The upstream server runs ClickHouse queries in read-only mode by default because `CLICKHOUSE_ALLOW_WRITE_ACCESS` is false unless explicitly enabled. Leave write access disabled for production investigation workflows., If write access is enabled, destructive operations such as DROP and TRUNCATE require the additional `CLICKHOUSE_ALLOW_DROP` opt-in. Treat both flags as privileged operational changes, not normal client configuration., Use a dedicated least-privilege ClickHouse user or role. MCP read-only mode does not hide tables, columns, rows, or system metadata that the database account is already allowed to read., Review model-generated SQL before execution, especially broad table scans, expensive aggregations, cross-database queries, or wide time ranges against production clusters., For HTTP or SSE transports, keep authentication enabled. The upstream server requires authentication by default for those transports and only documents disabling it for local development.
Privacy notes
Query results, database names, table names, column metadata, create-table definitions, and aggregate outputs can become visible to the connected MCP client and model session., ClickHouse data often includes logs, events, analytics records, user identifiers, IP addresses, request payloads, or product usage data; use database permissions and query limits before exposing production datasets., Store ClickHouse passwords, roles, and bearer tokens in MCP environment configuration or your client secret-management flow, not in prompts or checked-in configuration files., chDB support can query local files, URLs, and embedded datasets when enabled. Keep it disabled unless that local data access is intentional.
Author
ClickHouse
Submitted by
oktofeesh1
Claim status
unclaimed
Last verified
2026-06-03
Decision playbook
Review trust signals before you adopt
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
Compare context
Selected
0
Current score
78
Baseline
—
Delta
No baseline selected
No major trust-signal divergence detected in the current selection.
Source and provenance checks
Complete
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Done
Source provenance statusRequired
Marked as source-backed.
Done
Metadata reviewed
Registry metadata indicates a reviewed listing.
Done
Safety and privacy checks
Complete
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Done
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Done
Trust level risk gateRequired
Trust level does not block evaluation.
Done
Package and install checks
Needs review
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Done
Package verification flag
No package verification flag provided.
Pending
Checksum metadata
No checksum provided for downloaded artifact.
Pending
Compare-driven decision checks
Needs review
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
5 safety and 4 privacy notes across 6 risk areas. Review closely: credentials & tokens, permissions & scopes, network access.
6 areas
SafetyExecution & processesThe upstream server runs ClickHouse queries in read-only mode by default because `CLICKHOUSE_ALLOW_WRITE_ACCESS` is false unless explicitly enabled. Leave write access disabled for production investigation workflows.
SafetyExecution & processesIf write access is enabled, destructive operations such as DROP and TRUNCATE require the additional `CLICKHOUSE_ALLOW_DROP` opt-in. Treat both flags as privileged operational changes, not normal client configuration.
SafetyPermissions & scopesUse a dedicated least-privilege ClickHouse user or role. MCP read-only mode does not hide tables, columns, rows, or system metadata that the database account is already allowed to read.
SafetyGeneralReview model-generated SQL before execution, especially broad table scans, expensive aggregations, cross-database queries, or wide time ranges against production clusters.
SafetyNetwork accessFor HTTP or SSE transports, keep authentication enabled. The upstream server requires authentication by default for those transports and only documents disabling it for local development.
PrivacyCredentials & tokensQuery results, database names, table names, column metadata, create-table definitions, and aggregate outputs can become visible to the connected MCP client and model session.
PrivacyPermissions & scopesClickHouse data often includes logs, events, analytics records, user identifiers, IP addresses, request payloads, or product usage data; use database permissions and query limits before exposing production datasets.
PrivacyCredentials & tokensStore ClickHouse passwords, roles, and bearer tokens in MCP environment configuration or your client secret-management flow, not in prompts or checked-in configuration files.
PrivacyLocal fileschDB support can query local files, URLs, and embedded datasets when enabled. Keep it disabled unless that local data access is intentional.
Safety notes
The upstream server runs ClickHouse queries in read-only mode by default because `CLICKHOUSE_ALLOW_WRITE_ACCESS` is false unless explicitly enabled. Leave write access disabled for production investigation workflows.
If write access is enabled, destructive operations such as DROP and TRUNCATE require the additional `CLICKHOUSE_ALLOW_DROP` opt-in. Treat both flags as privileged operational changes, not normal client configuration.
