crystaldba/postgres-mcp

Powerful capabilities — review before trusting.

View source ↗

Environment variables (config / keys) 2

Filesystem writes 1

Remote code execution 1

Shell / command execution 1

Sensitive credential files 1

AI review

This extension is a legitimate PostgreSQL MCP server for database management. The static findings show standard development patterns (remote code install in README, environment variable access for configuration, SQL testing patterns) that are expected for a database tool. No evidence of malicious intent or hidden instructions to exfiltrate data or manipulate agents.

low README contains curl-pipe-bash install pattern — The README includes 'curl -sSL https://astral.sh/uv/install.sh | sh' which is a common but risky install pattern. This is standard for the 'uv' package manager and not hidden or deceptive, but users should review scripts before piping to shell.
low Environment variable access for configuration — The code reads POSTGRES_MCP_INCLUDE_LANGFUSE_TRACE and DATABASE_URI from environment variables. This is expected configuration behavior for a database tool and not an attempt to exfiltrate credentials.
low Test file references pg_read_file('/etc/passwd') — This appears in a unit test file (test_safe_sql.py) as a test case for SQL injection/safety validation, not as actual execution. This is standard security testing practice.
low Safe SQL module references popen — The reference to 'popen' in safe_sql.py is likely part of a blocklist or safety check mechanism, not actual command execution. This is expected in a SQL safety validation module.

Model: deepseek-chat

Static findings

Remote code execution · Downloads and executes remote code

info README.md:631 curl -sSL https://astral.sh/uv/install.sh | sh

Environment variables (config / keys) · Reads environment variables (config / API keys)

low src/postgres_mcp/index/presentation.py:126 include_langfuse_trace = os.environ.get("POSTGRES_MCP_INCLUDE_LANGFUSE_TRACE", "true").lower() == "true"

low src/postgres_mcp/server.py:629 database_url = os.environ.get("DATABASE_URI", args.database_url)

Shell / command execution · Executes shell / system commands

medium src/postgres_mcp/sql/safe_sql.py:615 "popen",

Filesystem writes · Reads or writes the filesystem

info tests/integration/dta/test_dta_calc_integration.py:531 os.remove(sql_file_path)

Sensitive credential files · Reads sensitive credential files

info tests/unit/sql/test_safe_sql.py:365 "SELECT pg_read_file('/etc/passwd');",

Scanning every extension your team installs?

Pro & Team add monitoring, private scans, and a CI gate for unsafe extensions.

MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.