Why Google’s MCP Database Tools Carry Weight

▶ Watch (1:53)

Kurtis Van Gent leads MCP on Google Cloud for databases. Google offers fully managed MCP services for AlloyDB, Spanner, Cloud SQL, Bigtable, and Firestore. The open-source MCP Toolbox for Databases has 13,500 GitHub stars and 100 contributors. It supports 40 databases. Last month alone, Google sent 20 million tool calls through MCP. These numbers prove they know MCP and databases at scale.

Three Common Database MCP Tool Patterns

▶ Watch (2:08)

Database MCP tools fall into three patterns. Control plane tools let agents call admin APIs: create instances, clone databases, manage users. Natural-language-to-SQL tools let agents write arbitrary queries. This works for developer assistance, but LLMs still struggle with accuracy. Structured SQL tools pre-write the SQL as code, so the agent only calls a named tool with parameters. This is the most popular pattern because it is safe, secure, and fast. The agent does not need to know SQL or the database type.

Build-Time vs Runtime Tool Design

▶ Watch (5:39)

Tools split into two categories. Build-time tools live in IDEs and CLIs like Gemini CLI and Cloud Code. They are generic, broad-access, and assume a developer is watching, so slow or unsafe operations are acceptable. Runtime tools are embedded in production applications using frameworks like ADK, LangChain, or Pydantic AI. These tools must be deterministic and zero-trust. Structured SQL tools dominate here because they eliminate hallucination risk and prevent prompt injection. The agent should not think for 30 seconds about the right SQL.

The Lethal Trifecta: Why Agent Security Is Different

▶ Watch (7:28)

A database is only as secure as its agent. Simon Willison called this the lethal trifecta: access to private data, exposure to untrusted content, and ability to communicate externally. An agent with all three can leak data. Example: a triage agent reads a ticket comment asking for executive salaries. The agent has database access, trusts the comment, and writes the data back to the ticket. The fix: treat agent identity separately from workload identity. Parameters supplied by the agent must be treated as untrusted. Application parameters like user identity must be injected by the application.

Toolbox: From Generic SQL to Authenticated Parameters

▶ Watch (13:05)

Wenxin Du showed how Toolbox hardens tools. Step one: abstract database connection details into a source primitive. The agent never sees host, port, or credentials. Step two: replace generic execute-SQL with pre-written SQL statements. Developers define prepared statements with typed parameters. This prevents SQL injection. Step three: use authenticated parameters. Toolbox derives user identity from an OIDC token and populates it into the SQL. The agent only inputs non-sensitive parameters like a date. A demo showed a travel agent booking flights for user Andy. The list-ticket tool required 20 lines of configuration.
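
The three hardening steps above, sketched as an added Python example (not Toolbox's own code or configuration format): the agent never sees the connection, the SQL is pre-written with typed parameters, and the user identity is bound from token claims instead of model output. The tool dictionary layout, `call_tool`, the table and its rows are hypothetical and constructed for illustration; OIDC token verification is assumed to have happened before `verified_claims` is passed in.

```python
import sqlite3

# Constructed sample data: two users' flight tickets.
DB = sqlite3.connect(":memory:")
DB.executescript("""
CREATE TABLE tickets (id INTEGER, user_email TEXT, flight TEXT, depart_date TEXT);
INSERT INTO tickets VALUES
  (1, 'andy@example.com',  'CY 101', '2025-01-10'),
  (2, 'andy@example.com',  'CY 202', '2025-02-03'),
  (3, 'blake@example.com', 'CY 303', '2025-01-10');
""")

# Hypothetical tool definition: pre-written SQL, typed agent parameters, and
# one parameter bound to a claim from the caller's verified OIDC token.
LIST_TICKETS = {
    "statement": "SELECT id, flight FROM tickets "
                 "WHERE user_email = :user_email AND depart_date = :depart_date",
    "agent_params": {"depart_date": str},      # untrusted, filled by the LLM
    "auth_params": {"user_email": "email"},    # SQL parameter -> token claim
}

def call_tool(tool, agent_args, verified_claims):
    """Run a structured SQL tool. `verified_claims` must come from an OIDC
    token the application already validated (signature, issuer, audience)."""
    # The agent may only supply the parameters declared for it.
    extra = set(agent_args) - set(tool["agent_params"])
    if extra:
        raise PermissionError(f"agent may not set: {sorted(extra)}")
    bound = {}
    for name, typ in tool["agent_params"].items():
        if not isinstance(agent_args.get(name), typ):
            raise TypeError(f"{name} must be {typ.__name__}")
        bound[name] = agent_args[name]
    # Identity comes from the token, never from the model's output.
    for name, claim in tool["auth_params"].items():
        if claim not in verified_claims:
            raise PermissionError(f"missing claim: {claim}")
        bound[name] = verified_claims[claim]
    # Values are bound as data; the statement text itself never changes.
    return DB.execute(tool["statement"], bound).fetchall()

if __name__ == "__main__":
    andy = {"email": "andy@example.com"}
    print(call_tool(LIST_TICKETS, {"depart_date": "2025-01-10"}, andy))
```
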

Notable Quotes

"last month alone, we sent more than 20 million tool calls through MCP" · Kurtis Van Gent · ▶ Watch (1:53)

"LLMs are gullible" · Kurtis Van Gent · ▶ Watch (7:46)

"Simon Willison called this the lethal trifecta" · Kurtis Van Gent · ▶ Watch (8:17)

"with just 20 lines of configuration" · Wenxin Du · ▶ Watch (23:50)

Key Takeaways

  • Google’s MCP Toolbox handled 20 million tool calls last month across 40 databases.
  • Structured SQL tools with pre-written queries prevent injection and eliminate agent SQL errors.
  • Authenticated parameters derived from OIDC tokens keep user identity out of agent control.

About the Speaker(s)

Kurtis Van Gent is an MCP Core Maintainer and leads the MCP Transports Working Group. By day, he leads AI Ecosystems + Integrations for Google Cloud Databases and helped create MCP Toolbox for Databases.

Wenxin Du is a core maintainer of MCP Toolbox for Databases. She delivered the end-to-end implementation of Toolbox’s end-user authorization system and integrated semantic search functionality into Toolbox.