Stop AI Agents From SQL Injecting Your Database

MLOps Community
May 11, 2026

Why It Matters

Without these zero‑trust safeguards, an AI agent with database access is one prompt away from a large data breach; pre‑approved, parameterized SQL tools protect both privacy and operational integrity.

Key Takeaways

  • MCP Toolbox provides secure, pre‑approved SQL tools for AI agents.
  • Runtime agents must use parameterized queries to prevent injection attacks.
  • Confused deputy attacks exploit agents with broad database privileges.
  • Zero‑trust design removes credentials and PII from agent control.
  • Authenticated parameters bind the caller's identity from an OpenID token, so data access is scoped to that user without the agent ever seeing the identity.

Summary

Averi Kitsch, a Google staff software engineer and tech lead for MCP Toolbox for Databases, explained how her team safeguards AI‑driven database access using the toolbox. The framework is a self‑hosted, customizable layer that keeps database credentials out of the agent's hands, handles connection pooling, and integrates with Google Cloud services, letting developers build both control‑plane (admin) tools and runtime tools.

The toolbox now sees more than 20 million MCP tool calls per month against Google Cloud databases, and three usage patterns emerge from that traffic: control‑plane admin tasks, natural‑language‑to‑SQL assistance, and highly constrained structured‑SQL tools built to block injection. The most important guardrails are pre‑approving SQL statements at deploy time, binding only strictly typed parameters, and keeping agent‑derived inputs separate from application‑controlled parameters and credentials.

Kitsch walked through a classic “confused deputy” breach: an agent holding full database rights reads an untrusted ticket comment, is steered into executing a malicious query, and hands every employee's salary back to the requester. Moving connection details into YAML configuration, running only prepared statements with strictly typed parameters, and populating identity parameters from a verified OpenID token rather than from the model let the toolbox enforce a zero‑trust model in which the agent never sees raw credentials, never writes raw SQL, and never touches PII.

For enterprises deploying LLM‑powered agents, adopting these patterns is essential. Pre‑approved, parameter‑only tools remove SQL injection at the tool layer, protect sensitive data, and give the low‑latency, deterministic responses that production workflows need; for the harder analytical questions that such locked‑down tools cannot answer, the Q&A pointed to parameterized secure views as a future path.
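The ticket‑comment attack and the four‑step evolution above, reduced to a runnable script. This is an added example, not MCP Toolbox code: the SemanticTool class, the run_sql and naive_agent_lookup stand‑ins for a fully model‑controlled tool, the sample tables and the HS256 shared‑secret token are all assumptions made so the script runs offline against in‑memory SQLite (the toolbox's own YAML configuration and its OpenID verification are not reproduced here). It shows the same malicious comment leaking salaries through a raw‑SQL tool and becoming inert data once the statement is fixed, the agent's parameter is type‑checked and bound, and the requester's identity comes from a verified token the agent cannot forge.

```python
"""Confused-deputy SQL injection through an agent's database tool, beside the
hardened semantic-tool shape. Added example, not MCP Toolbox code; uses
in-memory SQLite with constructed sample rows."""
import base64
import hashlib
import hmac
import json
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER);
CREATE TABLE tickets (id INTEGER PRIMARY KEY, requester TEXT, comment TEXT);
INSERT INTO employees VALUES (1, 'alice', 180000), (2, 'bob', 95000);
INSERT INTO tickets VALUES (1, 'bob', 'printer on floor 3 is jammed');
""")

# Constructed untrusted content: a comment any requester can type into a ticket.
MALICIOUS_COMMENT = "x' UNION SELECT name, salary FROM employees --"


# ---- Step 1: fully model-controlled tool (raw SQL + full-rights credentials) --
def run_sql(sql: str):
    """The agent hands the tool raw SQL; whatever it was talked into runs."""
    return conn.execute(sql).fetchall()


def naive_agent_lookup(comment: str):
    """A model that string-builds its next query around text it just read."""
    return run_sql(f"SELECT id, comment FROM tickets WHERE comment = '{comment}'")


# ---- Steps 2-3: pre-approved statement, typed agent parameters ---------------
class SemanticTool:
    """Statement fixed at deploy time; the agent supplies only typed values, which
    reach the driver as bound parameters and never become SQL text.
    Placeholder order: agent parameters first, then application parameters."""

    def __init__(self, statement, agent_params, app_params):
        self.statement = statement
        self.agent_params = agent_params   # [(name, python type)], model-filled
        self.app_params = app_params       # [name], application-filled

    def call(self, agent_args: dict, app_args: dict):
        bound = []
        for name, typ in self.agent_params:
            value = agent_args.get(name)
            if type(value) is not typ:     # strict: no coercion of agent input
                raise TypeError(f"{name}: expected {typ.__name__}")
            bound.append(value)
        bound.extend(app_args[name] for name in self.app_params)
        return conn.execute(self.statement, bound).fetchall()


MY_TICKETS = SemanticTool(
    "SELECT id, comment FROM tickets WHERE comment LIKE '%' || ? || '%' AND requester = ?",
    agent_params=[("query", str)],
    app_params=["requester"],
)

# ---- Step 4: authenticated parameter from a verified ID token ----------------
# Assumption for an offline demo: an HS256 token under a shared secret. Real
# OpenID ID tokens are verified against the issuer's published signing keys.
SECRET = b"demo-shared-secret"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_token(sub: str) -> str:
    """What the identity provider issues after the user logs in."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": "https://idp.example", "sub": sub}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def forge_token(token: str, sub: str) -> str:
    """A steered agent rewriting the claims; it cannot rewrite the signature."""
    header, _, sig = token.split(".")
    return f"{header}.{_b64url(json.dumps({'sub': sub}).encode())}.{sig}"


def verified_claims(token: str) -> dict:
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise PermissionError("token signature invalid")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def authenticated_call(tool: SemanticTool, agent_args: dict, id_token: str):
    """The application, not the agent, binds 'requester' from the verified token."""
    return tool.call(agent_args, {"requester": verified_claims(id_token)["sub"]})


def guarded_call(tool, agent_args, id_token):
    """Rows on success, or the name of the guard that refused the call."""
    try:
        return authenticated_call(tool, agent_args, id_token)
    except (TypeError, PermissionError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print("step 1 leaks:", naive_agent_lookup(MALICIOUS_COMMENT))
    bob = mint_token("bob")
    print("step 4, same payload:", authenticated_call(MY_TICKETS, {"query": MALICIOUS_COMMENT}, bob))
    print("step 4, bob's search:", authenticated_call(MY_TICKETS, {"query": "printer"}, bob))
    print("forged identity:", guarded_call(MY_TICKETS, {"query": "printer"}, forge_token(bob, "alice")))
```

Two design points carry the weight. The agent's only input is the `query` string, and a string is all the driver lets it be: `'%' || ? || '%'` is evaluated after parsing, so the UNION payload is compared against comment text rather than executed. The `requester` column is not an agent parameter at all; it is filled from the token's `sub` after the signature check, which is why a tampered token or an attempt to search another user's tickets returns nothing instead of salaries.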

Original Description

Averi Kitsch, Staff Software Engineer at Google and tech lead for MCP Toolbox for Databases (13,500+ GitHub stars, 100+ contributors, 40+ data sources), breaks down what her team has learned from over 20 million MCP tool calls per month against Google Cloud databases — and why most agent setups are one prompt away from leaking your customers' data.
This is a deeply practical talk on AI agent security. Averi walks through Simon Willison's "lethal trifecta" (private data + untrusted content + the ability to communicate back to the user), shows a real confused deputy attack against a ticketing-system agent, and then walks through the 4-step evolution every database tool should go through to reach a zero-trust posture where the agent never sees credentials, never writes raw SQL, and never touches PII.
Topics covered:
- Three patterns of database tools observed at 20M+ requests/month: control plane (admin) tools, natural language to SQL, and structured SQL tools
- Build-time vs runtime tools: why developer-assistance MCP servers dominate today, but runtime production tools have 10x the volume coming
- The lethal trifecta in plain English, and why "your data is only as secure as your agent"
- A real-world confused deputy attack: how a ticket comment can exfiltrate every employee's salary
- Application-controlled vs model-controlled architecture for agent data access
- The three identities every agent system needs to separate: user, application workload identity, and agent
- Agent parameters (untrusted prompt-derived inputs) vs application parameters (factual constraints)
- The 4-step evolution of a secure database tool: from fully model-controlled to configurable sources, to custom semantic tools, to bound and authenticated parameters
- Why prepared statements with strict typing kill SQL injection at the tool layer
- How to attach OpenID tokens to tool calls so the agent never sees user identity
- Q&A: parameterized secure views as a path to letting agents answer the hard analytical questions safely
For platform engineers, application security teams, and anyone shipping MCP servers in front of a production database.
Links and Resources:
- MCP Toolbox for Databases (GitHub): https://github.com/googleapis/genai-toolbox
- MCP Toolbox documentation: https://googleapis.github.io/genai-toolbox/
- Simon Willison on the lethal trifecta: https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
- Model Context Protocol (MCP) spec: https://modelcontextprotocol.io/
- Averi Kitsch on LinkedIn: https://www.linkedin.com/in/averikitsch/
Timestamps (approximate — adjust on upload):
00:00 Intro: Averi Kitsch, Staff Engineer at Google
01:12 MCP Toolbox for Databases: 13.5K stars, 100+ contributors, 40+ data sources
01:44 Self-hosted MCP Toolbox vs Google Cloud's managed MCP service
02:28 Pattern 1: Control plane tools (admin and DBA automation)
03:03 Pattern 2: Natural language to SQL for developer assistance and analytical agents
04:20 Pattern 3: Structured SQL tools (the most-called pattern at scale)
04:58 Build-time tools vs runtime tools
05:22 Why runtime tools must be highly constrained, deterministic, and low-latency
06:11 The 20 million tool calls per month stat and why runtime has 10x the volume coming
07:08 Simon Willison's lethal trifecta: the three ingredients of every agent data breach
07:52 Confused deputy attack: how a ticket comment exfiltrates employee salaries
08:25 Application-controlled vs model-controlled architecture
09:00 The three identities: user, application workload, and agent
09:39 Agent parameters vs application parameters
09:59 Evolution Step 1: Fully model-controlled tool (raw SQL plus credentials = disaster)
11:01 Evolution Step 2: Configurable sources via YAML, credentials hidden from the agent
11:30 Evolution Step 3: Custom semantic tools with pre-approved SQL and typed parameters
12:44 Evolution Step 4: Bound parameters and authenticated parameters via OpenID tokens
14:11 Recap and where to learn more
14:28 Q&A: how do you still answer the hard analytical questions if you lock everything down?
15:19 Parameterized secure views as a future path
#MCP #AIAgents #DatabaseSecurity
