What's the difference between an MCP server and a plugin?

An MCP server is a single tool (e.g., a Slack integration). A plugin is a bundle that can include multiple MCP servers, slash commands, and skills. Plugins are the distribution unit; MCP servers are the capability unit.

How do I install a Claude Code MCP server?

Run 'claude mcp add ' to register an MCP server, or install via 'claude plugin install ' for marketplace plugins. Configuration lives in ~/.claude/settings.json. The official Anthropic docs at docs.claude.com/en/docs/claude-code list current commands.

Are MCP servers safe to install?

MCP servers run with the permissions you grant them. A poorly-vetted server can read files, exfiltrate data, or execute arbitrary code. For enterprise use, install only from approved marketplaces, run servers in sandboxes, audit permissions, and monitor calls. Clarista's MCP gateway enforces this automatically — every MCP call is logged, sandboxed, and policy-checked.

Claude Code MCP Servers & Plugins: The Complete 2026 Guide

Q: What is MCP (Model Context Protocol)?

MCP is Anthropic's open standard for connecting language models to external tools and data sources. An MCP server exposes capabilities (read a database, call a Slack API, query Jira) over a standardized protocol that any MCP-compliant client (Claude Code, Claude Desktop, Cowork) can invoke. Think of it as USB for AI — one protocol, many tools, many clients.

Q: What is a Claude Code plugin?

A Claude Code plugin is a bundled set of MCP servers, custom slash commands, and skill files that extend Claude Code's capabilities. Plugins can be installed from a marketplace and grouped into team-specific bundles. They're how organizations distribute internal tooling and workflows.

What is MCP?

Model Context Protocol (MCP) is Anthropic's open standard, released in late 2024, for connecting language models to external tools and data sources. Think of it as USB for AI: one protocol, many tools, many clients.

Before MCP, every AI client had to build a custom integration for every tool. Want Claude to read your Jira? Custom code. Want Cursor to query your Postgres? Custom code. With MCP, you write the integration once as a server, and any MCP-compliant client (Claude Code, Claude Desktop, Cowork, Cursor experimental) can call it.

MCP defines three primary capabilities a server can expose:

Resources — read-only data the model can fetch (file contents, database rows, API responses).
Tools — actions the model can invoke (create a Jira ticket, send a Slack message, run a SQL query).
Prompts — reusable prompt templates the user can trigger.

What is a Claude Code plugin?

A plugin is the distribution unit above MCP servers. A plugin bundles:

One or more MCP servers
Custom slash commands (e.g., /deploy, /runbook)
Skills (SKILL.md files that activate based on user intent)
Configuration and metadata

You install a plugin once, and you get all its capabilities. Plugins can be published to marketplaces — Anthropic's official one, third-party ones, or a private internal marketplace for your team.

Installing an MCP server (the basics)

The CLI command depends on your version of Claude Code. As of mid-2026:

# Install a community MCP server
claude mcp add github-mcp \
  --command="npx" \
  --args="-y,@modelcontextprotocol/server-github"

# Set required environment variables
claude mcp set-env github-mcp GITHUB_TOKEN=ghp_...

# Verify it's loaded
claude mcp list

For plugins from a marketplace:

# Install a plugin from the official marketplace
claude plugin install @anthropic/devops-toolkit

# Install from a private marketplace
claude plugin install --marketplace=internal @acme/finance-agent

Configuration lives in ~/.claude/settings.json. For up-to-date commands and CLI surface, check the official Anthropic docs at docs.claude.com/en/docs/claude-code — the protocol and CLI are evolving fast.

The most useful MCP servers in 2026

Server	What it does	Source
github-mcp	Read PRs, comment, manage issues	Anthropic official
filesystem	Sandboxed read/write to specified directories	Anthropic official
postgres / sqlite	Run queries, inspect schema	Anthropic official
slack-mcp	Read channels, search history, send messages	Community
jira-mcp / linear-mcp	Read tickets, create tasks, assign work	Community
browser-mcp	Drive a real browser for testing / scraping	Community (Playwright-based)
aws-mcp / gcp-mcp	Inspect cloud resources, run CLI commands	Community
datadog-mcp / sentry-mcp	Pull telemetry, errors, traces during debug sessions	Vendor / community
figma-mcp	Read design files, generate code from frames	Figma official (beta)
clarista-mcp	Deploy Claude Code output to enterprise production	Clarista

Most useful plugins (bundles)

Anthropic official

devops-toolkit bundles AWS, GCP, Datadog, and Sentry MCP servers with slash commands like /incident, /deploy, /rollback. The starting point for SRE workflows.

data-analyst bundles Postgres, Snowflake, BigQuery, and a SQL skill. Excellent for analytics teams.

Community plugins worth a look

fullstack-web — frontend + backend + DB MCP servers, plus build/test slash commands.

react-native-toolkit — mobile-specific tooling, simulator control, hot reload.

security-audit — wraps SAST/SCA tools, useful for code review sessions.

