Claude.ai MCP servers auto-injected into Claude Code without opt-in — causes OOM crashes on resource-constrained systems
Bug Description
Claude Code 2.1.x silently syncs MCP servers from the user's Claude.ai web account into Claude Code sessions without any opt-in, notification, or consent. This creates duplicate MCP servers and significant memory overhead that causes OOM kills on resource-constrained systems.
Environment
- Claude Code version: 2.1.17
- Platform: Raspberry Pi 5 (16GB RAM, 2GB swap, aarch64)
- OS: Debian Bookworm (Raspberry Pi OS), kernel 6.12.62+rpt-rpi-2712
The Problem
After updating to 2.1.x, I discovered 6 "claude.ai" remote MCP servers were automatically loaded into my Claude Code sessions:
claude.ai Remote MCP Lookup Directory: https://mcp.remote-mcp.com - ✓ Connected
claude.ai PayPal: https://mcp.paypal.com/mcp - ✗ Failed to connect
claude.ai AWS Knowledge: https://knowledge-mcp.global.api.aws - ✓ Connected
claude.ai CORE Memory: https://core.heysol.ai/api/v1/mcp?source=claude - ✓ Connected
claude.ai Notion: https://mcp.notion.com/mcp - ⚠ Needs authentication
claude.ai Hugging Face: https://huggingface.co/mcp?login&gradio=none - ⚠ Needs authentication
I never asked for these to be added to Claude Code. These were MCP integrations I connected through the Claude.ai web interface for use in the web UI — not for CLI use.
Impact
1. Duplicate MCP servers consuming double memory
Three of the injected servers are duplicates of servers I already configured locally:
aws-knowledge(local) +claude.ai AWS Knowledge(injected)core-memory(local) +claude.ai CORE Memory(injected)notion(local) +claude.ai Notion(injected)
2. Unwanted servers I never intended to use in Claude Code
- PayPal MCP (why is this in my CLI coding tool?)
- Hugging Face MCP (never configured for CLI use)
- Remote MCP Lookup Directory (unnecessary overhead)
3. OOM kills crashing active sessions
On my Raspberry Pi 5 (16GB RAM, 2GB swap), the additional memory overhead from these injected servers pushed the system over the edge. The Linux OOM killer started killing Claude processes:
dmesg output:
oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,
oom_memcg=/user.slice/user-1000.slice/user@1000.service,
task_memcg=/user.slice/user-1000.slice/user@1000.service,task=claude,pid=XXXX
Swap was 100% exhausted (2.0Gi/2.0Gi, 5.7Mi free). Sessions were being SIGKILL'd mid-work.
4. Cannot be removed via CLI
claude mcp remove "claude.ai PayPal" returns "No MCP server found" — these servers bypass the normal MCP management system entirely.
Root Cause
The feature flag tengu_claudeai_mcp_connectors (in cachedGrowthBookFeatures) was set to True without user consent. This causes Claude Code to pull MCP integrations from the user's Claude.ai account and load them into every CLI session.
Workaround
Manually editing ~/.claude.json to set:
"cachedGrowthBookFeatures": {
"tengu_claudeai_mcp_connectors": false
}
However, this is a cached flag and may be overwritten on next update/startup.
Expected Behavior
- This should be opt-in, not opt-out. Users should explicitly choose to sync Claude.ai MCP servers to Claude Code.
- At minimum, there should be a
claude configsetting to disable this (e.g.,claude config set syncRemoteMcps false) - Duplicate detection — if a user already has
notionconfigured locally, don't also loadclaude.ai Notion - Resource awareness — on constrained systems, loading 6 additional MCP servers (each with HTTP connection overhead, memory for tool schemas, etc.) is not free
claude mcp removeshould work for these servers, or there should be aclaude mcp remove --remoteoption
Requested Fix
- Add a user-facing configuration option to disable Claude.ai MCP sync
- Make this feature opt-in rather than opt-out
- Implement duplicate detection to avoid loading the same MCP endpoint twice
- Allow removal of remote MCPs via the standard
claude mcp removecommand
38 Comments
Additional Issue: Selective/Inconsistent Sync
To make this even more confusing, the sync between Claude.ai and Claude Code is selective and inconsistent. Looking at the MCP integrations connected to my Claude.ai account, not all of them are being synced to Claude Code.