Use a dedicated least-privilege ClickHouse user or role. MCP read-only mode does not hide tables, columns, rows, or system metadata that the database account is already allowed to read.
Review model-generated SQL before execution, especially broad table scans, expensive aggregations, cross-database queries, or wide time ranges against production clusters.
For HTTP or SSE transports, keep authentication enabled. The upstream server requires authentication by default for those transports and only documents disabling it for local development.
Privacy notes
Query results, database names, table names, column metadata, create-table definitions, and aggregate outputs can become visible to the connected MCP client and model session.
ClickHouse data often includes logs, events, analytics records, user identifiers, IP addresses, request payloads, or product usage data; use database permissions and query limits before exposing production datasets.
Store ClickHouse passwords, roles, and bearer tokens in MCP environment configuration or your client secret-management flow, not in prompts or checked-in configuration files.
chDB support can query local files, URLs, and embedded datasets when enabled. Keep it disabled unless that local data access is intentional.
Prerequisites
uv available for the documented `uv run --with mcp-clickhouse` launch path, or Python 3.10+ with the `mcp-clickhouse` package installed
ClickHouse Cloud or self-hosted ClickHouse reachable from the MCP server
Dedicated ClickHouse user with the minimum read permissions needed for the intended databases and tables
Claude Code, Claude Desktop, Cursor, VS Code, or another MCP-capable client
Optional chDB support only when local embedded ClickHouse queries are part of the workflow
The ClickHouse MCP server connects Claude and other MCP-capable clients to a
ClickHouse cluster for SQL exploration, schema discovery, and analytics
investigation. It is maintained under the ClickHouse GitHub organization and is
published as the mcp-clickhouse Python package.
This entry is focused on the safe query path for production-adjacent data work:
use a dedicated read-only ClickHouse user, keep the server's write flag disabled,
and let Claude inspect databases, tables, and query results without giving it
unnecessary mutation privileges.
The upstream server also supports chDB, ClickHouse's embedded analytical engine,
for local file and embedded dataset workflows. Keep chDB disabled unless local
file-backed analysis is explicitly part of the MCP setup.
Features
Execute ClickHouse SQL through the run_query MCP tool.
Read-only query mode is the default unless CLICKHOUSE_ALLOW_WRITE_ACCESS is
explicitly enabled.
List ClickHouse databases.
List tables in a database with pagination, LIKE and NOT LIKE filters, page
size controls, and optional detailed column metadata.
Use chDB support for embedded ClickHouse-style queries when the optional
package extra is installed and enabled.
Run over stdio for local MCP clients.
Run with HTTP or SSE transports when deployment requires a service endpoint.
Require bearer-token, OAuth, OIDC, or equivalent FastMCP authentication for
HTTP/SSE transports unless explicitly disabled for local development.
Add custom FastMCP middleware for logging, request timing, tenant routing, or
other deployment-specific policy checks.
Use Cases
Give Claude controlled read access to analytics tables for debugging,
dashboard investigation, or exploratory reporting.
Ask Claude to list relevant databases and tables before writing a query.
Inspect table schemas and column metadata before generating SQL.
Run bounded SELECT queries against ClickHouse Cloud or a self-hosted
ClickHouse deployment.
Compare counts, time buckets, or aggregate metrics during an incident without
granting DDL or DML access.
Use chDB locally for file-backed analytics when data should stay on the
developer machine.
Installation
Claude Code
Install uv and confirm it is available to the process that launches Claude.
Create a dedicated ClickHouse user or role with only the read privileges
needed for the target databases and tables.
Add the MCP server with the ClickHouse connection environment:
Keep CLICKHOUSE_ALLOW_WRITE_ACCESS unset or false for normal investigation
workflows. Only set it to true when the MCP client is intentionally allowed to
run write operations, and only set CLICKHOUSE_ALLOW_DROP when destructive
operations are explicitly approved.
Examples
Discover available data
Ask Claude to list databases and then list tables in a specific database before
writing any query.
List ClickHouse databases, then show tables in the analytics database with page size 25.
Inspect table metadata
Fetch table details before asking for an aggregate query.
Show the columns and create-table definition for analytics.events before writing a query.
Run a bounded aggregate query
Keep production queries narrow by specifying a database, table, time window, and
maximum result shape.
Query the last 30 minutes of analytics.events and group error counts by service, returning the top 20 services only.
