Lessons from Scaling GitHub's Remote MCP Server — Sam Morrow, GitHub


Summary based on the YouTube transcript and episode description.

Sam Morrow (GitHub) details hard lessons from scaling GitHub’s remote MCP server to 8 million tool calls per week, including tool overload, OAuth pitfalls, and stateless architecture.

  • GitHub’s stdio MCP server hit 11M+ Docker downloads and ~8M tool calls/week after one year of being public.
  • Adding 100+ tools made agents worse, not better; the default tool set was cut to ~40, reducing initial context load by ~49%.
  • Tailoring list-pull-requests output alone cut that tool’s token usage by over 75%.
  • Tool call success rate is now over 95%, improved by encoding agent intent server-side and batching multi-step API calls.
  • GitHub rejected OAuth dynamic client registration: unbounded app DB growth, no reliable app identity, rate-limit bucketing unsolvable.
  • Invariant Labs published a correct prompt-injection exfiltration attack against GitHub MCP; Morrow says the vulnerability applies to nearly every agent setup, not just GitHub’s.
  • Personal access tokens (PATs) in the wild are frequently long-lived, over-privileged, and stored in agent-accessible plaintext, a structural security problem across the ecosystem.
  • Morrow predicts thousands of tools will be normal soon as compositional tool use (piping, streaming) matures, reversing today’s fewer-tools decisions.

2026-04-27