For example:
There's no apparent logic to which integrations get pulled in and which don't. This makes it impossible for users to predict or control what will appear in their Claude Code MCP list.
This inconsistency compounds the original issue:
claude mcp listThe behavior should be all-or-nothing with explicit user control — not a mysterious partial sync that silently loads some integrations while ignoring others.
Additional Issue: Claude.ai Connector "Remove" Button Non-Functional
After discovering the auto-injected MCPs, I went to Claude.ai's Connectors settings to remove them entirely.
What I found:
Concern: If these "disconnected" connectors can still be synced to Claude Code when the
tengu_claudeai_mcp_connectorsfeature flag is active (which gets re-enabled server-side on every startup), then there is truly no way for a user to prevent unwanted MCP servers from being injected into their Claude Code environment.Expected behavior: The Remove button should permanently delete the connector registration, preventing any future sync to Claude Code regardless of feature flag state.
Current workaround: None. Users cannot permanently remove connectors from their account, and the local feature flag override gets refreshed from the server on every Claude Code startup.
yes the first is unacceptable, i saw my claude code performance diminish to the point of almost unusable until i figured out this was why. also, disabling them in the claude code CLI should disable them globally for the CLI, comparable to the user scope. this is a big issue.
This is a serious issue that breaks our project based MCP set up and management with team plan. Claude Desktop and Code are used by different teams with different policies, now we need to ask team members to disable Claude ai MCPs from each project one by one manually.
Workaround: SessionStart hook to auto-disable synced connectors
Until there's an official toggle, here's a workaround. This uses a
SessionStarthook to automatically add the synced connectors todisabledMcpServersfor every project on startup.1. Create the hook script (e.g.,
~/.claude/hooks/disable-claudeai-connectors.sh):Make it executable:
chmod +x ~/.claude/hooks/disable-claudeai-connectors.shHow it works:
Requirements: jq must be installed.
This won't prevent the connectors from syncing, but it ensures they're disabled before you interact with them. Still hoping for a proper opt-out setting.
Why is there no way of disabling the MCP servers by default across sessions? Suddenly, all of my claude code sessions show:
...and all I can do is disable each of the 15 connectors manually for EACH claude code project.
Using
ENABLE_TOOL_SEARCH=truehelps a lot with the performance issues, as it prevents the unwanted MCPs from being loaded into context until they're needed. But that's not the only issue here.For me, the issue is that I use Claude in different contexts. I have multiple user accounts on my dev server, with different configurations. For example: I use Linear both at work and at home, so my work and personal users both have Linear MCPs set up. This works fine until Claude Code auto-syncs the "Claude.ai Linear" in my personal projects and Claude starts trying to read (or worse, write!) issues in my work account.
I have to be able to turn this off, or at least globally disable an MCP server at the user level in
~/.claude.json. (Thetengu_claudeai_mcp_connectorssetting seems to have worked, at least temporarily.)MCP servers I use on Claude web have a different security perimeter than the ones I use on a given local machine. This has granted a local Claude on a controlled machine means to exfiltrate data or access the public Internet or tools like Zapier without my awareness.
No tool should be yoloing a Unix environment without the owner's explicit consent. Please revert this change immediately.
Dynamic MCP Loader: SessionStart hook + mcporter for on-demand loading
Building on @mpenza's excellent SessionStart hook workaround above, I packaged a more complete solution that not only disables the cloud connectors but also lets you call them on demand using mcporter — so you get the tools when you need them without the constant context token cost.
The problem this solves
The SessionStart hook disables the connectors, but then you lose access entirely. With mcporter, you can call any disabled connector's tools ad-hoc from the CLI without re-enabling them:
Setup
1. Create the hook at
~/.claude/hooks/disable-claudeai-connectors.sh:2. Register in
~/.claude/settings.json:3. Install mcporter (optional, for on-demand access):
Full skill package
I published the complete solution as a reusable AI skill (works with Claude Code, Cursor, Codex, etc.):
Gist: https://gist.github.com/nerveband/4d5ebc42444cc0abc04d5e33e982fb63**
Includes the hook script, setup guide, and a SKILL.md that teaches AI agents how to use mcporter to dynamically load disabled connectors when needed.