Building your own MCP server

The protocol is simple. Anthropic publishes SDKs in TypeScript, Python, Kotlin, and Go. A minimal server in TypeScript:

import { Server } from "@modelcontextprotocol/sdk/server/index.js";
import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";

const server = new Server({ name: "my-server", version: "1.0.0" }, {
  capabilities: { tools: {} }
});

server.setRequestHandler("tools/list", async () => ({
  tools: [{
    name: "say_hello",
    description: "Say hello to someone",
    inputSchema: { type: "object", properties: { name: { type: "string" } } }
  }]
}));

server.setRequestHandler("tools/call", async (req) => ({
  content: [{ type: "text", text: `Hello, ${req.params.arguments.name}!` }]
}));

await server.connect(new StdioServerTransport());

Save as server.ts, compile, register with Claude Code:

claude mcp add hello --command="node" --args="./server.js"

This is a trivial example. Real MCP servers wrap APIs, query databases, run CLI tools, drive browsers — anything you'd normally script.

The enterprise problem with MCP

MCP is powerful — which means it's also dangerous in unmanaged environments. The risks:

Permissions sprawl. Each MCP server runs with its own credentials. Without central management, your engineers accumulate API keys across dozens of servers.
Audit blindness. A user-installed MCP server makes API calls that don't show up in your centralized logs. When a tool quietly leaks data, you don't know.
Supply chain risk. Community MCP servers come from npm and PyPI. The same supply-chain attacks that hit other ecosystems hit MCP.
BYO LLM friction. Most MCP setup assumes Claude API directly. Wiring through Bedrock, Azure OpenAI, or a private deployment adds complexity per-server.
Sandbox escape. An MCP server with filesystem access can read SSH keys, .aws credentials, ~/.netrc. A misconfigured one is a privilege escalation.

FOR ENTERPRISES

Clarista is the enterprise MCP gateway

Central MCP catalog with approved servers only. Every call sandboxed. Every action audited. BYO LLM enforced at the gateway. Claude Code + Cursor + internal agents all share the same governance layer.

See enterprise vibe coding →

Practical setup tips

1. Use scoped tokens

Give each MCP server the narrowest credential possible. A read-only GitHub token for github-mcp. A read-only Postgres user for the database server. If a server gets compromised, blast radius is limited.

2. Keep ~/.claude/settings.json in Git

Track your MCP configuration the same way you track dotfiles. Comment why each server is there. Review on every change.

3. Audit MCP server outputs

Claude Code can show every MCP call it makes. Watch them during early sessions. If a server returns more data than expected, restrict its scope.

4. Use plugins instead of one-off MCP installs

Plugins are versioned, distributable, and easier to roll back. A team-shared plugin bundle is much cleaner than every engineer installing different MCP servers.

5. For sensitive work, use a Clarista-style gateway

For regulated or sensitive workflows, route every MCP call through a gateway that enforces policy, logs everything, and isolates servers in sandboxes. This is what Clarista provides.

Claude Code SDK, hooks, router, subagents, remote control

Beyond MCP servers, Claude Code exposes several extension points worth knowing:

Claude Code SDK — programmatic API for embedding Claude Code into your own tools, CI pipelines, or internal platforms. Available in TypeScript and Python.
Claude Code hooks — PreToolUse, PostToolUse, UserPromptSubmit hooks let you intercept and modify behavior. Use for auto-format, lint, block dangerous bash, audit logging.
Claude Code router — community routing layer that lets Claude Code call multiple LLM backends (Anthropic, Bedrock, Azure, self-hosted) under one config. Useful for cost optimization and BYO LLM.
Claude Code subagents — spawn focused sub-tasks via the Task tool that run in isolated context. Best for codebase searches, test runs, multi-file refactors.
Claude Code remote control — running Claude Code on a remote machine and controlling it via SSH, web UI, or API. Enables headless agentic workflows.
Claude Code plugins — versioned bundles of MCP servers + slash commands + skills, distributed via marketplaces.

FAQ

Is MCP open source?

Yes — the protocol spec, the reference servers, and the SDKs are all open source under permissive licenses. Anthropic maintains them, but anyone can build clients or servers.

Can MCP servers run on remote machines?

Yes — MCP supports stdio (local) and SSE / HTTP (remote) transports. Remote MCP servers are common for shared team capabilities.

Does Cursor / VS Code support MCP?

Yes — Cursor added experimental MCP support in 2025. VS Code support is via extensions. The protocol is increasingly cross-client.

How is MCP different from OpenAI's function calling?

Function calling is per-request, per-model API. MCP is a persistent server-client protocol. Functions are defined inline; MCP servers are external processes with their own lifecycle. MCP also handles resources and prompts, not just tools.