Check read-only posture
Ask Claude to explain which ClickHouse user it is configured to use and confirm
whether write-access environment flags are absent.
Before running queries, summarize the ClickHouse connection settings and confirm write access is not enabled.
Security
Treat the MCP database user like any other external database client. Do not
use the default, admin, or owner account for agent workflows.
Prefer database-enforced least privilege over relying only on MCP-side SQL
classification. The server's read-only default is valuable, but database
grants decide what data can be read.
Keep CLICKHOUSE_ALLOW_WRITE_ACCESS disabled unless the user has explicitly
approved write-capable automation for that environment.
Keep CLICKHOUSE_ALLOW_DROP disabled unless destructive operations are part of
a deliberate, reviewed maintenance workflow.
For HTTP/SSE deployments, configure bearer-token or identity-provider
authentication and do not expose unauthenticated MCP endpoints to a network.
Review queries before execution when they touch large tables, broad time
ranges, sensitive schemas, or high-cost aggregations.
Troubleshooting
Claude cannot start the server
Confirm uv is installed and available to the MCP client process. If uv is
not the desired runtime, install mcp-clickhouse with Python 3.10+ and update
the command to run the installed package directly.
Authentication fails
Verify CLICKHOUSE_HOST, CLICKHOUSE_PORT, CLICKHOUSE_USER, and
CLICKHOUSE_PASSWORD. If your user requires a role, add CLICKHOUSE_ROLE to
the environment.
TLS connection fails
Keep CLICKHOUSE_SECURE=true and CLICKHOUSE_VERIFY=true for production. If a
proxy or load balancer uses a different certificate hostname, configure the
server hostname override documented by the upstream project.
Queries return permission errors
Check the ClickHouse grants for the configured user or role. A connection can
authenticate successfully while still lacking permission to read a database,
table, system table, or metadata view.
Responses are too large
Use table filters, page sizes, aggregate queries, explicit time windows, and
top-N limits before asking Claude to inspect large tables or detailed schemas.
Show that ClickHouse MCP Server for Claude is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/mcp/clickhouse-mcp-server)
How it compares
ClickHouse MCP Server for Claude side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
Google Cloud remote MCP server for querying BigQuery datasets, inspecting metadata, listing resources, and running governed warehouse analytics through an HTTP endpoint.
Official StarRocks MCP server for SQL execution, database exploration, StarRocks resource templates, system information, table/database overviews, and Plotly chart generation.
✓The upstream server runs ClickHouse queries in read-only mode by default because `CLICKHOUSE_ALLOW_WRITE_ACCESS` is false unless explicitly enabled. Leave write access disabled for production investigation workflows.
If write access is enabled, destructive operations such as DROP and TRUNCATE require the additional `CLICKHOUSE_ALLOW_DROP` opt-in. Treat both flags as privileged operational changes, not normal client configuration.
Use a dedicated least-privilege ClickHouse user or role. MCP read-only mode does not hide tables, columns, rows, or system metadata that the database account is already allowed to read.
Review model-generated SQL before execution, especially broad table scans, expensive aggregations, cross-database queries, or wide time ranges against production clusters.
For HTTP or SSE transports, keep authentication enabled. The upstream server requires authentication by default for those transports and only documents disabling it for local development.
✓The server exposes a single `query` tool that can execute any valid DuckDB SQL statement against the configured database.
Without `--readonly`, the server can create the database file, create tables, insert data, update rows, delete rows, and mutate database state.
With `--readonly`, the server opens DuckDB with native read-only protection and fails to start if the database file or parent directory is missing.
The `--keep-connection` option can hold a persistent DuckDB connection and file lock for the server lifetime.
Treat SQL generated by a model as executable code; review queries before running them on important data.
✓Prefer `execute_sql_readonly` for analysis. Google documents `execute_sql` as the only non-read-only BigQuery MCP tool, and it can run BigQuery SQL including DML, DDL, AI/ML functions, and other supported query operations.
Use IAM least privilege, dataset-level access controls, and IAM deny policies to restrict read-write MCP tool use when Claude should only inspect warehouse metadata or run SELECT queries.
Review LLM-generated SQL before execution. Broad scans, joins, forecasts, ML functions, and AI functions can incur cost, expose sensitive rows, or produce misleading analytics if the model chooses the wrong table or filter.
