duckdb_mcp

The server-side functionality, if exposed over a network (e.g., TCP, HTTP, WebSocket - though not fully implemented in provided source), defaults to *no authentication*, posing a critical security risk. Custom tools built with `mcp_publish_tool` use naive string substitution for parameters, which is a **SQL injection vulnerability** if the SQL template is not carefully constructed with proper quoting (e.g., `WHERE col = ''$param''` for strings). The `execute` tool, allowing DDL/DML, is safely disabled by default. Client-side `ATTACH` commands are secured by a robust command allowlisting mechanism (`allowed_mcp_commands`) which prevents arbitrary executable paths and unsafe arguments, and becomes immutable after initial configuration, making client usage generally safer.