Claude MCP Ecosystem
Rolling dossier on MCP (Model Context Protocol) servers in the Claude ecosystem — what they do, install patterns, security/data implications, and emerging workflows. Tracked because MCPs are increasingly how Claude gets real-world capability (filesystem, third-party APIs, content generation, etc.) and the catalogue is moving fast. Every claim cites a synthesis. Append new sources at the bottom of each section.
Current state (as of 2026-05-11)
MCPs are positioned in popular content as “abilities” granted to Claude rather than passive context — Claude operates the tool, not just reads about it. [[2026-05-11-sf67-content-creation-mcps]]
The standard install pattern across user-facing guides is: a single shell command (typically npm install -g or npx -y @scope/pkg@latest) plus an mcpServers JSON block added to ~/.claude.json, optionally with an env block carrying API keys. [[2026-05-11-sf67-content-creation-mcps]]
Notable MCP servers (catalogued)
Content creation cluster (per SF67)
- NotebookLM MCP — drives Google NotebookLM (notebooks, audio overviews, infographics, mind maps, slides, study guides). Install: npm install -g notebooklm-mcp. [[2026-05-11-sf67-content-creation-mcps]]
- Remotion MCP (@remotion/mcp) — programmatic video framework access; JSON key in SF67 is remotion-documentation, suggesting docs/scaffold scope rather than render execution (verify upstream). [[2026-05-11-sf67-content-creation-mcps]]
- SupaData — transcript and metadata pulls from YouTube, TikTok, Instagram, X, Facebook. Setup uses an env file at ~/.config/supadata/.env with SUPADATA_API_KEY; surfaced in Claude Code via a /transcript skill. [[2026-05-11-sf67-content-creation-mcps]]
- Stitch (@_davideast/stitch-mcp) — generates full UI screens, design systems and mockups from prompts; requires STITCH_API_KEY. [[2026-05-11-sf67-content-creation-mcps]]
- Magic / 21st.dev (@21st-dev/magic) — generates production-ready React + Tailwind components; requires 21st.dev API_KEY. [[2026-05-11-sf67-content-creation-mcps]]
Workflow patterns
- Multi-MCP chains in a single Claude conversation are presented as the high-leverage use case, not single-MCP point use. Example chains: transcript→KB→video (SupaData → NotebookLM → Remotion); layout→code (Stitch → Magic); multi-source competitive analysis (5 transcripts → NotebookLM → infographic). [[2026-05-11-sf67-content-creation-mcps]]
Data egress and security observations
- Several content-creation MCPs require API keys (SupaData, Stitch, Magic), meaning prompts and content leave the local machine to vendor APIs. Audit per-MCP data handling before using on sensitive material. [[2026-05-11-sf67-content-creation-mcps]]
- The cost model for paid services is not routinely disclosed in marketing one-pagers; verify pricing before chaining in agent loops. [[2026-05-11-sf67-content-creation-mcps]]
Security considerations — MCP as enterprise attack-surface
CyberCX’s 2026 Hack Report is the first source in this KB to treat MCP from the attack side rather than the capability side. It is named in the “Hacking AI systems” chapter as one of the most common AI-vulnerability classes observed across AU/NZ AI pen-test engagements.
- Bidirectional data flow inverts the standard control model. “New standards like Model Context Protocol (MCP) are being adopted, but are not yet secure, enterprise-ready implementations. In some instances, data can flow bi-directionally between servers and clients, meaning that traditional security controls implemented on the server side of an application must now be implemented on the client side too. This is creating a rise in authentication-related issues with MCP implementations.” [[2026-05-12-cybercx-2026-hack-report]]
- Authentication is the named failure mode. The Hack Report does not specify whether the issues observed are missing client-side authentication, weak token handling, or scope-overcollection; the canonical pattern is unspecified but the trend is rising. Anyone shipping MCPs in regulated environments should treat client-side authentication as a first-class control surface, not a derivative of server-side auth. [[2026-05-12-cybercx-2026-hack-report]]
- MCP risk co-occurs with the wider AI vulnerability surface. CyberCX records MCP issues alongside in-model IAM / excessive agency, weak guardrails, prompt injection, lack of content filtering, system-prompt exposure, and implicit bias as the dominant AI-system findings in 2025. Threat modelling for an MCP deployment should anticipate these neighbouring failure modes rather than treating MCP-auth as the only AI-system concern. [[2026-05-12-cybercx-2026-hack-report]]
- AU regulators have not yet named MCP. APRA’s 30 April 2026 letter cites prompt injection, insecure integrations and agent misuse but does not name MCP specifically; the Hack Report’s framing is the first explicit AU/NZ industry-side treatment in this KB. [[2026-05-12-cybercx-2026-hack-report]]
Verification cautions
- Promotional MCP catalogues may carry stale or wrong package names and JSON keys; verify against upstream docs before installing. Specific candidates to verify from SF67: @_davideast/stitch-mcp, the remotion-documentation key, and the notebooklm-mcp global package. [[2026-05-11-sf67-content-creation-mcps]]
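An added example, not taken from SF67 or any MCP project: a small audit of an mcpServers block that ties together the install pattern under Current state, the data egress observations and the verification caution above. It assumes the common layout of command, args and env per server; the package names, key names and values in the sample are constructed placeholders.

```python
import json
import re
# Constructed sample in the shape the dossier describes. Package names, key
# names and values are hypothetical placeholders, not real packages or secrets.
SAMPLE_CONFIG = """
{"mcpServers": {
  "transcripts": {"command": "npx",
                  "args": ["-y", "@example-scope/transcript-mcp@latest"],
                  "env": {"EXAMPLE_API_KEY": "constructed-not-a-real-key"}},
  "design": {"command": "npx",
             "args": ["@example-scope/design-mcp@1.4.2"],
             "env": {"EXAMPLE_API_KEY": "constructed-not-a-real-key"}},
  "local-notes": {"command": "/usr/local/bin/notes-mcp", "args": []}
}}
"""

SECRET_NAME = re.compile(r"KEY|TOKEN|SECRET|PASSWORD", re.I)
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+([-+][0-9A-Za-z.-]+)?$")

def package_version(spec):
    """Split an npm spec such as '@scope/pkg@1.2.3' into (name, version)."""
    name, sep, version = spec.rpartition("@")
    if not sep or not name:  # 'pkg' or '@scope/pkg' carries no version
        return spec, None
    return name, version

def audit(config_text):
    """Return sorted (server, finding) pairs for an mcpServers config."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for server, entry in servers.items():
        args = entry.get("args", [])
        if entry.get("command") == "npx":
            if "-y" in args or "--yes" in args:
                findings.append((server, "npx auto-confirms install (-y)"))
            # The first non-flag argument is the package npx will fetch.
            spec = next((a for a in args if not a.startswith("-")), None)
            if spec is not None:
                _, version = package_version(spec)
                if version is None or not EXACT_VERSION.match(version):
                    findings.append((server, f"unpinned package: {spec}"))
        for var, value in entry.get("env", {}).items():
            # A credential here means content goes to a vendor API.
            if value and SECRET_NAME.search(var):
                findings.append((server, f"credential in config env: {var}"))
    return sorted(findings)

if __name__ == "__main__":
    for server, finding in audit(SAMPLE_CONFIG):
        print(f"{server}: {finding}")
```

Each "credential in config env" finding marks a server whose data handling needs review before sensitive material is passed through it; each "unpinned package" finding marks a name and version to confirm against upstream docs.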
Open threads to watch
- First-party Anthropic-published MCPs vs. community MCPs — a comparison/curation source.
- Standard patterns for managing MCP secrets and rotation.
- Whether the “chain MCPs in one conversation” pattern degrades under longer sessions (context, error handling between MCPs).
- A reliable source for dated, audited MCP listings (rather than marketing one-pagers).
Sources
- [[2026-05-11-sf67-content-creation-mcps]] — AI Basic Series SF67 setup guide. Promotional; technical pointers preserved but not independently verified.
- [[2026-05-12-cybercx-2026-hack-report]] — CyberCX STA 2026 Hack Report. First treatment of MCP from the attack-surface side in this KB; AU/NZ practitioner perspective on bidirectional-data-flow and rising authentication-related findings.