postgres mcp
Review
Audited by ClawScan on May 10, 2026.
Overview
This skill appears purpose-aligned, but it needs review because it can run very broad PostgreSQL commands and some guardrails around safe/direct execution are incomplete.
Install only if you want an agent to help manage a PostgreSQL database. Configure postgres-mcp with a dedicated least-privilege or read-only account first, pin and verify the external postgres-mcp package/container, carefully review every SQL statement before execution, and be especially cautious with DDL, DELETE/UPDATE, maintenance functions, and any scheduled checks.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If connected with a powerful database account, the agent could interrupt database sessions or run high-impact SQL under an overly broad 'safe SELECT' assumption.
The instructions classify SELECT as relatively safe and directly executable, while the same reference lists SELECT-based administrative functions that have side effects. This creates an unclear approval boundary for disruptive database actions.
Read Operations (SELECT) ... Does not modify data ... For simple queries, execute directly ...
SELECT pg_cancel_backend(pid); -- Gentle termination
SELECT pg_terminate_backend(pid); -- Force termination
Require explicit user confirmation for all DDL, DML, maintenance commands, and side-effecting/admin functions, not just non-SELECT statements. Use a read-only or least-privileged database role by default.
Database passwords or high-privilege accounts could be exposed through config files, shell history, or process arguments if configured carelessly.
The setup flow expects database credentials in connection strings or environment variables. This is normal for a database MCP integration, but it is sensitive credential handling.
postgres-mcp "postgresql://user:pass@host:5432/dbname" ... DATABASE_URL — Database connection string
Use a dedicated least-privilege database user, prefer read-only mode for analysis, protect MCP config files, and avoid placing production passwords in shell history or shared configuration.
Future package or image changes could alter the behavior of the MCP service used to access the database.
The user-directed setup installs an external package/container and uses an unpinned Docker 'latest' tag. This is purpose-aligned, but the reviewed artifact set does not verify that external code.
pipx install postgres-mcp ... ghcr.io/crystaldba/postgres-mcp:latest
Pin the postgres-mcp package/image version or container digest, verify the upstream project, and install from trusted sources.
Private schema names, relationships, or database design details could persist in agent context and influence later tasks.
The skill suggests caching database schema context for reuse. That is useful for this purpose, but the artifacts do not define storage location, retention, or clearing behavior.
Schema Caching — Cache frequently queried schema information to avoid repeated queries ... Subsequent queries: Use cached schema
Cache only the minimum schema information needed, avoid caching sensitive database internals, and clear or refresh cached schema data when the task or database changes.
A recurring task could continue querying the database after the original session if not explicitly managed.
The example supports a recurring health-check task. It is user-requested and purpose-aligned, but the schedule location, permissions, logs, and disable path are not specified.
User: Check database health every day at 9 AM
Assistant: [Set up scheduled task to execute health check daily]
Only create scheduled checks with explicit user approval, document where the schedule is stored, use read-only credentials, and provide a clear way to disable it.