When to use mcporter vs re-enabling
| Scenario | Approach |
|----------|----------|
| One-off tool call |
npx mcporter call ...(no context cost) || Extended session with many calls | Re-enable via
/mcp|| Automation/hooks | mcporter programmatically |
Still hoping for a proper
"mcpConnectors": "disabled"setting, but this keeps things usable in the meantime.This keeps coming back after every login/re-auth. I have to patch
tengu_claudeai_mcp_connectorsback tofalsein.claude.jsonevery single time, and it gets silently overwritten again on the next auth sync.I'm running a file watcher as a workaround now. That's how bad this is - I need a background daemon to defend my CLI tool's configuration from itself 🤯
A few things that make this particularly frustrating:
claude mcp add/removefor managing MCP servers. That's the correct, explicit CLI workflow. But there's no equivalent command to manage or disable the servers being injected from claude.ai. You give us aproper tool, then bypass it.
This is a developer tool. Silently injecting MCP servers that users didn't ask for, can't disable through any official mechanism, and that keep reappearing after every login - that's not a feature, it's a hostile UX pattern.
Please give us a persistent opt-out or, better yet, make this opt-in.
+1 on this. I have my own locally-configured MCP servers for Atlassian and Slack via
.mcp.json, so the auto-injected "claude.ai" duplicates are unwanted. They show up in every new project and have to be manually disabled each time via/mcp.Attempted to use
deniedMcpServersin user settings to block them globally, but theserverNameregex (^[a-zA-Z0-9_-]+$) rejects the "claude.ai" naming format (dots and spaces). Related: #23838.Would appreciate either an opt-in toggle for the claude.ai MCP sync, or fixing
deniedMcpServersto accept these server names so users can selectively block them.+1 on needing a persistent opt-out for cloud MCP connector injection.
My use case: I have Hugging Face MCP enabled in claude.ai for research in the web UI chatbot. It works great there. But when I'm coding in Claude Code CLI, I don't need it — it just consumes context tokens and clutters the tool list. The two environments (web chatbot vs. local CLI) have fundamentally different needs, and the current behavior forces them to share the same MCP configuration with no separation.
I discovered the injected servers only after noticing Claude Code sessions engaging with Hugging Face tools I never configured locally. After investigating all local config files (
~/.claude.json,.mcp.json,~/.claude/settings.json) and finding nothing, I concluded they were being injected server-side. The official docs confirm this under "Use MCP servers from Claude.ai".What I'd like to see (in order of preference):
"mcpConnectors": "disabled"setting in~/.claude/settings.json— simple, persistent, doesn't affect claude.ai web UI. This was proposed in #22301 before it was closed as a duplicate of this issue."disabledMcpConnectors": ["claude.ai Hugging Face"]in settings.json, persisting across sessions and projects. This would also resolve the duplicate server problem others have reported.claude mcp removework for cloud connectors, or addclaude mcp disable --cloud <name>as a persistent toggle.The current workarounds (
/mcpper-session, feature flag hackingtengu_claudeai_mcp_connectorsthat gets overwritten on re-auth, SessionStart hooks) are all fragile and require ongoing maintenance. A first-class setting would resolve this cleanly.Additional workaround for others landing here: you can force-disable all MCP servers (including cloud connectors) for a session with:
This is a nuclear option (kills local MCPs too), but useful when you need a clean coding session with zero MCP overhead.
Also noting that
deniedMcpServersin managed settings can't block these servers because theserverNameregex rejects the"claude.ai ..."naming format (#23838) — so even the enterprise tooling can't address this.Another possible workaround might be to make a dedicated MCP config file and inject it with
But that's a brutish workaround that shouldn't be necessary.
+1 on this. My use case is slightly different but related:
I need different authentication credentials for the same MCP server type across different Claude Code projects (different orgs/contexts), while still keeping the MCP server enabled for
claude.com web chats.
