MCP ClickHouse Server
vmcp-clickhouse 0.4.0 (2026-06-03); Cloud Remote MCP; Managed ClickStack MCPClickHouse (Official)
Official ClickHouse MCP family: open-source mcp-clickhouse (PyPI, v0.4.0) plus ClickHouse Cloud Remote MCP at https://mcp.clickhouse.cloud/mcp with OAuth 2.0 and a Managed ClickStack MCP endpoint for observability. The local server is read-only by default; writes require CLICKHOUSE_ALLOW_WRITE_ACCESS=true, and destructive operations (DROP/TRUNCATE) need a second opt-in flag, CLICKHOUSE_ALLOW_DROP=true. Cloud remote tools are strictly read-only (readOnlyHint).
Trust Vector Analysis
Dimension Breakdown
๐Performance & Reliability+
Query execution capability review
Connection stability assessment
Large result handling review
Error handling review
Managed endpoint reliability review
๐ก๏ธSecurity+
Default-posture review; secure-by-default read-only stance on both local and remote variants
Write-gate design review; the graduated two-flag model separating writes from destructive DDL is a good practice other database MCP servers should adopt
Authentication mechanism review; strong OAuth on remote, but local deployments can be misconfigured with the auth-disabled bypass
Credential security analysis; scored on the local path since it is the most common deployment
Injection and prompt-injection exposure analysis
๐Privacy & Compliance+
Data flow analysis
PII protection assessment
Self-hosting options review
Data sharing analysis
๐๏ธTrust & Transparency+
Documentation completeness review
Source code and maintenance review
Query logging assessment
Community engagement analysis
โ๏ธOperational Excellence+
Setup complexity assessment
Performance review of the underlying engine for agent workloads
Deployment options review
Cost analysis
Community support assessment
- +Read-only by default with a graduated write-gate: writes need CLICKHOUSE_ALLOW_WRITE_ACCESS=true and destructive DDL needs a second flag (CLICKHOUSE_ALLOW_DROP=true) โ exemplary secure-by-default design
- +Managed Cloud Remote MCP with OAuth 2.0 and strictly read-only tools (readOnlyHint on all 13 tools)
- +Excellent analytical query performance for agent-driven data exploration
- +Flexible deployment: stdio, HTTP/SSE, managed remote, ClickStack observability endpoint, and embedded chDB
- +Open source (Apache 2.0) under the official ClickHouse org with active releases
- +Managed ClickStack MCP extends the same model to logs, metrics, and traces for incident-investigation agents
- !Query results are exposed to the LLM provider with no built-in PII detection or filtering
- !Local stdio deployments store database credentials in environment variables or client config
- !Development-only auth bypass flag (CLICKHOUSE_MCP_AUTH_DISABLED) can be dangerously misused on exposed HTTP transports
- !Once both write flags are enabled, the agent can perform destructive DDL within the DB user's grants
- !Prompt-injection via untrusted data in query results remains possible; read-only mode limits damage but not data exfiltration
- !Large result sets require query-side LIMITs to avoid flooding model context
- !Cloud Remote MCP requires ClickHouse Cloud; feature is disabled per service until explicitly enabled
Use Case Ratings
code generation
Strong for generating and validating ClickHouse SQL against live schemas
customer support
Useful for querying product analytics behind support questions
content creation
Limited fit; data-backed reporting and dashboard narratives
data analysis
Primary use case: fast agent-driven exploration of large analytical datasets
research assistant
Great for iterative hypothesis testing over large datasets
legal compliance
No PII filtering; requires scoped database users and read-only mode
healthcare
Telemetry/analytics fit, but PHI exposure to the LLM needs strict controls
financial analysis
Excellent for market/event analytics; keep write flags off for production data
education
SQL Playground preset makes it easy to teach analytical SQL with agents
creative writing
Minimal applicability beyond data lookups