Skip to main content
Source verified · mcp · 20 picks

Source-verified MCP tools and listings

MCP servers and tool listings with visible source metadata for teams that want reviewable install paths and attribution before adoption.

Curated by @heyclaude-editors Updated 2026-07-18

MCP servers and tool listings with visible source metadata for teams that want reviewable install paths and attribution before adoption.

Compared at a glance

The top 5 picks side by side on trust, install, platform support, and disclosed notes — full rationale for each below.

3 trust signals differ across this comparison (Package trust, Source provenance, Submitter).

Field

Official GitHub MCP server providing comprehensive GitHub API access for repository management, file operations, and search functionality

Open dossier

Build applications, analyze traffic, and manage security settings through Cloudflare

Open dossier

Security analysis and vulnerability scanning for dependencies

Open dossier

Configure and manage Stytch authentication services and workspace settings

Open dossier

Remote MCP server that turns any GitHub repository or GitHub Pages site into a documentation and code context source for AI coding assistants.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustDiffersPackage verifiedPackage verifiedPackage verifiedPackage verifiedPackage not verified
Source provenanceDiffersNo submission linkNo submission linkNo submission linkNo submission linkSource-backed
SubmitterDiffersoktofeesh1
Install riskLow riskLow riskLow riskLow riskReview first
Notes Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓
BrandGitHub logoGitHubCloudflare logoCloudflareSocket logoSocketStytch logoStytchGitMCP logoGitMCP
Categorymcpmcpmcpmcpmcp
SourceFirst-partyFirst-partyFirst-partyFirst-partySource-backed
AuthorGitHubCloudflareSocketStytchidosal
Added2025-09-182025-09-182025-09-182025-09-182026-06-05
Platforms
Harness
Source repo
Safety notesUse a least-privilege GitHub token because repository, issue, pull request, and file operations can modify public or private projects.Use a least-privilege Cloudflare token because DNS, security, Worker, and deployment actions can affect production services.Treat dependency risk findings as triage input and verify impact before blocking releases or changing package policy.Restrict Stytch workspace and admin permissions because auth configuration changes can affect sign-in and account security.Repository-specific endpoints reduce the chance of an agent querying the wrong project, while the dynamic endpoint relies on correct target selection. Verify generated code against the upstream project documentation and changelog before applying it to production systems. Use caution with private, unreleased, or embargoed repositories unless you self-host and have reviewed access controls.
Privacy notesRepository contents, issues, pull requests, comments, org metadata, and user details may be sent through model context.Zone settings, analytics, logs, account identifiers, deployment metadata, and security configuration may be sent through model context.Package names, manifests, dependency graphs, repository context, and security findings may be sent through tool calls.User identities, authentication logs, session details, workspace settings, and security configuration may be sent through tool calls.GitMCP may receive repository choices, documentation queries, tool calls, and surrounding prompts through the MCP client. The README states that the hosted service does not collect personal information or store queries, but teams should still review the current privacy posture before sending proprietary context. Self-hosting may be preferable for private repositories, regulated work, or sensitive customer projects.
Prerequisites
  • GitHub account (sign up at https://github.com if needed)
  • GitHub Personal Access Token with repo scope (generate from GitHub Settings > Developer Settings > Personal Access Tokens)
  • Docker installed and running (verify with: docker --version)
  • Internet connection (remote GitHub API access required)
  • Cloudflare account with active zones
  • Cloudflare API Token from https://dash.cloudflare.com/profile/api-tokens
  • Cloudflare Account ID (found in Cloudflare dashboard)
  • Node.js and npm/npx available for running the @cloudflare/mcp-server-cloudflare package
  • Socket account (free or paid plan)
  • OAuth authentication setup (for mcp.socket.dev MCP connection)
  • Socket API key (for Socket API access, available in Socket Dashboard)
  • Network access to mcp.socket.dev (HTTPS required)
  • Stytch account (free or paid plan)
  • Stytch API key authentication (for mcp.stytch.dev MCP connection)
  • Stytch project_id and secret from Dashboard (test or live environment)
  • Network access to mcp.stytch.dev (HTTP transport, not HTTPS)
  • MCP client that supports remote MCP servers or an mcp-remote bridge.
  • GitHub repository owner and repository name, GitHub Pages site, or the dynamic GitMCP docs endpoint.
  • Network access to GitMCP and GitHub.
  • Team agreement on which repositories can be queried through a hosted MCP service.
Install
claude mcp add github -e GITHUB_PERSONAL_ACCESS_TOKEN=YOUR_TOKEN -- docker run -i --rm -e GITHUB_PERSONAL_ACCESS_TOKEN ghcr.io/github/github-mcp-server && claude mcp list
claude mcp add cloudflare --env CLOUDFLARE_API_TOKEN=YOUR_TOKEN --env CLOUDFLARE_ACCOUNT_ID=YOUR_ACCOUNT_ID && claude mcp list
claude mcp add --transport http socket https://mcp.socket.dev/ && claude mcp list
claude mcp add --transport http stytch http://mcp.stytch.dev/mcp && claude mcp list
npx mcp-remote https://gitmcp.io/{owner}/{repo}
Config
{
  "mcpServers": {
    "github": {
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_PERSONAL_ACCESS_TOKEN}"
      },
      "args": [
        "run",
        "-i",
        "--rm",
        "-e",
        "GITHUB_PERSONAL_ACCESS_TOKEN",
        "ghcr.io/github/github-mcp-server"
      ],
      "command": "docker",
      "type": "stdio"
    }
  }
}
{
  "mcpServers": {
    "cloudflare": {
      "env": {
        "CLOUDFLARE_API_TOKEN": "${CLOUDFLARE_API_TOKEN}",
        "CLOUDFLARE_ACCOUNT_ID": "${CLOUDFLARE_ACCOUNT_ID}"
      },
      "args": [
        "-y",
        "@cloudflare/mcp-server-cloudflare"
      ],
      "command": "npx",
      "type": "stdio"
    }
  }
}
{
  "mcpServers": {
    "socket": {
      "url": "https://mcp.socket.dev/",
      "type": "http"
    }
  }
}
{
  "mcpServers": {
    "stytch": {
      "url": "http://mcp.stytch.dev/mcp",
      "type": "http"
    }
  }
}
{
  "mcpServers": {
    "gitmcp": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://gitmcp.io/{owner}/{repo}"
      ]
    }
  }
}
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool
  1. 01
    Why it made the cut

