The MCP Registry: GitHub's Play to Become the App Store for AI Tools

GitHub’s MCP Registry is a curated, centralized hub where AI agents and developers discover Model Context Protocol servers—the building blocks that give AI systems access to external tools, data, and APIs. Launched September 2025, it positions GitHub as the primary distribution layer for AI tooling, tackling the fragmentation problem that emerged as MCP’s ecosystem exploded past 5,000 servers in less than a year.

What Is the MCP Registry?

The Model Context Protocol originated as an Anthropic open-source project in November 2024: a standardized interface for connecting large language models to external data sources and tools. The framing that stuck was “USB for AI”—a single plug type that works regardless of which model or which tool sits on either end.

Growth was immediate and chaotic. Within months, developers had built thousands of MCP servers spanning code repositories, databases, productivity suites, and external APIs. PulseMCP, an independent community tracker, listed over 5,500 servers by October 2025.¹ The official registry managed by the MCP steering group counted nearly 2,000 entries by November—a 407% increase from its September launch batch.²

That growth created a genuine discovery problem. As GitHub’s own changelog framed it: “MCP servers are scattered across numerous registries, random repositories, and buried in community threads.”³

The GitHub MCP Registry, launched September 16, 2025, is GitHub’s structural answer: a curated index of verified MCP servers integrated directly into the GitHub developer experience. It launched with over 40 servers from partners including Figma, Postman, HashiCorp, and Dynatrace, with Microsoft and GitHub’s own servers among the first entries.⁴

How the GitHub MCP Registry Works

The architecture is deliberately layered. At the foundation sits the official MCP Registry—an open-source project with a published OpenAPI specification, maintained by a steering group including Toby Padilla (GitHub’s Head of MCP), Adam Jones (Anthropic), Tadas Antanavicius (PulseMCP), and lead maintainer David Soria Parra.⁵

Server maintainers publish to the community OSS registry. GitHub’s registry ingests from that source, applying its own curation layer on top. The result: publishing to the community registry automatically surfaces entries in GitHub’s platform—a meaningful distribution incentive that reduces multi-registry overhead for server developers.

From the developer side, the experience integrates with existing GitHub workflows: a custom repository view with README prominently displayed, one-click installation for VS Code and VS Code Insiders, GitHub star counts surfaced alongside server listings, and direct compatibility with GitHub Copilot.

// Example: MCP server configuration entry
{
  "name": "github",
  "version": "2.0.0",
  "description": "GitHub's official MCP Server",
  "tools": ["search_repositories", "create_issue", "get_pull_request"],
  "transport": ["stdio", "http"],
  "authentication": "oauth"
}

The official MCP Registry also supports a sub-registry model: clients can build their own marketplace-style discovery experiences on top of the central index, and enterprises can deploy private sub-registries for internal tools that shouldn’t appear in public listings.⁶

From Plugins to Protocol: What Changed

This is not the first attempt to build an app store for AI capabilities. OpenAI launched ChatGPT Plugins in March 2023, deprecated them in April 2024 in favor of GPT Actions, then adopted MCP in March 2025. Apple proposed App Intents for on-device AI. Microsoft built Copilot extensions. Each prior approach was proprietary, walled, and non-portable.

MCP represents a structurally different approach—and the industry has largely converged on it.

The portability difference is decisive. An MCP server built for GitHub Copilot runs identically in Claude Desktop, Cursor, or any other MCP-compatible client without modification. Asha Sharma, Microsoft’s President of CoreAI, captured this at MCP’s one-year anniversary: “It made write once integrate everywhere real.”⁷

OpenAI’s adoption in March 2025 was the clearest validation of MCP’s architectural approach—a direct signal that the proprietary plugin model had failed to achieve the distribution effects an open standard could. Srinivas Narayanan, OpenAI’s CTO, stated: “It’s now a key part of how we build at OpenAI, integrated across ChatGPT and our developer platform.”⁸

By November 2025, MCP’s SDK recorded 97 million monthly downloads, with the community at 2,900 contributors on Discord adding over 100 new members weekly.⁹

The Security Problem Nobody Can Ignore

Rapid, decentralized growth has a predictable downside: the same fragmentation the registry aims to solve has created a significant attack surface, and the threat vectors are specific to MCP’s architecture.