Current options are all bad:
What would solve this:
The duplicate tools issue is the main friction - if local configs could shadow global ones cleanly, this would be a non-issue.
This bug was costing me an extra 75% ON MY USAGE! FIX IT ALREADY. Thanks to everyone on the thread who help workaround it.
Set this environment variable in your Claude Code settings:
```
// In ~/.claude/settings.json, add to the "env" object:
"env": {
"ENABLE_CLAUDEAI_MCP_SERVERS": "false"
}
That completely removes the claude.ai MCPs instead of just deactivating them. I think most users would like the cluade.ai MCP servers available for activation when needed, but deactivate by default.
Adding my experience here. I had no idea this was happening until I ran
claude mcp listand saw three servers I never configured locally:I set these up on claude.ai months ago for the web UI — never intended them for CLI use. A terminal tool silently establishing outbound HTTP connections to third-party services based on web dashboard config set in a completely different context violates the principle of least surprise.
What makes this worse:
disallowedToolsto muzzle usage after they're already connected and consuming context)settingSources: []in the SDK doesn't block them either — confirmed via testingThis should require explicit local opt-in per environment, not silent auto-loading. Something like
disableAccountMcp: truein settings.json, or at minimum a first-session prompt: "Your account has 3 MCP integrations. Enable in CLI? [y/N]"https://claude.ai/settings/connectors
You probably have those added here. Just remove them
Warning to reporters and readers of this issue:
This issue has no assignee. Of the ~5,947 currently open issues in this repository, only ~96 have assignees. Unassigned issues are subject to automatic "stale" labeling and auto-closure after 14 days of inactivity via
sweep.ts. The "stale" label cannot be removed by the issue creator, and new activity does not remove it. Additionally, the duplicate-detection bot creates circular chains of duplicate references, leading to further automatic closures. See #19267 and this comment for documentation of this behavior.This means your privacy concern will likely be silently deleted from the record without being addressed.
If you believe that auto-installing OAuth connectors to your private email and calendar without consent is a privacy violation, you may want to pursue channels that cannot be auto-closed:
Anthropic's own privacy policy states: "You'll always be in control and can turn off these features in your account settings." Auto-installing connectors to private email via server-side feature flags, with no notification and no clean opt-out, contradicts this commitment.
This is incorrect. Disabling them in https://claude.ai/settings/connectors does NOT disable them or remove them from Claude Code. They still still be enabled because the local MCP settings are CACHED, so disabling connectors has ZERO effect.
Anthropic needs to set
ENABLE_CLAUDEAI_MCP_SERVERStofalseby default and stop angering their customers with this wasteful, sneaky behavior users did not ask for and did not expectI noticed unsolicited MCP auth prompts for gmail.mcp.claude.com appearing in claude code without explicitly configuring them, which set off alarm bells in my head.
These should be opt-in, and not just because they might be wasting resources.
Took me about twenty minutes to find a way to disable the two MCP servers (the Gmail and Calendar MCPs) that showed up one day without my consent.
/mcponly showed what they were but didn't let me disable them.Instead, I found out you can type
/plugin, tab to the Installed tab, and arrow all the way down to find the MCP servers and disable each using spacebar granularly (instead of theENABLE_CLAUDEAI_MCP_SERVERSenv var, which disables all of them at once).But my gripe is that I never consented to enabling these third-party MCPs in the first place. Furthermore, once I found out, I had a hard time finding how to disable them. They weren't enabled on my claude.ai account in the first place, nor were they found in my settings.json. I ended up finding the line
"tengu_claudeai_mcp_connectors": trueunder.claude.jsonwhich is a hidden config file.The behavior of claude code automatically trying to auth with services I didn't set up myself bypasses user consent and is also plain annoying, as "claude.ai connectors need auth" warnings kept popping up in my sessions. Hey, at least it's failing loudly, so I could tell that they're trying to access these servers in the first place. I don't want to imagine what would happen if they just all connected silently and claude's attempts to read my third-party data just got buried underneath a whole wall of rapid tool calls you'd need
ctrl+oand a sharp eye to find.Adding another use case: I want these MCP servers available in the claude.ai web app but not in Claude Code CLI sessions, where they add noise and context bloat.
