Install guide · 2026-04-30
The MCP install shortlist — 19 community servers that earn an A in our 101-repo audit (April 2026)
If you're an indie developer or small team picking a Model Context Protocol server to drop into Claude Code, Cursor, Windsurf, or Codex this week, you do not need to read all 101 audit pages on our public board. Of the 101 most-installed community MCP servers in our April 2026 corpus, exactly 19 earned an A grade — clean across all six axes, no high-severity findings, no credential echoes, no SSRF in tool handlers. Here are all 19, grouped by what they actually do, with the trade-offs an indie buyer cares about.
How the shortlist was built
SkillAudit v0.2.1 clones every audited repo at its default branch HEAD into an ephemeral sandbox, walks the source tree, and runs six static checks over the .js / .ts / .py sources: SSRF, command-exec, credential handling, permissions hygiene, maintenance signals, and documentation completeness. It also runs an LLM-assisted prompt-injection probe against the MCP tool surface — though that probe is currently gated on ANTHROPIC_API_KEY availability and is reported separately when active. Each axis gets a 0–100 score; the overall grade is the worst-axis floor (security-prioritised). A repo earns an A when every axis lands at 90 or above, no production-source findings exceed warn-level, and metadata signals (declared runtime, recent push, present README) check out. The methodology page at skillaudit.dev/methodology documents every cap and deduction.
The corpus is 101 of the most-installed community MCP servers as of April 2026 — sourced from the official modelcontextprotocol/servers registry, the punkpeye/awesome-mcp-servers list, the mcp-server-list aggregators, vendor-official releases (Cloudflare, Stripe, Heroku, GitHub, MongoDB, AWS, Azure, Anthropic, etc.), and the indie-author repos most cross-linked across the above. The roster is not "the top 101 by install count" — there is no public install counter for MCP — but it is the 101 a buyer in 2026 is most likely to encounter when searching "MCP server for X".
Of those 101: 19 A, 0 B, 30 C, 10 D, 42 F. The full grade distribution is visible on the public audit board. The 19 below are the entire A-grade set as of this scan.
Vector and embedding databases (5)
The largest A-grade category. Vector databases are typically narrow-surface MCPs — a tool to upsert, a tool to query, a few namespace and index management tools. Narrow surface means a small attack surface, which means it's easier to write correctly, which is why this category dominates the A grades. If you are building a RAG pipeline or agent memory, your safe-by-default vector backend is on this list.
- Pinecone — audit · pinecone-io/pinecone-mcp · 90/100. The vendor-official MCP for Pinecone's hosted vector DB. Index management, upsert, query, namespace tools. Authenticates with a Pinecone API key (declared in env, never echoed). Pick this if you want a managed vector backend and don't want to run infrastructure.
- Qdrant — audit · qdrant/mcp-server-qdrant · 90/100. The vendor-official MCP for Qdrant. Self-host or Qdrant Cloud. Open-source MIT-licensed Qdrant server pairs cleanly with this MCP for indie devs who want full control of the vector store. Memory-and-recall pattern with semantic search over a single collection works out of the box.
- Milvus — audit · zilliztech/mcp-server-milvus · 90/100. From ZillizTech, the company behind Milvus. Connects to either self-hosted Milvus or Zilliz Cloud. Same shape as Qdrant — choose between them on operational preference, not security preference; both clear at A.
- Vectara — audit · vectara/vectara-mcp · 90/100. Vectara's hybrid search-and-RAG MCP. Higher-level than the raw vector backends above — it bundles retrieval, reranking, and generation into a single tool surface. Pick this if you want managed RAG-as-a-service rather than building the retrieval layer yourself.
- Meilisearch — audit · meilisearch/meilisearch-mcp · 90/100. Vendor-official from Meilisearch. Meilisearch is a full-text search engine with vector hybrid support — pick this if your use case leans more "fast keyword search with semantic boost" than "pure vector similarity". Operates on a self-hosted or Meilisearch Cloud index.
Operational databases (4)
The four A-grade operational databases all share a careful pattern: connection strings live in environment variables (never logged), tools wrap parameterised queries (no string-concat SQL), and the surface area is intentionally narrow (a few schema-introspection tools plus an execution tool that the host application is expected to authorise). If your agent needs to read or write to a real database, these four are the safe-by-default picks.
- Redis — audit · redis/mcp-redis · 90/100. The vendor-official MCP from Redis. Treats Redis as agent memory: get, set, hset, lrange, plus the JSON and Search modules. Connection via REDIS_URL. Indie devs running a single Redis container locally get a working agent memory backend in under a minute.
- ClickHouse — audit · ClickHouse/mcp-clickhouse · 90/100. Vendor-official from ClickHouse. Schema introspection plus a parameterised query tool. Pick this if your agent needs to query analytical workloads — log data, event analytics, time series — over a real OLAP engine rather than slow Postgres scans.
- Couchbase — audit · Couchbase-Ecosystem/mcp-server-couchbase · 90/100. From the Couchbase Ecosystem org (vendor-adjacent). Document store with N1QL query support — useful if your agent needs flexible schemas without giving up real query semantics.
- Snowflake — audit · Snowflake-Labs/snowflake-mcp · 90/100. From Snowflake Labs (vendor-official). Connects an agent to a Snowflake warehouse with role-scoped query execution. The right pick when the underlying data is already in Snowflake and you want the agent to query it without a custom backend.
Search and web fetch (5)
This is the category most likely to fail an audit — fetching arbitrary URLs the LLM hands you is the canonical SSRF anti-pattern, and "give the agent a browser" is one of the broadest attack surfaces in the MCP ecosystem. The five A grades below all handle the URL-trust problem deliberately: either by restricting traffic to a vendor-managed search endpoint, by sandboxing browser execution, or by being honest about being a generic fetcher and documenting the operational expectation that you don't pipe LLM output to it without a layer in between.
- Exa — audit · exa-labs/exa-mcp-server · 90/100. Vendor-official from Exa. Calls the Exa Search API, which is a managed neural search endpoint — the URL surface is fixed at the Exa API, so there is no SSRF surface to exploit. Pick this when you want high-quality web search results curated for LLM consumption without managing your own crawler.
- FireCrawl — audit · mendableai/firecrawl-mcp-server · 90/100. Vendor-official from Mendable. FireCrawl is a managed crawler that converts web pages to clean markdown for LLM input — much like Exa, the SSRF surface is bounded by the FireCrawl API, not by what the LLM types in. Useful for "scrape this URL and tell me what's on it" agent loops.
- DuckDuckGo — audit · nickclyde/duckduckgo-mcp-server · 90/100. Indie-author MCP wrapping the DuckDuckGo search API. Free, no API key required for basic usage, narrow surface — search and instant-answer endpoints only. Good fit when you want web search but don't want to provision an Exa or Tavily account.
- fetch-mcp — audit · zcaceres/fetch-mcp · 90/100. Indie-author generic HTTP-fetch MCP. The audit notes that this is genuinely a generic fetcher — by design — and the README documents the operational expectation: you should treat it like a URL-fetch tool you'd give a browser plugin, not a free pass for the LLM to hit any URL. The author is honest about this; the engine flagged the URL passthrough as a warn (not high) once the README's intent declaration was found. Pick this when you want a lightweight fetcher and you understand the trust model.
- Microsoft Playwright — audit · microsoft/playwright-mcp · 90/100. Vendor-official from Microsoft. Sandboxed browser automation via Playwright — agents can navigate, click, screenshot, scrape JS-rendered content. The Playwright sandbox is the thing keeping the SSRF surface from being unbounded; if you trust Playwright's sandboxing model (most teams do), the MCP wraps it cleanly.
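The URL-trust handling described above (and the allowlist the C-grade generic fetchers lack) in code, as an added example that is not code from any server on this list; the allowlisted endpoint host is a constructed placeholder.

```python
"""Added example (not code from any server on this list): bounding the URL
surface of an MCP fetch tool with a host allowlist, the property the audit
rewards on the SSRF axis. The allowlist host below is constructed."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"api.example-search.test"})  # constructed vendor endpoint
ALLOWED_SCHEMES = frozenset({"https"})


class UrlRejected(ValueError):
    """Raised when an LLM-supplied URL falls outside the tool's trust boundary."""


def check_fetch_url(raw_url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Validate an LLM-supplied URL and return a normalised form safe to fetch.

    Only scheme, host, path and query survive: userinfo is refused, literal IP
    hosts are refused (they can never match a hostname allowlist and are the
    usual way a fetcher ends up pointed at loopback or internal ranges), and
    the port is dropped so the request always goes to the vendor's default
    TLS port.
    """
    parts = urlsplit(raw_url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UrlRejected(f"scheme not allowed: {parts.scheme or '<none>'}")
    if parts.username is not None or parts.password is not None:
        raise UrlRejected("userinfo in URL is not allowed")
    host = parts.hostname  # urlsplit already lower-cases this
    if not host:
        raise UrlRejected("missing host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a DNS name, which is what the allowlist is compared against
    else:
        raise UrlRejected("literal IP hosts are not allowed")
    host = host.rstrip(".")  # "example.test." and "example.test" name the same host
    if host not in allowed_hosts:
        raise UrlRejected(f"host not on allowlist: {host}")
    url = f"{parts.scheme}://{host}{parts.path or '/'}"
    return f"{url}?{parts.query}" if parts.query else url


def is_allowed(raw_url: str) -> bool:
    """Boolean form of check_fetch_url, convenient for logging the decision."""
    try:
        check_fetch_url(raw_url)
    except UrlRejected:
        return False
    return True
```

A tool that calls check_fetch_url before every outbound request has a fixed, reviewable URL surface; rejections should be logged with the reason string, never with any API key the handler holds.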
Backend platforms and files (3)
Three A grades for the "the agent needs to talk to a real product backend or file store" use case. Each one wraps a managed service whose own API surface defines the trust boundary, and each handles credentials with the same careful pattern (env-var reads never echoed back into tool responses).
- Appwrite — audit · appwrite/mcp · 90/100. Vendor-official from Appwrite. Database, storage, authentication, and function tools for the Appwrite BaaS. If you're already using Appwrite as your indie backend, this MCP gets your agent into your data layer without rolling a custom adapter. Project-scoped API key keeps blast-radius bounded.
- Box — audit · box-community/mcp-server-box · 90/100. From the Box community org. Tools for searching, fetching, and (with the right scopes) writing files in a Box account. The right pick when your team's documents already live in Box and the agent needs to read or summarise them — far cleaner than a custom OAuth dance.
- FastAPI-MCP — audit · tadata-org/fastapi_mcp · 90/100. From tadata-org (indie, well-maintained). Auto-generates an MCP server from any FastAPI app: every endpoint becomes a tool, with type-safe arguments derived from the Pydantic schemas. Pick this when you already have a FastAPI backend and want to expose it to an agent without writing per-endpoint MCP wrappers.
Voice and audio (1)
- ElevenLabs — audit · elevenlabs/elevenlabs-mcp · 90/100. Vendor-official from ElevenLabs. Text-to-speech and voice-cloning tools backed by the ElevenLabs API. Clean surface — generation, voice listing, model selection. The right pick when an agent needs to produce audio and you don't want to host a TTS model. API-key-scoped, key never echoed.
Frameworks and adapters (1)
- LangChain MCP adapters — audit · langchain-ai/langchain-mcp-adapters · 100/100. The only repo in the corpus to land at a perfect 100. Bidirectional adapters: turn LangChain tools into MCP tools and turn MCP tools into LangChain tools. Not an MCP for a specific service — it's plumbing between two ecosystems. The 100/100 reflects narrow plumbing surface, exhaustive type definitions, and a pattern of test coverage that few production MCPs hit. If you are bridging an existing LangChain agent into an MCP host, install this without hesitation.
Three indie-dev install scenarios — which to pick
The shortlist is most useful when you start from your actual use case rather than the catalogue. Three common indie shapes and the safe-by-default picks for each:
You're building a RAG agent for a Claude Code project
You need a vector backend, a web-fetch tool, and probably a search tool. The A-grade default stack is Qdrant or Pinecone for vectors (Pinecone if you don't want to run infrastructure, Qdrant if you do), FireCrawl for converting web pages to clean markdown, and Exa for high-quality search retrieval. All three pair well; none have overlapping responsibilities. If you also need a memory layer for cross-session context, drop Redis in for working memory and reserve the vector DB for long-term embeddings.
You're letting an agent query a data warehouse
You almost certainly already know which warehouse — pick the matching A-grade MCP. Snowflake, ClickHouse, and Couchbase are all on the shortlist. Pair with FastAPI-MCP if you're standing up a thin API layer in front of the warehouse to let the agent run named queries instead of arbitrary SQL — that's the more conservative pattern for agent-data integration in 2026 and it pulls two A grades into the same stack.
You're building a research-and-summarise agent
The agent needs to navigate the web, scrape JS-rendered pages, and store its working notes. The A-grade default stack is Microsoft Playwright for browser automation, FireCrawl or fetch-mcp for direct HTTP fetches (Playwright handles JS-rendered pages, FireCrawl handles markdown conversion, fetch-mcp handles raw HTTP — they complement rather than compete), and Pinecone or Qdrant for the agent's note store. DuckDuckGo covers free web search. Vectara is a single-MCP alternative if you'd rather have managed RAG instead of assembling vector + retrieval + reranker yourself.
What's NOT on this list (and why)
Several MCPs you might expect to see here didn't land at A. The honest reasons:
- The 30 C grades — useful, installable, but with one or more axis warnings that kept them out of the A bucket. Common shapes: an SSRF in a generic fetch tool that's documented as intentional but not bounded by an allowlist, a missing engines declaration in package.json, a stale README under the 3KB threshold, or a maintenance gap (last commit > 180 days). C-grade MCPs are fine to install if you read the audit page first; they're just not the default pick. The install-gate playbook argues for a min-grade-C team policy as the working choice set.
- The 10 D grades and 42 F grades — the install set the install gate is meant to block. 29 of those F grades are vendor-official releases from companies you would otherwise trust on brand alone — Cloudflare, Stripe, Heroku, MongoDB, GitHub, AWS, Azure, Auth0, Sentry, PostHog, Anthropic's own SDKs, and 18 more. Vendor brand is not a security signal in MCP; the per-vendor breakdown post explains the file paths and why each one earned the F.
- Anthropic's official Skills Directory picks — the directory's editorial allowlist and our automated audit cover overlapping but not identical ground. Some directory-listed MCPs are A here, some are C, some have not been audited yet. The SkillAudit vs Anthropic Skills Directory comparison has the structural differences. Treat the directory as one trust signal and the audit grade as another; both can be useful.
Honest caveats
Three things to keep in mind when using this shortlist as a buying signal.
First, the rubric is calibrated toward MCP-shape risk: SSRF in tool handlers, command-exec primitives, credential echo on return paths, prompt-injection susceptibility on the tool-output channel. It does not certify that the underlying service is bug-free, that the MCP is feature-complete, or that the upstream product is well-priced. A repo can earn an A and still be the wrong tool for your use case; that's a feature-fit decision the audit doesn't make for you.
Second, grades are time-bound. This list reflects the April 2026 scan of the corpus. A botched maintainer commit can drop a repo from A to D in a single week — it has happened in the corpus already. The install-gate post recommends a 30-day re-scan cadence; for an indie dev installing once and living with it for months, sanity-checking the audit page before each upgrade is a 30-second hygiene step.
Third, the engine has a known calibration question. The current pass over a repo treats a finding in examples/ or scripts/ the same way it treats a finding in src/, with one exception (the tests/ down-weight). Engine v0.3 will subdivide further — runtime tool surface vs examples vs scripts vs benchmarks — at which point a handful of repos at the C / D edges will likely move. The 19 A grades on this list are unaffected by the calibration update because they have no high-severity findings anywhere in the source tree, in any context. The shortlist is the most stable corner of the rubric.
FAQ
Why are there only 19 A grades and zero B grades?
This is a score-distribution property of the current rubric. A repo with no high-severity findings on any axis lands at 90+ across the board (= A). A repo with a single high-severity finding takes a -30 on that axis and lands at 70 on it (= C). The intermediate case (high finding plus successful mitigation evidence) is rare in the corpus. v0.3 is expected to introduce more B grades; until then, B-and-up is functionally equivalent to A-and-up.
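The scoring rule from the methodology section and this answer, carried through as an added example (a model written for this page, not SkillAudit's engine); the warn deduction, the size of the tests/ down-weight and the B/D/F bands are assumptions, since the page only fixes 90 = A, -30 per high finding and 70 = C.

```python
"""Worked model of the grading rule this page describes: six axes scored 0-100,
overall score = worst-axis floor, a high-severity finding costs 30 on its axis,
A only when every axis is >= 90 with nothing above warn level in production
source. Added example, not SkillAudit's engine. Assumptions: a warn costs 10,
findings under tests/ are down-weighted to warn, B/D/F bands sit at 80/60."""
from dataclasses import dataclass

AXES = ("ssrf", "command_exec", "credentials", "permissions", "maintenance", "docs")
HIGH_DEDUCTION = 30  # page: a high finding "takes a -30 on that axis"
WARN_DEDUCTION = 10  # assumption; the page only says a warn keeps a repo A-eligible


@dataclass(frozen=True)
class Finding:
    axis: str       # one of AXES
    severity: str   # "high" or "warn"
    path: str       # repo-relative path where the engine flagged it


def effective_severity(f: Finding) -> str:
    """The page mentions a tests/ down-weight; treating it as high -> warn is assumed."""
    if f.severity == "high" and f.path.startswith("tests/"):
        return "warn"
    return f.severity


def axis_scores(findings) -> dict:
    """Start every axis at 100 and subtract per finding, never below 0."""
    scores = {axis: 100 for axis in AXES}
    for f in findings:
        if f.axis not in scores:
            raise ValueError(f"unknown axis {f.axis!r}")
        cost = HIGH_DEDUCTION if effective_severity(f) == "high" else WARN_DEDUCTION
        scores[f.axis] = max(0, scores[f.axis] - cost)
    return scores


def overall(findings):
    """Return (letter, floor). The letter comes from the worst axis, not the mean."""
    floor = min(axis_scores(findings).values())
    if floor >= 90:   # page: every axis >= 90; one high already drags an axis to 70
        return "A", floor
    if floor >= 80:   # assumed band; the page reports 0 B grades in the corpus
        return "B", floor
    if floor >= 70:   # page: a single high finding lands the axis at 70 = C
        return "C", floor
    if floor >= 60:   # assumed band
        return "D", floor
    return "F", floor
```

Running the cases shows why B is empty under the page's numbers: a clean repo is A, one production high is C, and piling highs onto a single axis drives it straight to F because the floor is the minimum, not an average.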
Is the shortlist exhaustive — could a great MCP not be on it?
Yes — the corpus is 101 repos, not the entire MCP ecosystem. Submit any MCP you'd like to see audited via the audit form and we'll add it to the next scan. If you're an MCP author, embed the badge on your README so future visitors see the grade at install time.
Should I just install all 19?
No. Each MCP added to a Claude Code or Cursor session expands the tool surface the LLM has to reason about, which dilutes prompt quality and increases the prompt-injection blast radius. Pick the smallest set that covers your use case — the three indie scenarios above suggest 3–5 MCPs is usually the right number. The audit is a "safe to install if needed" signal, not a "you should install this" signal.
How often is the corpus re-scanned?
Currently re-scanned on demand — when a maintainer flags a fix, when a new repo is submitted, or when the engine itself is updated (v0.2.1 → v0.3 forthcoming). The public board shows the scan date for each report card. A cron-driven weekly re-scan is on the roadmap; for now, treat April 2026 as the snapshot date for everything on this list.
Can I trust the grade for my own use case?
The grade summarises six axes that matter for most agent use cases. For specialised contexts (regulated finance, healthcare PHI, government workloads), pair the audit grade with whatever vendor-side compliance attestations you require — SOC 2, HIPAA BAAs, FedRAMP. The audit doesn't speak to those; it speaks to the source-code shape the MCP's tool handlers actually have. Both signals matter.
Is this list paid placement?
No. SkillAudit's free tier audits any public repo, the rubric and methodology are open, and grade placement is mechanical from the engine's score. The 19 entries above earned A grades because their source code passed the rubric — not because anyone paid for the placement. The same engine ran on the 42 F grades, with the same deductions.
Related posts and pages
- We scanned 52 MCP servers — 56% had SSRF, 44% leaked credentials — the aggregate methodology and findings the corpus distribution is calibrated against.
- 29 vendor-official MCP servers earned an F — every name, every file path — the inverse of this post: which vendor brands fail an audit and exactly where the engine flagged them.
- Block 52 of 101 community MCP servers with one CI gate — the 2026 team policy template — the team-side counterpart: if you run a team of more than one developer, this is how to gate installs at grade C automatically.
- SkillAudit vs Snyk, Dependabot, Socket, OSV-Scanner, npm audit, MCP Inspector, Anthropic Skills Directory, StackHawk, GitHub Code Scanning — where SkillAudit fits next to the security tools your team may already run.
- Embed your audit grade — if you maintain one of the 19 A-grade MCPs above (or are working toward joining the list), drop the SkillAudit badge into your README. Buyers see the trust signal at install time.
- The public audit board — every grade in the 101-repo corpus, every finding linked.
Picking an MCP server this week? Start with the public board.