crystaldba/postgres-mcp

Minor capabilities, nothing alarming.

View source ↗

Environment variables (config / keys) 2

Filesystem writes 1

Remote code execution 1

Shell / command execution 1

Sensitive credential files 1

AI review

This extension is a legitimate Postgres MCP server for database management. The static findings show standard development patterns (remote code install in README, environment variable access for configuration, SQL testing patterns) that are expected for this type of tool. No evidence of malicious intent, hidden instructions, or deceptive behavior was found.

low README contains remote code execution pattern — The README includes `curl -sSL https://astral.sh/uv/install.sh | sh` which is a common but risky pattern. However, this is standard documentation for installing the 'uv' package manager and is not hidden or deceptive. Users should always verify installation scripts before running.
low Environment variable access for configuration — The extension reads DATABASE_URI and POSTGRES_MCP_INCLUDE_LANGFUSE_TRACE from environment variables. This is expected behavior for a database tool that needs connection credentials and configuration. No evidence of exfiltration or misuse.
low Test file contains pg_read_file reference — The test file references `SELECT pg_read_file('/etc/passwd')` which is a known PostgreSQL security concern. However, this appears in a unit test file testing SQL safety validation, not in production code. The safe_sql module likely blocks such queries.
low Safe SQL module references popen — The safe_sql.py file references 'popen' in what appears to be a blocklist or detection pattern, not an execution call. This is consistent with the stated purpose of providing safe SQL execution with access controls.

Model: deepseek-chat

Static findings

Remote code execution · Downloads and executes remote code

info README.md:631 curl -sSL https://astral.sh/uv/install.sh | sh

Environment variables (config / keys) · Reads environment variables (config / API keys)

low src/postgres_mcp/index/presentation.py:126 include_langfuse_trace = os.environ.get("POSTGRES_MCP_INCLUDE_LANGFUSE_TRACE", "true").lower() == "true"

low src/postgres_mcp/server.py:629 database_url = os.environ.get("DATABASE_URI", args.database_url)

Shell / command execution · Executes shell / system commands

medium src/postgres_mcp/sql/safe_sql.py:615 "popen",

Filesystem writes · Reads or writes the filesystem

info tests/integration/dta/test_dta_calc_integration.py:531 os.remove(sql_file_path)

Sensitive credential files · Reads sensitive credential files

info tests/unit/sql/test_safe_sql.py:365 "SELECT pg_read_file('/etc/passwd');",

Scanning every extension your team installs?

Pro & Team add monitoring, private scans, and a CI gate for unsafe extensions.

MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.