Tried adding
disabledMcpServersto~/.claude/settings.jsonwith the server display names (e.g."claude.ai Fathom","claude.ai Slack", etc.) but it has no effect on OAuth-connected servers — only locally-configured ones seem to be affected by that setting.A per-client toggle (web vs. CLI) or making
disabledMcpServerswork for OAuth servers (with documented name format) would solve this.Another data point: this is not just cosmetic/noisy on my machine.
Environment:
What I am seeing:
~/.claude.json, the current project already hasdisabledMcpServersset to"claude.ai Gmail"and"claude.ai Google Calendar".claude mcp liststill shows both connectors in Claude Code asNeeds authentication.claude mcp get/removecannot target them by name, so they are still in a weird half-managed state.More importantly, I am also seeing Claude Code occasionally drop straight back to the shell after a turn with the red footer showing
1 MCP server failedimmediately beforehand. I cannot prove causality from logs yet, but in practice this feels correlated with unexpected session termination, not just an annoying status warning.So from this setup: per-project disable state is already present, but the
claude.aiGmail/Calendar connectors still surface as failed, and the bug appears severe enough to coincide with sessions unexpectedly ending.A
Notificationhook onstartcan detect and warn about duplicate MCP servers:To proactively prevent OOM, add a memory monitor:
Until there's an official opt-out for cloud-synced MCP servers, you can also remove them from the settings file on session start:
Adding a use case: I run Claude Code across multiple project directories, each with different needs. I want each project to act as a sandbox where I explicitly allowlist which MCP servers are available — opening access case by case.
But cloud connectors get injected into every project uniformly, with no per-project control.
A proper
allowedMcpServersordisabledMcpServerssetting at project scope (in.claude/settings.json) would solve this cleanly.For now, using
ENABLE_CLAUDEAI_MCP_SERVERS=falseas a workaround.adding on, having MCP's injected in from the desktop app into a claude code session is really annoying, and chews up so many tokens for no reason. I added gmail, calendar and slack because i wanted the desktop app todo stuff, that added 10K tokens to every session i opened in claude code, which i never used.
need a real fix for this.
Endorsed. This eats away tokens like crazy. 60k tokens just for a "session init" per each new chat in claude code is insane.
+1 — adding a data point + a workaround that's a bit different from the
SessionStarthook approach upthread.Use case: two-tier default by path
/home/me/WORKSPACE/**→ only Linear + Mixpanel enabled (team workflow)claude.aiMCPs off (context bloat + different trust boundary — cf. @sunir upthread)What I tried
disabledMcpServers: [...]in~/.claude/settings.json→ schema validator rejects the field (not declared in settings schema)deniedMcpServers: [{serverName: "claude.ai Linear"}]→ regex^[a-zA-Z0-9_-]+$rejects dots/spaces so actual server names never matchSessionStarthook writing~/.claude.json→ fires after MCP connect — too late for current session--strict-mcp-config --mcp-config <file>→ doesn't affectclaude.aiOAuth first-party serversENABLE_CLAUDEAI_MCP_SERVERS=false→ too nuclear (per @nick-youngblut — removes instead of deactivating, losing per-project granularity)Workaround: wrapper function that pre-populates state BEFORE
clauderunsWorks — but I'm mutating Claude Code's internal state file from bash, which shouldn't be my job. Also likely subject to @mattheworiordan's observation that
tengu_claudeai_mcp_connectorsgets silently reset on re-auth.API proposal
A unified policy field, applied before MCP connections initialize:
Properties wanted:
.mcp.json, plugin-provided) — not 5 overlapping fields/mcpchanges still work but reset to policy on next session startallowedMcpServers/deniedMcpServers/disabledMcpjsonServers— doesn't collide with the existing enterprise surfacesCurrent field surface is (as far as I can tell) 5 overlapping layers with inconsistent semantics:
| Field | Applies to | Scope | Takes OAuth names? |
|---|---|---|---|
|
enabledMcpjsonServers/disabledMcpjsonServers|.mcp.jsonsourced | user/project | No ||
allowedMcpServers/deniedMcpServers| Enterprise policy | managed | No (regex blocks./) ||
disabledMcpServers| Runtime state | per-abs-path in~/.claude.json| Yes (but not in settings schema) ||
pluginConfigs.*.mcpServers| Plugin-provided | plugin | N/A ||
ENABLE_CLAUDEAI_MCP_SERVERSenv | All claude.ai | global on/off | N/A |It'd be great if one unified mechanism could replace the ad-hoc state file dance.
