Agent database access security

Google MCP Toolbox blocks SQL injection by moving credentials and queries out of agent control MLOps Community
TL;DW
  • MCP Toolbox serves 20 million database tool calls monthly, with runtime agent applications showing 10x higher potential than buildtime development tools.
  • Confused deputy attacks exploit three conditions: agents accessing private data, reading untrusted content, and communicating results back—prevent by removing agent control.
  • Pre-write and pre-approve SQL statements in YAML; agents only input constrained parameters, eliminating SQL injection risk from agent-generated queries.
  • Abstract database credentials and network topology from agents entirely via configuration injection at server startup—agents never see connection details.
  • Use prepared statements with strictly typed parameters and remove PII from agent control via binding parameters or authenticated tokens outside agent visibility.
  • Parameterized secure database views create sandboxed environments for agents to explore complex questions like multi-condition customer purchase analysis safely.
  • Runtime production tools require zero hallucinations, low latency, and deterministic behavior; buildtime development tools can be flexible with human expert approval.
  • Separate three identities: users access only the application, application workload identity accesses databases, agents access only end-user-specific constrained data.
  • Structured SQL tools with pre-approved statements outperform natural language-to-SQL for security-critical untrusted user scenarios in autonomous applications.
  • MCP Toolbox handles authentication, observability, and connection pooling out-of-the-box, supporting 40 data sources with 13,500+ GitHub stars and 100+ contributors.

Pre-approves SQL statements at deploy time, binds user credentials server-side, and strips sensitive parameters from agent visibility entirely. Covers the four-stage hardening model and the buildtime-vs-runtime tool distinction, with a focus on stopping confused-deputy attacks in production.