The MCP game the AI can't cheat at
I built a live MCP word game where Claude can host the round but cannot see the answer, then used it to explain the parts of the 2026 MCP ecosystem that actually matter.
TL;DR: I built a word game you play by chatting with Claude, but Claude cannot see the answer. The word stays on the server, the AI only calls tools, and the result is the cleanest MCP demo I know for one useful rule: put the truth in a tool, not in the prompt.
My favorite thing I built this year is tiny, slightly silly, and surprisingly hard to explain without sounding dramatic:
It is a game the AI can't cheat at.
Not won't cheat. Can't.
Secret Word Quest is a word-guessing game you play inside a chat with Claude. Claude hosts the round: it relays the clue, passes your guesses to the server, reads back the feedback, celebrates when you finally get one. But the word itself never touches the model. It sits on a server Claude can only reach through six tools, and nothing you type can pull it across.
If you've ever watched an AI confidently invent an answer, you already care about this. A model can't leak, spoil, or hallucinate a fact it never receives. That's the whole trick, and it is the part most MCP demos skip.
So this post is two things at once: a playable little demo of that idea, and a quick map of where MCP actually stands halfway through 2026.
Where the word lives
Start a round and the server picks a word, hides it, and gives Claude exactly three things: a category, a letter count, and a clue.
That's all the model ever knows about the round.
Here's a real round, played in Claude Code:

Claude can see the clue and the tool feedback, but never the hidden word.
The screenshot is the whole argument. You can see new_game return a clue and a length, never the word. You can see each guess leave the chat, hit the server, and come back as feedback the server computed.
Claude is not really playing the game. It is hosting it blind. The model moves information around, but the thing that matters never lives inside the model.
That means there is no magic prompt that gets the answer out. You can beg, threaten, jailbreak, ask it to "ignore all previous instructions," or make it reason step by step about what the word might be. It may still guess along with you (it's a language model, it has seen a lot of eight-letter tech words), but it cannot reveal what it was never given.
That is the useful lesson, and it applies way beyond games: when something must be true, put it in a tool, not in a prompt. Prompts are instructions. Tools can be boundaries. If you're worried about an AI quietly making things up, the answer is usually not a longer prompt. It is moving the source of truth somewhere the model can ask, but not overwrite.
The whole game is six tools:
| Tool | What it does |
|---|---|
new_game(player, difficulty, category) |
Start a round. The server hides a word. |
guess(game_id, word) |
Submit a guess, get 🟩🟨⬛ feedback. |
hint(game_id) |
Reveal the next hint (costs points). |
status(game_id) |
Current state, no spoilers. |
give_up(game_id) |
Reveal the word, end the round. |
leaderboard(top) |
Global high scores, shared across players. |
All six run on the server. Claude decides when to call them based on what you type, then reports back what the server says.
That is MCP in its simplest useful form: a model, a set of tools, and a boundary around the truth.
Why this pattern matters
A hidden word is a toy version of a serious architecture problem. The same pattern applies anywhere the model should help with a task without becoming the source of record:
- a support agent that can check account status without inventing account data
- an internal assistant that can query policies without rewriting them
- a pricing tool where the model can explain a quote but not decide the price
- a quiz, assessment, or game where the model should facilitate without seeing the answer key
The difference is subtle but important. The model is still useful. It can plan, explain, summarize, and route requests. It just does those things around a system that owns the truth.
The live server
The server is already hosted, so there is nothing to clone. In a client that supports remote MCP servers (Claude on a paid plan, Cursor, or VS Code), add a custom connector with this URL:
https://secret-word-quest.wonderfuldune-d3efe9ff.centralindia.azurecontainerapps.io/mcp
Then say:
let's play Secret Word Quest
You're now on the same global leaderboard as everyone else. The word list is not in the public code, so there is no answer key to peek at. You have to play.

The shared leaderboard at publish time: one solved round, 135 points, medium difficulty.
That is the real board as I publish this: one entry, mine, from the round in the screenshot above.
Prefer local? It's a normal stdio server too:
pip install -r requirements.txt
python server.py # then point Claude Desktop at it in the config
The registry
A protocol only gets you so far if the servers are scattered across GitHub READMEs, which is roughly what MCP discovery felt like for its first year.
