Your AI agent just ran DELETE FROM users without a WHERE clause. It was trying to remove a single test account, hallucinated the query, and wiped your entire users table. No confirmation prompt, no rollback, no undo. Production is down and your backup is from last Tuesday.

This is not a contrived scenario. The PostgreSQL MCP server gives AI agents exactly one tool — and that one tool is enough to destroy everything.

One tool, infinite power

Most MCP servers expose a handful of scoped tools. The PostgreSQL server exposes just one: query. It executes raw SQL against your connected database. That means SELECT, INSERT, UPDATE, DELETE, DROP TABLE, ALTER, TRUNCATE — whatever the database user has permission to run.

The server's README describes the tool as executing "read-only SQL queries." In practice, nothing in the MCP layer enforces that. If the database connection has write permissions — and it usually does — the agent can write. Or delete. Or drop.