How to Connect an Agent to MCP Tools
Install an MCP server, wire it into Claude Code, the Claude Agent SDK, or Cursor, and allow-list narrowly — plus the security rules that matter.
Model Context Protocol — MCP — is an open standard for connecting AI agents to external tools and data. In 2026 it has become the default. Claude Code, the Claude Agent SDK, Cursor, and most agent frameworks speak it; there’s a growing ecosystem of MCP servers for GitHub, Slack, Postgres, Notion, Linear, your internal APIs, and hundreds of other systems.
This guide explains what MCP actually is, how to install and connect a server, how to allow-list only the tools you want, and how to avoid the security mistakes that bite people on the way in.
What MCP actually is (in plain terms)
MCP is a small JSON-RPC protocol that lets any agent talk to any compatible tool provider. The provider is called an MCP server; your agent is the MCP client. The server advertises a list of tools (and resources, and prompts). The client asks for a tool to be invoked with arguments. That’s it.
The payoff: the same Slack MCP server works with Claude Code, the Claude Agent SDK, and most other agent frameworks. You write the integration once, you use it everywhere.
Step 1 — Pick a server to start with
Pick something with a clear, low-risk tool set. Good first MCP servers:
- Filesystem — scoped to a directory.
- Fetch — fetches a URL and returns text.
- GitHub (read-only) — list repos, read issues, read code.
- Postgres (read-only) — against a dev DB, not prod.
Avoid starting with a server that can write — post to Slack, send email, merge PRs. Add those after you trust the agent.
Step 2 — Install an MCP server
Most MCP servers ship as npm or Python packages. Example — the filesystem server:
```bash
npx -y @modelcontextprotocol/server-filesystem /path/to/allowed/dir
```
That single command starts an MCP server over stdio, scoped to the directory you pass. It will advertise tools such as read_file, write_file and list_directory.
Step 3 — Wire it into your agent
Claude Code
Claude Code reads project-scoped servers from .mcp.json at the root of your repo (commit it and the whole team gets the same servers):
```json
{
  "mcpServers": {
    "fs": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "./docs"]
    }
  }
}
```
Restart Claude Code (or run /mcp to confirm the server connected) and the agent can call mcp__fs__read_file, etc. See our Claude Code setup guide for the full picture.
Claude Agent SDK (Python)
```python
import asyncio

from claude_agent_sdk import ClaudeAgentOptions, query

opts = ClaudeAgentOptions(
    # Same server definition as the Claude Code config above, spawned over stdio.
    mcp_servers={
        "fs": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-filesystem", "./docs"],
        }
    },
    # Tool names follow the SDK's mcp__<server>__<tool> scheme.
    allowed_tools=["mcp__fs__read_file", "mcp__fs__list_directory"],
)


async def main():
    async for m in query(prompt="List files in docs and read README.md.", options=opts):
        print(m)


asyncio.run(main())
```
Notice the allowed_tools list: only those tools are pre-approved. Even if the server advertises write_file, the agent cannot call it without a permission grant. That holds as long as you leave permission_mode at its default; bypassPermissions waives the check entirely. If you want the block to be explicit rather than implicit, list write_file under disallowed_tools as well.
Cursor
Cursor reads .cursor/mcp.json with the same shape. Add the server, restart, and the agent can use its tools in agent mode.
Step 4 — Allow-list narrowly
Default to read-only tools. Add write tools one at a time, each time asking: “if this tool is called wrongly, what does it take to recover?” Sending a Slack DM is recoverable. Dropping a Postgres table is not.
Step 5 — Hook for audit + spend
On the Claude Agent SDK, register a PreToolUse hook (the hooks option on ClaudeAgentOptions) that logs every tool call and can veto ones that look wrong. It is a cheap sanity check that will save you at least once.
Step 6 — Environment variables, not prompts, for secrets
Never put API keys in an MCP server’s prompt or config visible to the agent. Pass them as environment variables to the server process. The agent should be able to use the tool without ever seeing the credential.
Step 7 — Run untrusted MCP servers with care
MCP servers are real code on your machine. A malicious MCP server can exfiltrate data, especially if the agent passes sensitive inputs to it, and the tool descriptions it advertises are text the model reads, so a hostile server can also smuggle instructions to the agent through them. Rules of thumb:
- Only run servers you’d trust as a regular npm/pip dependency.
- Prefer official servers (Anthropic, GitHub, Vercel, etc.) when they exist.
- For sketchy third-party servers, run them in a container or as a scratch user.
- Keep the filesystem server’s path scoped; don’t point it at /.
- Read the tool list a new server advertises before adding any of its tools to the allow-list.
The clearest upside
MCP turns agent tool integration from a per-framework project into a plug-and-play exercise. If you’re still hand-coding REST clients inside a single framework, you’re paying a tax you no longer need to pay. Pick one MCP server, wire it in, and you’ll see why it flipped to being the standard.
For context on where MCP fits into the bigger agent picture, see our setup-an-AI-agent overview — MCP is the tools layer in almost every path on the decision tree.