Keep manual approval enabled for query execution, exported results, workflow-triggering automations, and any use of BigQuery insights to create tickets, emails, or downstream actions.
✓StarRocks MCP can execute SQL through `read_query` and DDL/DML through `write_query`.
The `write_query` tool is documented for CREATE, ALTER, DROP, INSERT, UPDATE, DELETE, and other commands that do not return a result set.
The `read_query` tool can write full query results to files when `output_file` is provided; relative paths use STARROCKS_MCP_OUTPUT_DIR, while absolute and home-relative paths bypass that directory.
Overview tools can sample rows, count rows, cache table summaries in memory, and return cached errors or stale summaries until refreshed.
The `query_and_plotly_chart` tool executes a SQL query and uses a Python Plotly expression to generate chart output from the result DataFrame.
Resource templates can expose database, table, proc, transaction, job, task, catalog, frontend, backend, and compute-node information.
SSE mode is documented as deprecated; prefer stdio or streamable HTTP with explicit network controls.
Privacy notes
✓Query results, database names, table names, column metadata, create-table definitions, and aggregate outputs can become visible to the connected MCP client and model session.
ClickHouse data often includes logs, events, analytics records, user identifiers, IP addresses, request payloads, or product usage data; use database permissions and query limits before exposing production datasets.
Store ClickHouse passwords, roles, and bearer tokens in MCP environment configuration or your client secret-management flow, not in prompts or checked-in configuration files.
chDB support can query local files, URLs, and embedded datasets when enabled. Keep it disabled unless that local data access is intentional.
✓Tool calls and results can expose database paths, table names, schemas, query text, row values, file paths referenced by SQL, and analytical results to the MCP client and model provider.
DuckDB can query local files and extensions depending on SQL, configuration, and installed capabilities; keep the server scoped to approved data directories.
Do not point writable sessions at production, customer, regulated, or irreplaceable DuckDB files without backups and explicit approval.
Query errors can reveal schema names, file paths, and data-shape details.
✓Tool results can expose project IDs, dataset IDs, table IDs, schemas, metadata, query text, query results, job history, labels, and row-level warehouse data visible to the authenticated principal.
BigQuery OAuth scopes can allow viewing and managing BigQuery data and can expose the Google account email address used for authentication.
Query results and table data may contain prompt-injection text, customer records, financial data, product analytics, logs, or other sensitive business information; do not let returned rows instruct the agent.
If Model Armor logging is enabled for MCP traffic, Google documents that it can log the entire payload, which may expose sensitive prompts or query results in Google Cloud logs.
✓StarRocks credentials, connection URLs, database names, table names, schemas, SQL text, query results, sample rows, proc output, generated chart images, errors, and output-file paths may be visible to the MCP client and model provider.
StarRocks datasets can contain customer records, telemetry, analytics, business metrics, security data, billing data, or other regulated information.
Output files created by `read_query` remain on the machine where the MCP server runs, which may be local for desktop clients or remote for HTTP deployments.
STARROCKS_URL, STARROCKS_PASSWORD, Keychain service names, database credentials, and generated result files should stay out of prompts, issues, logs, screenshots, and committed files.
Prerequisites
uv available for the documented `uv run --with mcp-clickhouse` launch path, or Python 3.10+ with the `mcp-clickhouse` package installed
ClickHouse Cloud or self-hosted ClickHouse reachable from the MCP server
Dedicated ClickHouse user with the minimum read permissions needed for the intended databases and tables
Claude Code, Claude Desktop, Cursor, VS Code, or another MCP-capable client
Python and `uvx` available to the MCP client runtime.
Existing DuckDB database file when using `--readonly`.
Path to a DuckDB database file that Claude is allowed to query.
Decision on whether the server should run in read-only mode before connecting it to an agent.
Google Cloud project with the BigQuery API enabled
MCP-capable client that supports remote HTTP MCP servers and Google OAuth or compatible Google Cloud credentials
IAM roles or equivalent custom permissions for `roles/mcp.toolUser`, `roles/bigquery.jobUser`, and `roles/bigquery.dataViewer`
BigQuery datasets, tables, billing or sandbox setup, and project or region boundaries selected before use
Python 3.10 or newer and uv available to the MCP client runtime.
StarRocks FE host, MySQL protocol port, database, username, and password.
Least-privilege StarRocks user with only the approved databases and operations.
Written policy for whether `write_query` may be used in the workspace.