Snowflake MCP Connection
Warn
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate Snowflake MCP setup guide, but it asks users to expose highly privileged Snowflake access and arbitrary SQL/object-management tools to an agent.
Install/use this only if you are comfortable giving an MCP client access to Snowflake. Do not use ACCOUNTADMIN for routine agent access; create a dedicated least-privilege role, restrict databases/schemas and SQL actions, protect PATs/passwords, and disable object-management or custom action tools unless you specifically need them.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the token is overprivileged, the agent could access or change far more Snowflake data and configuration than intended.
The setup asks for a highly privileged Snowflake role and a reusable token, then connects that authority to an MCP client/agent.
- Snowflake account with ACCOUNTADMIN role
- Programmatic Access Token (PAT) from Snowflake
Use a dedicated least-privilege Snowflake role and PAT, preferably read-only for validation, restricted to specific databases/schemas/warehouses, and rotate/revoke it when no longer needed.
An agent with this tool and a privileged token could query sensitive tables or run destructive SQL if the Snowflake role permits it.
The managed MCP server exposes a raw SQL execution tool to the agent, and the docs do not clearly constrain it to safe/read-only statements in the main managed-server path.
| `SYSTEM_EXECUTE_SQL` | Execute arbitrary SQL queries |
Limit the Snowflake role to the minimum allowed SQL actions, prefer read-only views for agent access, and require human confirmation before any DDL/DML or administrative action.
If users copy this template as-is, the local MCP server may expose Snowflake object mutation tools to the agent.
The local-server template enables an object-management service by default, explicitly described as allowing create/drop/alter operations.
# Object management - create, drop, alter Snowflake objects
object_manager: True
Disable object_manager unless it is specifically required, and keep DDL/DML permissions off for routine query or connectivity use.
A future or unexpected package version could behave differently from what the documentation implies.
The optional local setup runs an external package by name without pinning a version in the artifact; this is disclosed and related to the purpose but outside the reviewed skill files.
"command": "uvx",
"args": [
"snowflake-labs-mcp",
Prefer the managed Snowflake MCP server when possible, or verify the package source and pin a known-good version for local use.
Plaintext credentials in project files or command arguments can be exposed through file sharing, source control, logs, or process inspection.
The local-server examples show Snowflake credentials being supplied in MCP configuration/command arguments, which is expected for the integration but sensitive.
"--password", "your_password"
Use Snowflake key-pair or token-based authentication where possible, restrict file permissions, avoid committing mcp.json or connection files, and prefer secret managers/environment-specific credential handling.
