clickhouse-best-practices
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill implements essential defensive guardrails by requiring agents to use 'LIMIT', 'max_execution_time', and 'max_rows_to_read' on all generated queries to prevent resource exhaustion. It also correctly advises against hardcoding sensitive credentials, recommending the use of environment variables or OAuth mechanisms.
- [EXTERNAL_DOWNLOADS]: The skill suggests cloning the official ClickHouse plugin repository from GitHub and installing the 'mcp-clickhouse' package. These resources are traced to the verified vendor and are safe for use within the intended development context.
- [COMMAND_EXECUTION]: To facilitate database management, the skill guides the agent to use 'clickhouse-client' and 'curl' for executing queries and retrieving schema information. These operations are within the necessary scope of the skill's database administration functionality.
- [PROMPT_INJECTION]: The skill defines a schema discovery workflow that ingests metadata from ClickHouse system tables, creating a potential surface for indirect prompt injection from database content.
  - Ingestion points: Database metadata is retrieved from 'system.tables' and 'system.columns' in 'rules/agent-discovery-schema.md'.
  - Boundary markers: The skill establishes a procedural discovery sequence to be performed before query planning.
  - Capability inventory: The agent has the capability to run SQL and shell commands via CLI or MCP tools.
  - Sanitization: The instructions mitigate risk by requiring the agent to use 'EXPLAIN ESTIMATE' and 'LIMIT' to validate query costs and restrict results.