Evaluation record ยท mcp-server-clickhouse

MCP ClickHouse Server

vmcp-clickhouse 0.4.0 (2026-06-03); Cloud Remote MCP; Managed ClickStack MCP

ClickHouse (Official)

MCPdatabaseanalyticsolapobservability
79
Strong
About This MCP

Official ClickHouse MCP family: open-source mcp-clickhouse (PyPI, v0.4.0) plus ClickHouse Cloud Remote MCP at https://mcp.clickhouse.cloud/mcp with OAuth 2.0 and a Managed ClickStack MCP endpoint for observability. The local server is read-only by default; writes require CLICKHOUSE_ALLOW_WRITE_ACCESS=true, and destructive operations (DROP/TRUNCATE) need a second opt-in flag, CLICKHOUSE_ALLOW_DROP=true. Cloud remote tools are strictly read-only (readOnlyHint).

Last Evaluated: July 9, 2026
Official Website

Trust Vector Analysis

Dimension Breakdown

๐Ÿš€Performance & Reliability
+
query execution

Query execution capability review

Evidence
ClickHouse MCP server repository โ€” run_query executes SQL on ClickHouse clusters via the official client, inheriting ClickHouse's columnar analytical performance; optional chDB tool provides embedded in-process querying
highVerified: 2026-07-09
connection stability

Connection stability assessment

Evidence
ClickHouse MCP server repository โ€” Built on the official ClickHouse Python client with configurable connection env vars; supports ClickHouse Cloud and self-managed clusters, with an unauthenticated /health endpoint on HTTP/SSE transports
mediumVerified: 2026-07-09
large result handling

Large result handling review

Evidence
ClickHouse MCP server repository โ€” list_tables supports pagination and filtering; very large SELECT result sets still need query-side LIMITs to avoid flooding the model context
mediumVerified: 2026-07-09
error handling

Error handling review

Evidence
ClickHouse MCP server repository โ€” Middleware system allows request interception and custom handling; write/DDL attempts in read-only mode are rejected with explicit errors rather than executed
mediumVerified: 2026-07-09
remote endpoint reliability

Managed endpoint reliability review

Evidence
ClickHouse Cloud Remote MCP documentation โ€” Fully managed remote MCP server at https://mcp.clickhouse.cloud/mcp, enabled per service from the Cloud console Connect menu; 13 read-only tools covering querying, schema exploration, service management, backups, ClickPipes, and billing
mediumVerified: 2026-07-09
๐Ÿ›ก๏ธSecurity
+
read only default

Default-posture review; secure-by-default read-only stance on both local and remote variants

Evidence
ClickHouse MCP server repository โ€” Local server defaults to read-only, preventing accidental mutations during AI exploration; the Cloud remote server goes further โ€” all tools carry readOnlyHint: true and no tool can modify data or service configuration
highVerified: 2026-07-09
graduated write gate

Write-gate design review; the graduated two-flag model separating writes from destructive DDL is a good practice other database MCP servers should adopt

Evidence
ClickHouse MCP server repository โ€” Two-tier opt-in: CLICKHOUSE_ALLOW_WRITE_ACCESS=true enables DDL/DML (CREATE, ALTER, INSERT, UPDATE, DELETE), while destructive operations (DROP TABLE, DROP DATABASE, TRUNCATE) require a separate CLICKHOUSE_ALLOW_DROP=true flag
highVerified: 2026-07-09
authentication security

Authentication mechanism review; strong OAuth on remote, but local deployments can be misconfigured with the auth-disabled bypass

Evidence
ClickHouse Cloud Remote MCP documentation โ€” Remote MCP authenticates via OAuth 2.0 scoped to the user's organizations and services; local HTTP/SSE transports require a bearer token (CLICKHOUSE_MCP_AUTH_TOKEN) or OAuth/OIDC delegation, with a development-only auth bypass flag
highVerified: 2026-07-09
credential exposure

Credential security analysis; scored on the local path since it is the most common deployment

Evidence
ClickHouse MCP server repository โ€” Local stdio deployments place CLICKHOUSE_USER/CLICKHOUSE_PASSWORD in environment variables or client config files; the OAuth-based Cloud remote avoids static credentials entirely
highVerified: 2026-07-09
query injection risk

Injection and prompt-injection exposure analysis

Evidence
Model Context Protocol security best practices โ€” The AI constructs arbitrary SQL; untrusted content in query results can carry injected instructions back to the model โ€” read-only default bounds the blast radius but exfiltration of readable data remains possible
mediumVerified: 2026-07-09
๐Ÿ”’Privacy & Compliance
+
data exposure to llm

Data flow analysis

Evidence
MCP Architecture โ€” Query results, schema listings, and (for ClickStack) telemetry data returned by tools are sent to the connected LLM provider
highVerified: 2026-07-09
pii protection

PII protection assessment

Evidence
ClickHouse MCP server repository โ€” No built-in PII detection or result filtering; any data readable by the configured ClickHouse user can reach the model
highVerified: 2026-07-09
self hosted option

Self-hosting options review

Evidence
ClickHouse MCP server repository โ€” Full self-hosting: pip/uv install, Docker, stdio/HTTP/SSE transports, and chDB embedded mode allow entirely local operation against self-managed ClickHouse
highVerified: 2026-07-09
third party data sharing

Data sharing analysis

Evidence
ClickHouse Cloud Remote MCP documentation โ€” Remote MCP access is scoped to the authenticated user's organizations and services; database content shared with the LLM provider is governed by that provider's terms, not ClickHouse's
mediumVerified: 2026-07-09
๐Ÿ‘๏ธTrust & Transparency
+
documentation quality

