before scanning. Treat that trust step as a real access decision, especially for monorepos, regulated codebases, customer projects, and worktrees containing secrets. The `snyk_sca_scan` tool can execute third-party ecosystem tools such as Gradle or Maven to build dependency trees. Run scans only in projects where dependency resolution commands are acceptable. Container, IaC, SBOM, AI-BOM, and package-health tools may require extra local files, network access, preview feature access, or container image references. Review each tool call before letting the assistant expand the scan surface. Treat generated remediation guidance as advisory. A human should review code changes, dependency upgrades, IaC edits, Dockerfile changes, and suppressions before they are committed or deployed.
Privacy notesZone settings, analytics, logs, account identifiers, deployment metadata, and security configuration may be sent through model context.Package names, manifests, dependency graphs, repository context, and security findings may be sent through tool calls.User identities, authentication logs, session details, workspace settings, and security configuration may be sent through tool calls.The proxy may process AWS access keys, session tokens, profile names, regions, SigV4 headers, MCP endpoint URLs, metadata, prompts, tool names, tool arguments, tool results, logs, telemetry, and framework session data. AWS profile names and metadata can reveal account structure, environment names, regions, and service ownership. Logs from clients, containers, or frameworks can expose endpoint URLs, selected profiles, tool arguments, and AWS error details. Store AWS credentials through standard credential providers or IAM roles, rotate temporary sessions, and avoid committing MCP client configs with real endpoints or profile names.Snyk MCP can read local source code, dependency manifests, package lock files, IaC definitions, Dockerfiles, container image references, SBOM files, AI project metadata, and scanner results from the connected project. Scans can send project metadata, dependency information, vulnerability context, code-analysis data, organization identifiers, authentication state, and package-health requests to Snyk services according to the configured product and account. Claude, Codex, IDE logs, MCP client transcripts, screenshots, shell history, and tickets can retain Snyk findings outside Snyk's normal access controls and retention settings. Security findings may reveal vulnerable dependencies, vulnerable code paths, internal package names, container base images, cloud resources, application structure, and remediation priorities. Avoid pasting raw findings into public issues or unaudited chat systems. The `snyk_send_feedback` tool can send issue-fix feedback to Snyk. Use it only when that feedback path is approved for the project and organization.
Prerequisites
  • Cloudflare account with active zones
  • Cloudflare API Token from https://dash.cloudflare.com/profile/api-tokens
  • Cloudflare Account ID (found in Cloudflare dashboard)
  • Node.js and npm/npx available for running the @cloudflare/mcp-server-cloudflare package
  • Socket account (free or paid plan)
  • OAuth authentication setup (for mcp.socket.dev MCP connection)
  • Socket API key (for Socket API access, available in Socket Dashboard)
  • Network access to mcp.socket.dev (HTTPS required)
  • Stytch account (free or paid plan)
  • Stytch API key authentication (for mcp.stytch.dev MCP connection)
  • Stytch project_id and secret from Dashboard (test or live environment)
  • Network access to mcp.stytch.dev (HTTP transport, not HTTPS)
  • Python 3.10+ and `uv`, or Docker for the public ECR image path.
  • AWS credentials configured through AWS CLI profiles, environment variables, or IAM roles.
  • The SigV4-protected MCP endpoint URL, AWS region, and optional AWS service name for signing.
  • Least-privilege AWS profiles prepared before enabling multi-profile switching for agents.
  • Snyk account and approval to connect the local project to Snyk security scanning.
  • Node.js and `npx`, or a locally installed Snyk CLI executable available to the MCP client.
  • MCP-capable client such as Claude Code, Codex CLI, Cursor, Gemini CLI, or another local stdio-compatible client.
  • Browser-based Snyk authentication, or an approved token-based authentication flow for the target organization.
Install
claude mcp add cloudflare --env CLOUDFLARE_API_TOKEN=YOUR_TOKEN --env CLOUDFLARE_ACCOUNT_ID=YOUR_ACCOUNT_ID && claude mcp list
claude mcp add --transport http socket https://mcp.socket.dev/ && claude mcp list
claude mcp add --transport http stytch http://mcp.stytch.dev/mcp && claude mcp list
uvx mcp-proxy-for-aws@latest SIGV4_MCP_ENDPOINT_URL
npx -y snyk@1.1305.1 mcp -t stdio --profile=lite
Config
{
  "mcpServers": {
    "cloudflare": {
      "env": {
        "CLOUDFLARE_API_TOKEN": "${CLOUDFLARE_API_TOKEN}",
        "CLOUDFLARE_ACCOUNT_ID": "${CLOUDFLARE_ACCOUNT_ID}"
      },
      "args": [
        "-y",
        "@cloudflare/mcp-server-cloudflare"
      ],
      "command": "npx",
      "type": "stdio"
    }
  }
}
{
  "mcpServers": {
    "socket": {
      "url": "https://mcp.socket.dev/",
      "type": "http"
    }
  }
}
{
  "mcpServers": {
    "stytch": {
      "url": "http://mcp.stytch.dev/mcp",
      "type": "http"
    }
  }
}
{
  "mcpServers": {
    "aws": {
      "command": "uvx",
      "args": [
        "mcp-proxy-for-aws@latest",
        "SIGV4_MCP_ENDPOINT_URL",
        "--region",
        "AWS_REGION",
        "--profile",
        "AWS_PROFILE",
        "--read-only"
      ],
      "env": {
        "AWS_MCP_PROXY_PROFILES": "prod-readonly dev staging"
      }
    }
  }
}
{
  "mcpServers": {
    "Snyk": {
      "command": "npx",
      "args": [
        "-y",
        "snyk@1.1305.1",
        "mcp",
        "-t",
        "stdio",
        "--profile=lite"
      ],
      "env": {},
      "type": "stdio"
    }
  }
}
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool
  1. 01
    Why it made the cut

    Cloudflare MCP Server - MCP Servers is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.

  2. 02
    Why it made the cut

    Socket MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.

  3. 03
    Why it made the cut

    Stytch MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.

  4. 04
    Why it made the cut

    MCP Proxy for AWS is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  5. 05
    Why it made the cut

    Snyk MCP Server for Claude is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  6. 06
    Why it made the cut

    AWS IAM MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  7. 07
    Why it made the cut

    Bifrost MCP Gateway is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  8. 08
    Why it made the cut

    CVE MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  9. 09
    Why it made the cut

    ENScan_GO MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  10. 10
    Why it made the cut

    Microsoft MCP Gateway is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  11. 11
    Why it made the cut

    Pentest AI MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  12. 12
    Why it made the cut

    SonarQube MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  13. 13
    Why it made the cut

    ToolHive MCP Platform is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  14. 14
    Why it made the cut

    Wassette MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  15. 15
    Why it made the cut

    Airtable MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.

  16. 16
    Why it made the cut

    Asana MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.

  17. 17
    Why it made the cut

    AWS Services MCP Server - MCP Servers is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.

  18. 18
    Why it made the cut

    Box MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.

Missing a pick? Propose an edit to this list — every change goes through the same review queue as new entries.

Suggest a pick
Weekly · Sundays

Get the weekly brief

One calm read on Claude workflows. Sundays. No tracking pixels.

Unsubscribe any time. No tracking pixels. No partner blasts.