
MCP servers and agent tools

Understand the Model Context Protocol — what it is, how it expands agent capabilities, and how to add MCP servers to Claude Code safely.

Using AI · Advanced · 12 min read
By the end of this lesson you will be able to:
  • Explain what MCP is and why it exists as a standard protocol
  • Describe what categories of capability MCP servers can provide to an agent
  • Add an MCP server to Claude Code using the settings file
  • Apply the trust model for deciding whether to use a given MCP server

Claude Code can read files and run shell commands. That covers a wide range of coding tasks. But some tasks require reaching outside the local file system: query a database, call an external API, search the web with structured results, or control a browser. You could write shell scripts to do these things and let the agent call them. Or you could use MCP.

What MCP is

MCP (Model Context Protocol) is an open standard developed by Anthropic that defines how AI agents communicate with external tools and data sources. Think of it as a universal plug standard: an MCP server exposes a set of tools, and any MCP-compatible agent can use those tools without the agent needing to know how they are implemented.

Before MCP, every tool integration was a one-off: you would write a custom integration for each tool, in the agent's specific format, and it would only work with that agent. MCP standardises the interface so that a database MCP server, once written, works with Claude Code, Cursor, and any other MCP-compatible client.

The protocol works over stdio (a local process) or HTTP (a remote server). The agent discovers what tools an MCP server provides, calls them with structured arguments, and receives structured responses — just like calling a function.
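The discover-then-call exchange described above, shown as JSON-RPC 2.0 messages (the wire format MCP uses). This is an added example, not code from the lesson or from any published MCP server: a toy server dispatches tools/list and tools/call for one constructed read-only tool (query_rows, its schema and its table data are all assumptions) and returns the JSON-RPC error shape when the tool name or its arguments are wrong.

```python
import json

# Constructed tool catalogue and table data for a toy server (assumed for this example, not from any published MCP server).
TOOLS = {"query_rows": {
    "name": "query_rows",
    "description": "Return rows from a read-only table",
    "inputSchema": {"type": "object", "required": ["table"],
                    "properties": {"table": {"type": "string"}, "limit": {"type": "integer"}}}}}
TABLES = {"users": [{"id": 1, "name": "ada"}, {"id": 2, "name": "grace"}]}

def _validate(schema, arguments):
    """Check arguments against the tool's inputSchema: required keys and basic types."""
    types = {"string": str, "integer": int}
    for key in schema.get("required", []):
        if key not in arguments:
            return f"missing required argument {key!r}"
    for key, value in arguments.items():
        expected = schema["properties"].get(key, {}).get("type")
        if expected in types and not isinstance(value, types[expected]):
            return f"argument {key!r} must be {expected}"
    return None

def _error(rid, code, message):
    return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": message}}

def handle(req):
    """Server side: dispatch one JSON-RPC request dict (one JSON line over stdio)."""
    rid = req.get("id")
    if req["method"] == "tools/list":   # discovery: what tools exist and their schemas
        return {"jsonrpc": "2.0", "id": rid, "result": {"tools": list(TOOLS.values())}}
    if req["method"] == "tools/call":   # invocation with structured arguments
        name = req["params"]["name"]
        args = req["params"].get("arguments", {})
        if name not in TOOLS:
            return _error(rid, -32602, f"unknown tool {name}")
        problem = _validate(TOOLS[name]["inputSchema"], args)
        if problem:
            return _error(rid, -32602, problem)
        rows = TABLES.get(args["table"], [])[: args.get("limit", 10)]
        return {"jsonrpc": "2.0", "id": rid, "result": {
            "content": [{"type": "text", "text": json.dumps(rows)}], "isError": False}}
    return _error(rid, -32601, "method not found")

def discover_and_call():
    """Client side: list the tools, call the first one, return the decoded rows."""
    listing = handle({"jsonrpc": "2.0", "id": 1, "method": "tools/list"})
    tool = listing["result"]["tools"][0]["name"]
    call = {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
            "params": {"name": tool, "arguments": {"table": "users", "limit": 1}}}
    return json.loads(handle(call)["result"]["content"][0]["text"])
```

A real server also answers an initialize handshake first; it is omitted here to keep the focus on discovery and invocation.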

What MCP servers can provide

The ecosystem is growing, but these are the main categories of MCP servers today:

Database access. A database MCP server lets the agent run queries against a real database. Useful for: exploring schemas, generating migrations based on current state, validating data, and debugging query performance. Examples: @modelcontextprotocol/server-postgres, @modelcontextprotocol/server-sqlite.

File system and search. Extended file system operations beyond what the agent has natively — searching across files, reading specific formats, accessing remote file systems. Example: @modelcontextprotocol/server-filesystem.

Web and browser. Fetching web pages, running searches, automating browser interactions. Useful when the agent needs to look something up or interact with a web interface. Examples: @modelcontextprotocol/server-fetch, @modelcontextprotocol/server-puppeteer.

API integrations. Pre-built connectors for external services: GitHub, Slack, Linear, Jira, and others. The agent can open issues, read pull requests, post messages — all through the MCP interface.

Custom servers. You can write your own MCP server. If your organisation has an internal API, a data warehouse, or a proprietary service, you can expose it to the agent through a custom MCP server without modifying the agent itself.

Adding an MCP server to Claude Code

MCP servers are configured in ~/.claude/settings.json under the mcpServers key:

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/path/to/project"]
    },
    "sqlite": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-sqlite", "--db-path", "./data.db"]
    }
  }
}

Each entry has a name (used to identify the server), a command (the executable), and args (arguments passed to it). When Claude Code starts, it launches the configured MCP servers and discovers the tools they provide. The agent can then call those tools as part of its normal workflow.

Claude Code also supports adding MCP servers via the CLI:

claude mcp add --name filesystem npx @modelcontextprotocol/server-filesystem /path

This is equivalent to editing the settings file directly. Use whichever is more convenient — both produce the same configuration.

The trust model

Here is the thing you must understand about MCP servers before you add any:

MCP servers run code on your machine. When you add an MCP server, you are trusting that server's code with the same access it is configured to have. A database MCP server that points at your production database can run any query the agent asks it to. A file system MCP server with broad path access can read any file in that path.

The principle is the same as the principle for any dependency: only add servers you trust, from sources you can verify, with the minimum access needed.

Questions to ask before adding an MCP server:

  • Who maintains this server? Is it from a reputable source (Anthropic, a major vendor, a well-known open source project) or an unknown package?
  • What access does it need? A filesystem server that requires your entire home directory is asking for more than it likely needs for your project.
  • What does it do with data it sees? A remote MCP server (HTTP, not stdio) could send your queries to a third-party service. Verify the server's code or its privacy policy.
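The three questions above, applied mechanically to a settings.json block in the shape shown in the "Adding an MCP server" section. This is an added example, not code from the lesson or from Claude Code: the sample config, the "notes" and "search" entries, the "url" key for a remote server and the trusted package scopes are all constructed assumptions for the example.

```python
import json
from pathlib import PurePosixPath

# Constructed mcpServers block in the settings.json shape the lesson shows; the "notes"
# and "search" entries, the "url" key and the package names are assumptions for this example.
SAMPLE_CONFIG = json.loads("""{
  "mcpServers": {
    "filesystem": {"command": "npx",
                   "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev"]},
    "sqlite": {"command": "npx",
               "args": ["-y", "@modelcontextprotocol/server-sqlite", "--db-path", "./data.db"]},
    "notes": {"command": "npx", "args": ["-y", "some-random-mcp-tool"]},
    "search": {"url": "https://mcp.example.invalid/sse"}
  }
}""")

# Package scopes the team has decided to trust (an assumption; maintain your own list).
TRUSTED_SCOPES = ("@modelcontextprotocol/",)

def review_config(config, home="/home/dev"):
    """Apply the lesson's trust questions to each server; returns (server, finding) pairs."""
    home = PurePosixPath(home)
    findings = []
    for name, entry in config.get("mcpServers", {}).items():
        if "url" in entry:  # remote server: your queries leave the machine
            findings.append((name, "remote server: verify where it sends your data"))
            continue
        args = entry.get("args", [])
        pkg = next((a for a in args if not a.startswith("-")), None)
        # Who maintains it? npx -y fetches and runs whatever package is named.
        if entry.get("command") == "npx" and pkg and not pkg.startswith(TRUSTED_SCOPES):
            findings.append((name, f"package {pkg} is outside the trusted scopes"))
        # What access does it need? Flag any absolute path at or above the home directory.
        for a in args:
            p = PurePosixPath(a)
            if a != pkg and not a.startswith("-") and p.is_absolute() and home.is_relative_to(p):
                findings.append((name, f"path {a} exposes the whole home directory or wider"))
    return findings

def flagged_servers(config, home="/home/dev"):
    """Names of servers with at least one finding, for a quick pass/fail gate."""
    return sorted({name for name, _ in review_config(config, home)})
```

Only the sqlite entry passes: it comes from a trusted scope and points at a single relative database file.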

Prompt injection through MCP is a real attack vector. If an MCP server fetches content from the web — a page, a file, an API response — that content could contain instructions designed to hijack the agent's behaviour. The next lesson covers this in depth. For now: be especially careful with MCP servers that fetch external content and feed it directly into the agent's context.

The expanding toolkit

The MCP ecosystem is growing rapidly. Capabilities that required custom scripting six months ago are available as published MCP packages today. This means the investment in learning MCP's model — understand what servers can provide, evaluate them on trust, configure them appropriately — pays dividends as the ecosystem expands.

When you encounter a task that requires something Claude Code cannot do natively, the first question to ask is: "Is there an MCP server for this?" Often there is. The second question is: "Do I trust it enough to add it to my environment?"

MCP servers and agent tools

  1. What problem does the Model Context Protocol (MCP) solve?
  2. Which of the following are appropriate questions to ask before adding an MCP server to your Claude Code configuration? Select all that apply.
  3. An MCP server runs in an isolated sandbox and cannot access resources beyond what it is explicitly designed to query.

Where to go next

MCP expands what the agent can reach. The final lesson examines the full security picture — agent security and trust — covering prompt injection, the minimal-permission principle, and the operations that must always require human confirmation.