Documentation completeness review

Evidence
ClickHouse Cloud Remote MCP documentation โ€” First-party docs cover the repo README (env vars, flags, transports), Cloud remote MCP enablement, and ClickStack MCP blogs with setup for Claude Code, Cursor, and custom agents
highVerified: 2026-07-09
open source transparency

Source code and maintenance review

Evidence
ClickHouse MCP server repository โ€” Apache 2.0, officially maintained under the ClickHouse GitHub org (818+ stars, 192 forks); v0.4.0 released 2026-06-03 on PyPI as mcp-clickhouse
highVerified: 2026-07-09
query visibility

Query logging assessment

Evidence
ClickHouse query_log documentation โ€” All agent-issued SQL is recorded in ClickHouse's system.query_log; MCP clients additionally surface each tool call for user review
mediumVerified: 2026-07-09
community activity

Community engagement analysis

Evidence
ClickHouse blog โ€” agentic analytics and ClickStack MCP โ€” Active first-party investment: remote MCP beta launch, AWS Marketplace AI Agents listing, Managed ClickStack MCP for observability agents, and regular releases on the open-source server
highVerified: 2026-07-09
โš™๏ธOperational Excellence
+
ease of setup

Setup complexity assessment

Evidence
ClickHouse MCP server repository โ€” Local: uv/pip install mcp-clickhouse with a handful of env vars, plus an SQL Playground demo preset; Cloud: enable MCP from the service Connect menu and complete browser OAuth
highVerified: 2026-07-09
query performance

Performance review of the underlying engine for agent workloads

Evidence
ClickHouse benchmarks โ€” ClickHouse's columnar engine delivers sub-second analytical queries over billions of rows, making agent-driven exploratory analytics responsive
highVerified: 2026-07-09
deployment flexibility

Deployment options review

Evidence
ClickHouse MCP server repository โ€” Four deployment shapes: local stdio, self-hosted HTTP/SSE, managed Cloud Remote MCP (mcp.clickhouse.cloud/mcp), and Managed ClickStack MCP (mcp.clickhouse.cloud/clickstack) for observability, plus embedded chDB mode
highVerified: 2026-07-09
cost efficiency

Cost analysis

Evidence
ClickHouse Cloud pricing โ€” Open-source server and self-managed ClickHouse are free; Cloud remote MCP has no separate fee but agent queries consume service compute
mediumVerified: 2026-07-09
community support

Community support assessment

Evidence
ClickHouse MCP server repository โ€” 818 stars, 192 forks, active issue tracker and releases (v0.4.0, 2026-06-03), maintained by ClickHouse with community contributions
highVerified: 2026-07-09
Strengths
  • +Read-only by default with a graduated write-gate: writes need CLICKHOUSE_ALLOW_WRITE_ACCESS=true and destructive DDL needs a second flag (CLICKHOUSE_ALLOW_DROP=true) โ€” exemplary secure-by-default design
  • +Managed Cloud Remote MCP with OAuth 2.0 and strictly read-only tools (readOnlyHint on all 13 tools)
  • +Excellent analytical query performance for agent-driven data exploration
  • +Flexible deployment: stdio, HTTP/SSE, managed remote, ClickStack observability endpoint, and embedded chDB
  • +Open source (Apache 2.0) under the official ClickHouse org with active releases
  • +Managed ClickStack MCP extends the same model to logs, metrics, and traces for incident-investigation agents
Limitations
  • !Query results are exposed to the LLM provider with no built-in PII detection or filtering
  • !Local stdio deployments store database credentials in environment variables or client config
  • !Development-only auth bypass flag (CLICKHOUSE_MCP_AUTH_DISABLED) can be dangerously misused on exposed HTTP transports
  • !Once both write flags are enabled, the agent can perform destructive DDL within the DB user's grants
  • !Prompt-injection via untrusted data in query results remains possible; read-only mode limits damage but not data exfiltration
  • !Large result sets require query-side LIMITs to avoid flooding model context
  • !Cloud Remote MCP requires ClickHouse Cloud; feature is disabled per service until explicitly enabled
Metadata
license: Apache 2.0
supported platforms
0: All platforms with Python 3.10+; Docker; any MCP client (Cloud remote)
programming languages
0: Python
mcp version: 1.0
github repo: https://github.com/ClickHouse/mcp-clickhouse
github stars: 818
package name: mcp-clickhouse (PyPI)
latest version: 0.4.0 (2026-06-03)
remote endpoint: https://mcp.clickhouse.cloud/mcp (Cloud Remote MCP); https://mcp.clickhouse.cloud/clickstack (Managed ClickStack MCP)
api dependency: ClickHouse Python client; chDB (optional embedded engine)
authentication: Env-var credentials (stdio); bearer token or OAuth/OIDC (HTTP/SSE); OAuth 2.0 (Cloud remote)
security controls
0: read-only default
1: CLICKHOUSE_ALLOW_WRITE_ACCESS opt-in for DDL/DML
2: CLICKHOUSE_ALLOW_DROP second opt-in for destructive operations
3: readOnlyHint on all Cloud remote tools
transport types
0: stdio (default)
1: http
2: sse
3: streamable-http (Cloud remote)
maintained by: ClickHouse

Use Case Ratings

code generation

Strong for generating and validating ClickHouse SQL against live schemas

customer support

Useful for querying product analytics behind support questions

content creation

Limited fit; data-backed reporting and dashboard narratives

data analysis

Primary use case: fast agent-driven exploration of large analytical datasets

research assistant

Great for iterative hypothesis testing over large datasets

legal compliance

No PII filtering; requires scoped database users and read-only mode

healthcare

Telemetry/analytics fit, but PHI exposure to the LLM needs strict controls

financial analysis

Excellent for market/event analytics; keep write flags off for production data

education

SQL Playground preset makes it easy to teach analytical SQL with agents

creative writing

Minimal applicability beyond data lookups