    GitHub MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.

  2. 02
    Why it made the cut

    Cloudflare MCP Server - MCP Servers is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.

  3. 03
    Why it made the cut

    Socket MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.

  4. 04
    Why it made the cut

    Stytch MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.

  5. 05
    Why it made the cut

    GitMCP Docs Server is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  6. 06
    Why it made the cut

    Octocode MCP is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  7. 07
    Why it made the cut

    Git MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.

  8. 08
    Why it made the cut

    Bifrost MCP Gateway is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  9. 09
    Why it made the cut

    Codacy MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  10. 10
    Why it made the cut

    ENScan_GO MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  11. 11
    Why it made the cut

    Gitleaks is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  12. 12
    Why it made the cut

    MCP Proxy for AWS is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  13. 13
    Why it made the cut

    Microsoft MCP Gateway is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  14. 14
    Why it made the cut

    NVIDIA SkillSpector is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  15. 15
    Why it made the cut

    Pentest AI MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  16. 16
    Why it made the cut

    Searchcode MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  17. 17
    Why it made the cut

    Semgrep is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  18. 18
    Why it made the cut

    Snyk MCP Server for Claude is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  19. 19
    Why it made the cut

    SonarQube MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  20. 20
    Why it made the cut

    ToolHive MCP Platform is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

Missing a pick? Propose an edit to this list — every change goes through the same review queue as new entries.

Suggest a pick
Weekly · Sundays

Get the weekly brief

One calm read on Claude workflows. Sundays. No tracking pixels.

Unsubscribe any time. No tracking pixels. No partner blasts.