github-mcp-server
Official GitHub MCP server. Browse, search, and modify repos, issues, PRs, and Actions from any MCP-aware agent. Mature, fast-moving.
If your agent touches code or repositories, this is the default. Maintained by GitHub themselves.
What it does
Exposes a wide set of GitHub operations as MCP tools: listing repos, reading files, searching code, opening issues, drafting PRs, reading workflow runs, and more. Probably the most-installed MCP server in 2026.
Why you’d install it
If your agent reads or writes code, github-mcp-server is the path of least resistance. The alternative — wiring octokit.js calls into a custom tool layer — duplicates work that GitHub now maintains officially.
Setup
- Generate a PAT (classic or fine-grained). Pick the smallest scope that covers your use case.
- Install the server:
  Claude Desktop (config.json, under "mcpServers"):

  ```json
  "github": {
    "command": "npx",
    "args": ["-y", "@github/mcp-server"],
    "env": { "GITHUB_TOKEN": "ghp_..." }
  }
  ```

- Restart Claude Desktop or your MCP host. Tools appear under "github".
My take
Pending Sush’s real usage notes. Structure here reflects public information.
For reading and exploring repos — fine. For writes — always pair with a human-in-the-loop step until you’re confident. Don’t grant delete_repo scopes lightly.
Combinations
Works especially well with:
- filesystem-mcp — for local + remote unified file access
- slack-mcp — to post PR summaries to channels
- playwright-mcp — to verify deployed previews
Used in recipes:
- Automate YouTube SEO (peripheral)
FOR: Any agentic workflow that reads or writes GitHub resources.
Default for code-touching agents. Adopt with fine-grained PATs scoped to the smallest set of repos and permissions the task needs; never grant `repo` (full) scope to a long-running agent.
Maintained by GitHub itself. Staff team. Release cadence is weekly during active development.
Standard permissive licence.
PRs go through GitHub's internal review. Open-source repo with public history.
PAT or fine-grained token passed via env or stdin. Never persisted in tool output. Recommends fine-grained tokens with the smallest scope possible.
Runs as a subprocess of the MCP host. No additional sandboxing inside the server.
Server itself doesn't touch local filesystem. Repository contents flow through API calls only.
No shell tools exposed.
Only api.github.com (and uploads/downloads to github.com release assets).
Fine-grained PATs let you scope to specific repos and permission sets. Classic PATs work but tend to over-grant.
Depends entirely on PAT scope. A classic PAT with `repo` scope gives the agent everything across all your repos. Always use fine-grained tokens scoped to the smallest set of repos and permissions the task needs.
Tool responses include issue / PR / file content authored by third parties. Hostile content in any read result can attempt to redirect the agent. Treat all tool output as untrusted text.
Go binary; dep tree small relative to JS-based MCP servers. All major deps are first-party Go libraries or GitHub-maintained packages.
No active CVEs in the dep tree at last scan. GitHub Security Advisories monitors automatically.
GitHub primary rate limit is 5,000 req/h for authenticated requests; secondary rate limits trigger on bursty patterns. Long-running agents can hit secondary limits.
GitHub signs its release artefacts; binary releases verifiable.
GitHub's standard security policy applies (private vulnerability reporting via Security tab).
No telemetry beyond standard GitHub API request logs (server-side, governed by GitHub's privacy policy).
Data flows through GitHub's API endpoints. Repository data residency is GitHub-managed (regional for Enterprise; US for public).
Tokens live in process env. No on-disk credential cache.
7 present · human approval optional
- create_or_update_file
- delete_file
- create_branch
- merge_pull_request
- close_issue
- delete_workflow_run
- cancel_workflow_run
NOT A FORMAL SECURITY AUDIT · Adoption posture based on public-source review · See methodology for what's measured and what isn't