That changed in September 2025, when the MCP project launched the official MCP Registry at registry.modelcontextprotocol.io. It is still technically a preview. The publish API is frozen at v0.1 while v1 general availability gets built, but it is already the index the ecosystem is standardizing around.
It listed around 9,600 servers in late May 2026 and was closing in on 10,000 by the end of June, when the road from that frozen API to full GA was getting real airtime at the AI Engineer World's Fair.
The mental model that helped me most is simple: the registry stores metadata, not code.
Your server still lives wherever code normally lives: PyPI, npm, GitHub, or a hosted URL. The registry holds a small server.json that points at it. Mine points at the live server, since Secret Word Quest is hosted:
{
"name": "io.github.jamaljm/secret-word-quest",
"description": "A word-guessing game you play through an AI. The server holds the hidden word so the AI can't cheat.",
"remotes": [
{ "type": "streamable-http", "url": "https://.../mcp" }
]
}
Two design choices make the registry more trustworthy than a random list of links.
First, namespaces are tied to identity. To publish under io.github.jamaljm, I log in with that GitHub account through a device flow, and the registry rejects names that do not match. Nobody can squat a namespace they do not own.
Second, it is a backbone, not a walled garden. The registry exposes an open API, GitHub built its own registry on top of it, and client marketplaces can pull from it. One source of truth, many storefronts.
Worth keeping separate in your head: the open registry is low-curation by design. Anyone can self-publish, and moderation happens after the fact, when someone flags spam or a malicious server. It is an index, not a seal of approval.
Claude's Connectors directory is the curated shelf on top: a reviewed, vetted set with a real bar to entry (privacy policy, tool annotations, OAuth for remote servers) that shows up for one-click install inside Claude. That directory alone lists over 300 connectors used by millions of people a day.
My server sits in the open index. Anyone can still add it to Claude by hand as a custom connector, which is perfect for a small demo like this.
What shipped in 2026
The registry matters more this year because the ecosystem around it grew up fast. Three useful things landed in June alone.
First, connector submission moved inside Claude. Team and Enterprise admins can now submit a remote connector to the Connectors directory from an admin portal in the app, instead of a separate web form. Small change, but it turns publishing from "there's a process somewhere" into part of the product.
Second, connector observability hit public beta. Own a connector and you now get a dashboard: installs, tool calls, error rates, latency, and your directory rank over time. Shipping a server stopped being a fire-and-forget exercise.
Third, enterprise-managed connectors arrived. Admins can provision MCP connectors across an organization through an identity provider, Okta first, so users get access on first login with no per-user OAuth dance. This is the piece that makes MCP deployable at big-company scale.
Two things I'm watching
Code execution with MCP. In November 2025, Anthropic showed that instead of the model calling each tool directly, it can write code that calls the tools, loading definitions only when needed. Their example cut a task from about 150,000 tokens to about 2,000. That's a 98.7% drop.
It sounds like an implementation detail until you wire up a dozen servers and notice the tool definitions alone are eating your context window.
MCP Server Cards. This is a draft proposal for exposing a server's capabilities at /.well-known/mcp/server-card.json, so clients, crawlers, and registries can see what a server does without connecting to it.
It has not shipped yet. But if it lands, it becomes the missing piece for making MCP servers discoverable the way websites are.
A toy, on purpose
Secret Word Quest is not a product. It is about 350 lines of Python and a words file.
But it is a complete, working tour of the loop that matters: a server that owns some truth, tools a model calls on your behalf, a registry entry tied to a real identity, and a hosted URL you can point your client at right now.
Read the code and notice how little magic there is. That was the point of building it.
FAQ
Can the AI cheat at Secret Word Quest?
No. The secret word lives only inside the server. The AI is just the host: it relays the clue and passes your guesses to a tool. It never receives the answer, so it cannot leak it or solve it for you.
Do I need to code to play?
No. In an AI client that supports remote MCP servers (Claude on a paid plan, Cursor, VS Code), you add the server URL once, then just chat. Say 'let's play Secret Word Quest' and start guessing.
Is it free to play?
Yes. Connect the hosted server as a remote MCP server in your AI client and play. It is a small demo, so treat the shared leaderboard as for fun.
What is MCP in one line?
The Model Context Protocol is an open standard from Anthropic (2024) that lets any AI client connect to any tool or data source through one shared interface, instead of a custom integration per pair.