Connecting a server changes Claude Code’s reachable data and effects. Treat installation as dependency and permission review, not copying a command from a directory listing.
Review Before Connecting
Record owner, source, version, package integrity, transport, command/URL, requested credentials, tools/resources/prompts, data sent, write effects, network destinations, logs, update path, and uninstall/revocation path.
Prefer a server from the system owner or reviewed source. Pin a version where practical. Run local processes under a restricted OS identity. For remote servers, follow current MCP authorization and validate intended audience/scopes.
Add at the Correct Scope
Claude Code supports MCP configuration scopes and transports described in its current docs. Use project sharing only when every teammate should trust the same server and the configuration contains no personal secret. Keep credentials in supported secret/environment mechanisms, not committed JSON.
After adding, inspect the actual discovered capabilities. Test with synthetic data and read-only operations first. Remove unused servers.
Worked Example
A Lahore development team connects a Git issue search server. Review finds it requests repository read scope only. The team uses a test repository, pins the package, adds project configuration without a token, and supplies each developer’s authorized credential separately.
It confirms search cannot create, close, or comment on issues. The production repository is added only after a read audit. Revoking the credential and removing config are tested.
Failure Cases to Diagnose
- Directory popularity equals trust: review source and permissions.
- Token committed in config: rotate and use managed secrets.
- Server gains all repositories: scope the provider identity.
- Capability list not inspected: compare declared and observed actions.
- Auto-update changes behavior: pin and review updates.
- No removal drill: test credential revocation and process termination.
Operator Note
Create a clean-room connection test: a new user or machine follows only the documented configuration, receives only intended capabilities, and can remove everything without hidden state. This catches personal environment variables, globally installed packages, and undocumented trust prompts. Save sanitized evidence for future upgrades; do not store live token values in screenshots or logs.
🇵🇰 Pakistan Angle
Agency developers must not connect personal broad-scope GitHub, Drive, or CRM credentials to a client workspace. Use client-authorized accounts and repository-specific access.
Remote MCP processing can create cross-border data exposure and foreign-currency cost. Record the vendor, terms, and client approval before real data.
Hands-On Exercise
- Complete the server review record.
- Connect it at the minimum scope using synthetic data.
- Inspect capabilities and run read-only tests.
- Attempt a forbidden action.
- Revoke credential and remove the server.
Completion Rubric
- Source/version/integrity are reviewed.
- Credentials are uncommitted and scoped.
- Configuration scope matches ownership.
- Actual capabilities are tested.
- Real data waits for approval.
- Revocation and removal work.
Sources
Key takeaway: connecting an MCP server is granting a software dependency access; verify ownership, code, capabilities, credentials, data paths, and removal first.