How Google’s Open‑Source MCP Toolbox Secures AI Agent Database Access

Why Direct Function Calling Is Risky

Typical implementations expose an execute_sql tool that lets an LLM run any SQL, leading to three core risks: over‑privilege (LLM could issue DROP TABLE or malicious updates), a new form of SQL injection via prompt injection, and difficulty auditing generated statements.

These issues stem from giving the LLM coarse‑grained tools that are detached from business semantics.

MCP Toolbox Core Design

The toolbox inserts a control plane between the AI agent and the database. All allowed operations are defined in YAML files, and the LLM can only invoke these pre‑defined tools, never raw SQL.

AI Agent / LLM
    ↓ MCP protocol calls tool
MCP Toolbox Server (YAML‑defined tools)
    ↓ Parameterized query
Database (MySQL / PostgreSQL / Redis / …)

The Go‑based HTTP service listens on port 5000 and translates tool calls into safe, parameterized queries.

Structured Queries Eliminate Injection

Each tool’s SQL is a static template with placeholders, e.g.:

kind: tool
name: get_user_orders
type: postgres-sql
source: prod-postgres
description: "Query recent 30‑day orders for a user"
parameters:
  - name: user_id
    type: integer
    description: "User ID"
  - name: limit
    type: integer
    description: "Max rows, capped at 50"
statement: |
  SELECT order_id, amount, status, created_at
  FROM orders
  WHERE user_id = $1
    AND created_at > NOW() - INTERVAL '30 days'
  ORDER BY created_at DESC
  LIMIT LEAST($2, 50)

Only user_id and limit can be supplied, preventing logic changes, and the LEAST($2, 50) clause enforces row limits at the DB level.

Least‑Privilege and Read‑Only Hints

Tools can carry annotations such as readOnlyHint: true, destructiveHint: false, and idempotentHint: true. AI frameworks can surface these hints, require manual confirmation for destructive tools, and assign different toolsets to different agents (e.g., customer‑service agents get read‑only tools only).

Authentication Integration

Tools may require specific auth services; for example, a tool can declare authRequired: google-oidc-service and automatically fill the sub claim from the JWT, blocking attempts to pass arbitrary user IDs.

Quick Start: Running a Local Environment in Five Minutes

Step 1 – Start the Toolbox Service

docker run --rm -i \
  -v $(pwd)/tools.yaml:/app/tools.yaml \
  -p 5000:5000 \
  us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:latest \
  --tools-file /app/tools.yaml

Step 2 – Write the YAML Tool Definitions

# Data source definition
sources:
  my-pg:
    kind: postgres
    host: 127.0.0.1
    port: 5432
    database: myapp
    user: readonly_user
    password: ${PG_PASSWORD}

# Tool definitions
tools:
  search_products:
    kind: postgres-sql
    source: my-pg
    description: |
      Search products by keyword, return only active items.
    parameters:
      - name: keyword
        type: string
        description: "Search keyword"
      - name: max_price
        type: float
        description: "Price ceiling (optional)"
    statement: |
      SELECT product_id, name, price, category
      FROM products
      WHERE status = 'active'
        AND name ILIKE '%' || $1 || '%'
        AND ($2::float IS NULL OR price <= $2)
      ORDER BY created_at DESC
      LIMIT 20
    annotations:
      readOnlyHint: true

  get_order_detail:
    kind: postgres-sql
    source: my-pg
    description: "Query order details with items and shipment info"
    parameters:
      - name: order_id
        type: string
        description: "Order ID"
    statement: |
      SELECT o.order_id, o.status, o.total_amount,
             oi.product_name, oi.quantity, oi.unit_price,
             s.carrier, s.tracking_number
      FROM orders o
      LEFT JOIN order_items oi ON o.order_id = oi.order_id
      LEFT JOIN shipments s ON o.order_id = s.order_id
      WHERE o.order_id = $1
    annotations:
      readOnlyHint: true

toolsets:
  customer-service-tools:
    tools:
      - search_products
      - get_order_detail

Step 3 – Go Code Integration

package main

import (
    "context"
    "fmt"
    "log"
    "github.com/googleapis/mcp-toolbox-sdk-go/core"
)

func main() {
    ctx := context.Background()
    client, err := core.NewToolboxClient("http://localhost:5000")
    if err != nil {
        log.Fatalf("Failed to create Toolbox client: %v", err)
    }
    tools, err := client.LoadToolset(ctx, "customer-service-tools")
    if err != nil {
        log.Fatalf("Failed to load toolset: %v", err)
    }
    fmt.Printf("Loaded %d tools
", len(tools))

    searchTool, err := client.LoadTool(ctx, "search_products")
    if err != nil {
        log.Fatalf("Failed to load tool: %v", err)
    }
    result, err := searchTool.Invoke(ctx, map[string]any{"keyword": "wireless earbuds", "max_price": 500.0})
    if err != nil {
        log.Fatalf("Tool invocation failed: %v", err)
    }
    fmt.Println("Query result:", result)
}

Install the SDK with go get github.com/googleapis/mcp-toolbox-sdk-go/core. The LLM only sees the tool name and parameters, never the raw SQL or connection string.

Production Pitfalls

Pitfall 1: Vague tool description fields cause the LLM to misuse tools. Descriptions must clearly state the scenario, required parameters, and result scope.

Pitfall 2: Each tool call uses a separate DB connection, so multi‑step operations that need a transaction must be wrapped into a single tool that performs the transaction internally.

Pitfall 3: Forgetting to set the TOOLBOX_URL environment variable breaks OIDC authentication, leading to “tool loaded but auth error” failures.

When to Use MCP Toolbox vs. Direct Function Calling

Suitable for MCP Toolbox:

Databases contain sensitive PII, financial or transactional data.

Strict auditability is required (e.g., finance, healthcare, e‑commerce).

Multiple agents share a common set of database tools.

Separation of responsibilities between AI developers and DBAs.

Direct function calling is enough when:

The database is a read‑only analytics store for internal tools.

Rapid prototyping or proof‑of‑concept work.

All data is public and no access control is needed.

The decisive question is whether you can tolerate an LLM generating unexpected SQL in edge cases; if not, adopt the toolbox.

FAQ

Q: Does MCP Toolbox support Redis?

A: Yes. Use type: redis and commands like GET, SET, HGET with parameterized templates.

Q: Can the YAML tool definitions be hot‑reloaded?

A: In version v1.1.0 a restart is required, but the service is stateless and restarts quickly; hot‑reload is planned.

Q: What happens if the Toolbox crashes?

A: The agent loses database access. Deploy with multiple replicas (Kubernetes, Cloud Run) and monitor the /healthz endpoint.

Q: Are Go and Python SDKs feature‑parity?

A: Core functions (LoadTool, LoadToolset, Invoke) are identical; Python currently has more advanced examples, while Go is recommended for Go‑based agents.

Q: How to tune the connection pool?

A: Adjust maxConns, minConns, and maxConnLifetime in the source definition based on expected concurrency.