Install examples

MCP Install Examples for Claude Code, Cursor, and Agent Workflows

Install examples are useful only when they preserve source identity and permission boundaries. This guide shows command shapes for common MCP servers and pairs each command with a safer default and a verification step before a team uses it in a real coding or browser workflow.

Last reviewed against official project documentation on July 10, 2026.

Direct answer

What is the safe way to install an MCP server?

Install an MCP server by verifying the official source, choosing the narrowest useful permission scope, testing in the exact client, and running a read-only proof before allowing write actions. Do not treat a copied command as safe just because it uses npx, uvx, or Docker. The important questions are source, scope, credentials, and rollback.

Command examples with safer defaults

ServerCommand shapeSafer defaultVerify first
Filesystem MCPOfficial setup sourcenpx -y @modelcontextprotocol/server-filesystem /absolute/project/pathAllow one project folder, not the home directory or downloads folder.Ask the agent to list only the allowed directory and refuse access outside it.
Memory MCPOfficial setup sourcenpx -y @modelcontextprotocol/server-memoryUse a dedicated memory file and keep sensitive decisions out of automatic recall.Create a test memory, read it back, then delete or archive the test state.
Git MCPOfficial setup sourceuvx mcp-server-git --repository /absolute/repo/pathStart in a sandbox repository or read-only review workflow.List branches and status before allowing commits, tags, or workflow-triggering actions.
Chrome DevTools MCPOfficial setup sourcenpx chrome-devtools-mcp@latestUse a dedicated browser profile and avoid logged-in personal sessions.Capture a screenshot and performance trace without submitting forms or changing account state.

How to adapt an install example to your own client

MCP clients differ in how they pass command arguments, environment variables, working directories, and tool names to the server. A command that works in Claude Desktop may need a wrapper for Windows, a different path format in Cursor, or a separate config block in a CI-like coding agent. Keep the install command and the client config in the same review note so the team can reproduce the setup.

The safest install examples are explicit about what they do not cover. They do not claim that a server is safe for every repo, that a package name is permanent, or that a production token is appropriate. They show the command shape, list the permission surface, and tell the operator how to prove the first run without mutating anything important.

What to record after a successful install

Save the package name, source URL, client config, command, environment variable names, first-run output, blocked-action test, and rollback path. That evidence matters later when a teammate copies the setup, a package updates, a token rotates, or a security review asks why the server is allowed in the workflow.

When an install example is not enough

A command example does not replace a rollout plan. If the server can touch production databases, payment tools, messaging systems, browser sessions, or repositories with write access, the team needs a policy for approvals and logging. The command only proves that the server can start. It does not prove that the assistant will use it safely in every context.

For high-risk servers, require a sandbox first. Use a test repository, branch database, dedicated browser profile, or temporary API token. Run one intentionally blocked task and save the result. That blocked test is often more useful than a successful demo because it proves the boundary works when the agent asks for something it should not do.

How to choose between local, container, and hosted MCP installs

Local installs are usually the fastest way to test an MCP server, but they also inherit local filesystem, shell, and environment behavior. Container installs can make the runtime more repeatable and reduce path surprises, but they still need explicit mounts, token handling, and network limits. Hosted or managed MCP servers are easier for teams to share, yet they create a different review problem: who owns the server, how logs are retained, and whether the hosted layer can see sensitive inputs.

The safer choice depends on the workflow rather than the package manager. A filesystem server for a single repo can start locally with a narrow path. A browser QA server should use a dedicated browser profile. A database server should start against a read-only or branch database. A GitHub or deployment server should begin with repository-scoped or preview-only access. The install command is only one part of the decision; the permission boundary is the operational decision.

What to do when an MCP install guide is stale

MCP packages move quickly. If an install command fails, do not immediately search for a random replacement package and paste it into the same client config. Re-check the official project page, release notes, package registry, and client documentation. Record what changed: package name, command syntax, required runtime, environment variable names, or client config shape. Stale install guides become dangerous when teams keep the old permission assumptions while swapping in a new package source.

Version pinning and Windows launch notes

Official examples often use npx with the latest published package because that is the shortest setup path. For a repeatable team workflow, test the current release first, record the version that passed, and then pin that approved version in the shared client config. Re-run the read-only proof before accepting a later package update.

On Windows, the official Filesystem and Memory server documentation uses cmd /c npx in client configuration. Path quoting, drive-letter casing, and client-specific environment handling can also change the result. Treat the one-line commands above as command shapes, then copy the complete configuration from the linked official source for the operating system and MCP client you actually use.

Post-install verification matrix

Use this matrix before publishing an internal MCP setup note. The goal is to prove source, client, permission, and rollback behavior while the installation is still easy to undo.

CheckQuestionPass signal
Source identityDoes the package, repo, documentation, and maintainer identity match?The command comes from the official docs or a clearly maintained project page.
Client visibilityDoes the MCP client expose the expected tools and only those tools?The tool list matches the intended workflow and does not expose broad unexpected actions.
Read-only proofCan the server complete a useful task without writes or production credentials?The first task returns evidence while blocked writes remain blocked.
Rollback pathCan the team disable the server, remove tokens, and restore config quickly?The config file, token owner, and uninstall/revert path are written down.

FAQ

Can I copy MCP install commands directly from an AI answer?

Do not copy an MCP install command until the package source, maintainer, documentation, and permission scope are verified. AI answers can repeat stale package names or omit client-specific configuration details.

Should install examples include production credentials?

No. Install examples should use placeholders or sandbox credentials. Production tokens, customer data, and write-capable database roles should be introduced only after source review and read-only proof.

Why do some MCP servers use npx while others use uvx or Docker?

Different MCP servers are packaged through different ecosystems. The safer decision is not npx versus uvx by itself; it is whether the command matches the official source and whether the runtime permission scope is narrow enough.

What should I test after installing an MCP server?

Test source identity, client visibility, read-only behavior, blocked write behavior, log output, rollback path, and whether the assistant exposes the expected tool names without leaking environment values.

Related pages