Tool poisoning attacks embed malicious instructions inside server tool descriptions—the metadata AI agents read to understand what a tool does and how to use it. Because agents often trust this metadata without human review, a compromised or malicious server can redirect agent behavior invisibly. Security researchers at Invariant Labs demonstrated this concretely: a malicious MCP server combined with a legitimate whatsapp-mcp server in the same agent context could silently exfiltrate a user’s entire WhatsApp conversation history.¹⁰

Supply chain risk is equally concrete. CVE-2025-6514, disclosed in 2025, identified a critical OS command-injection vulnerability in mcp-remote—a popular OAuth proxy for connecting local MCP clients to remote servers—with over 437,000 downloads. An unpatched install effectively became a supply-chain backdoor.¹¹ Independent security research identified 492 publicly exposed MCP servers lacking basic authentication or encryption.¹²

The official MCP Registry addresses this partly through community moderation—flagging spam, malicious code, and impersonation—but these mechanisms are reactive, relying on human review after publication. GitHub’s curation layer provides an additional filter by restricting its registry to partners and verified servers. This meaningfully reduces (but does not eliminate) risk, and it comes at the cost of coverage.

GitHub’s Strategic Bet

GitHub’s registry is not a neutral infrastructure play. It is a deliberate positioning of GitHub as the distribution layer for AI agent tooling—structurally analogous to how npm became essential to JavaScript distribution, or DockerHub to container distribution. Both achieved that status not through technical features alone, but through network effects: developers published there because users looked there, and users looked there because packages were there.

GitHub has structural advantages here that no other player in the MCP ecosystem currently matches. It already hosts the source code for the large majority of publicly available MCP servers. Its developer toolchain—Copilot, Codespaces, Actions, IDE integrations—is where the target audience works. One-click installation directly into VS Code from the registry is a qualitatively different kind of gravity than a JSON config snippet in a community README.

Mario Rodriguez, GitHub’s Chief Product Officer, framed the broader ambition directly at MCP’s one-year milestone: “MCP has evolved from an experiment to a widely adopted industry standard…unlock real benefits of agentic development in production workflows.”¹³

What’s less certain is whether the curation model scales. With community registries already listing 5,500+ servers and the official registry passing 2,000 entries, GitHub’s curated catalog of 40+ servers reflects a deliberate quality-over-quantity bet. That serves the current moment of ecosystem maturation. It becomes a constraint if developers looking for niche integrations consistently find them only in community registries—maintaining parallel discovery workflows rather than using GitHub as the single home base.

What Practitioners Need to Know Right Now

For teams integrating MCP tooling into production workflows, several practical considerations follow directly from how the registry ecosystem is structured.

Distribution strategy: Publishing to the official community registry at registry.modelcontextprotocol.io automatically surfaces servers in GitHub’s registry. If you’re building an MCP server for public distribution, this is currently the most efficient path to reach the widest client base across multiple platforms.

Client compatibility: As of late 2025, GitHub Copilot, Claude Desktop, Cursor, and Zed all support MCP. VS Code’s one-click install from the GitHub registry substantially reduces friction for tools targeting developers working in that environment.

Security posture: Treat third-party MCP servers as you would third-party npm packages: review source code, pin versions, monitor for unexpected updates, and isolate from sensitive systems. The community-flagged moderation model shifts responsibility to users more than the pre-publication review model of prior plugin architectures did.

Enterprise sub-registries: The official registry’s private sub-registry capability allows enterprises to maintain internal catalogs without public exposure. This is the appropriate path for proprietary tools or sensitive integrations.

Protocol evolution: MCP’s November 2025 spec release added task-based workflows (experimental), simplified OAuth flows via URL-based client registration, and cross-app authorization extensions. Tools built against earlier specs may need updates to use newer features like sampling-with-tools or URL-mode elicitation.¹⁴

Frequently Asked Questions

Q: Is the GitHub MCP Registry the same as the official MCP Registry? A: No. The official MCP Registry at registry.modelcontextprotocol.io is the community-maintained source of truth for all MCP servers. GitHub’s registry is a curated consumer of that data, layered with GitHub-specific features like one-click VS Code installation and integration with Copilot.

Q: How do I publish my MCP server to appear in the GitHub registry? A: Publish to the official community OSS registry following its submission documentation. Servers listed there are automatically eligible to appear in GitHub’s registry. Direct self-publishing to GitHub’s curated index is not yet available at time of writing.

Q: Does installing an MCP server from the registry expose my codebase or data? A: Potentially, depending on the server’s declared permissions and your configuration. MCP servers can be granted access to local files, execute commands, and make network requests. Review each server’s tool descriptions and permissions before deployment, and use network-level isolation for production environments.

Q: Which AI clients support MCP-based tool discovery? A: At time of writing, GitHub Copilot (with VS Code integration), Claude Desktop, Cursor, Zed, and ChatGPT (since March 2025) all support MCP. The open protocol means the client list is expanding—check individual client documentation for registry integration specifics.

Q: Is MCP stable enough for production use? A: The core protocol is stable and broadly adopted, but specific features like task-based workflows and cross-app authorization remain experimental as of the November 2025 spec. For stable production workloads, pin to specific server versions and monitor the MCP changelog. The steering group processes Specification Enhancement Proposals actively—17 were handled in approximately one quarter—so the protocol surface continues to evolve.¹⁵