Happy to help test if this gets picked up.
I did create an additional - duplicate issue #57235. Sorry for that. I just closed it. But perhaps you'll find some additional information that help solving the problem!
I can reproduce this issue on Claude Code v2.1.133 (Linux, Ubuntu 24.04) with a Claude Pro subscription and API key auth.
Findings:
Normal startup: System tools: 2.9M tokens (1454%) — context is full before any user input
With --bare flag: System tools: 1.4k tokens (0.7%) — completely normal
What I ruled out:
No MCP servers configured (claude mcp list returns empty)
No active VS Code Extension connection (IDE lock directory empty)
All plugins moved to backup directory — 2.9M tokens persist
No credentials.json (logged out) — 2.9M tokens persist with API key
Without any auth (no API key, no OAuth) — 721 tokens (normal)
Key observation: The 2.9M tokens appear whenever any authentication is active (API key or OAuth), regardless of whether MCP servers, plugins, or VS Code are running. The --bare flag is the only workaround that produces a clean context.
The ENABLE_CLAUDEAI_MCP_SERVERS=false flag from #50062 does not resolve the issue in v2.1.133.
Environment:
Claude Code version: 2.1.133
Platform: Ubuntu 24.04 LTS, linux-x64
Model: claude-sonnet-4-6
Auth: Claude Pro OAuth + API key (both tested separ
Additional comment for Issue #20412:
After extensive debugging, I found that the root cause of the 2.9M token "System tools" bloat in my case is the sandbox block in .claude/settings.json.
Reproduction:
Start claude in any directory without a .claude/settings.json → System tools: ~13k tokens (normal)
Add a .claude/settings.json with "sandbox": { "enabled": true } → System tools: 2.9M tokens
Even a minimal sandbox config triggers the issue:
json{
"sandbox": {
"enabled": true,
"autoAllowBashIfSandboxed": true
}
}
What I ruled out:
Plugins (moved entire plugin directory to backup — 2.9M persists)
MCP servers (claude mcp list returns empty)
VS Code Extension (closed VS Code — 2.9M persists)
Project files (renamed .claude directory — drops to 13k)
credentials.json / OAuth login (API key only — same result)
ENABLE_CLAUDEAI_MCP_SERVERS=false flag — no effect
Workaround: Remove the sandbox block entirely from settings.json.
Environment:
Claude Code version: 2.1.133
Platform: Ubuntu 24.04 LTS, linux-x64
Model: claude-sonnet-4-6
TurboTax Connector suddenly started like an MCP today and attempted to prompt inject my subagent...
any update? hello??
export ENABLE_CLAUDEAI_MCP_SERVERS=falseon your .bashrc or equivalent fixes this.@cardoso-neto Unfortunately that disables everything, rather than just specific MCP servers.
Thank you all for the reports and workarounds here.
As of v2.1.182:
"disableClaudeAiConnectors": truein.claude/settings.json(project, user, or managed-policy level) opts out before any connection is attempted. A project-levelfalsecannot override a user- or policy-leveltrue.deniedMcpServersaccepts connector display names with spaces and dots (e.g.,{"serverName": "claude.ai Slack"}) for per-connector denial. Match is exact and case-sensitive.ENABLE_CLAUDEAI_MCP_SERVERS=0and--safe-modecontinue to work. Tool-search deferral is now on by default, so connector schemas aren't loaded into context until used.The default is unchanged — connectors still load unless disabled. Closing as completed for the opt-out controls; please open a fresh issue for opt-in default, first-run consent, or per-project credentials.