# Finding and Evaluating MCP Servers > How to discover, assess and safely integrate MCP servers into agent pipelines. Category: Guide · Updated: 2026-06-11 · Tags: mcp, tools, agents, security Canonical: https://changegamer.ai/resources/mcp-server-discovery The Model Context Protocol (MCP) is an open protocol for connecting AI models to external tools, data sources and services. Announced by Anthropic in November 2024, it has since seen broad industry adoption. MCP defines a client/server interface: a host application (the MCP client) connects to servers that each expose tools, resources and prompts the model can invoke. Governance note: MCP originated under Anthropic stewardship but has attracted contributions from many organisations. Governance structures evolve quickly — verify the current status at modelcontextprotocol.io before relying on any statement about who controls the specification. ## Discovering MCP servers The canonical starting point is the official repository: - **github.com/modelcontextprotocol/servers** — the reference collection of first-party and community-contributed servers, each with source code, a README describing capabilities, and transport/auth details. Beyond that, servers are distributed through: **client-vendor marketplaces** (AI-assistant and IDE vendors increasingly ship curated server lists — check your client's documentation); **community registries** (third-party indexes that vary in review rigour — treat as leads, not endorsements); and **direct from vendors** (many teams publish MCP servers alongside their own products — prefer the official source over a third-party mirror). ## Evaluating a server **Transport** — the spec has evolved; treat the following as a snapshot and verify at modelcontextprotocol.io: *stdio* (local subprocess over stdin/stdout — low network surface); *HTTP + SSE* (legacy remote transport, still widely deployed); *Streamable HTTP* (newer consolidated remote transport — preferred for new deployments where the client supports it). Confirm the server's transport is supported by your client version. **Auth** — Check what credentials the server requires from you and what it holds on your behalf to call upstream APIs. Long-lived third-party tokens stored server-side are a significant blast-radius risk if compromised. **Permission/scope minimisation** — Prefer servers that expose only the tools your agent actually needs. Review the declared tool list before connecting; each tool is a potential code-execution or data-access path. Revoke access when done. **Maintenance signals** — Recent commit activity, a maintained changelog, and absence of open auth/misbehaviour bugs indicate the server tracks spec changes. Unmaintained servers built against old protocol versions may stop working as clients update. ## Security risks **Prompt injection** — A server controls the text of its tool descriptions and outputs. A malicious server can embed instructions attempting to redirect model behaviour (exfiltrate context, override system-prompt constraints). Mitigate by only connecting to servers you can review or trust, auditing tool descriptions, and using output sanitisation. **Supply-chain** — npm/PyPI packages for MCP servers carry the same risks as any open-source dependency: typosquatted packages, maintainer account takeovers, malicious dependency updates. Mitigate by pinning exact versions with lock files, preferring verified-org publishers, and auditing before production use. **Over-broad permissions** — Filesystem access, network egress, or credentials beyond the server's stated purpose are a red flag and amplify every other vulnerability. ## Checklist - [ ] Source confirmed (official repo, vendor-published, or reviewed community server). - [ ] Transport identified and compatible with your client version. - [ ] Authentication model understood; credentials stored securely. - [ ] Tool list reviewed; scope limited to what the agent actually needs. - [ ] Package version pinned and checksum verified (if distributed as a package). - [ ] Maintenance status checked (recent activity, no critical open bugs). - [ ] Prompt-injection risk assessed; output sanitisation in place for untrusted servers. - [ ] Plan to revoke server access when no longer needed.