Analyzes a SQL query and produces visualization metadata. Args: conn_id: Connection ID previously obtained from the connect tool sql_query: The SQL query to analyze Returns: JSON metadata about the query results structure
AI agents call pg_metadata to retrieve information from Pg without modifying anything — typically the context-gathering step in research, monitoring, and reporting workflows, before the agent takes action elsewhere.
pg_metadata is a read-only analysis tool that examines query structure and returns metadata for visualization purposes. It does not execute queries, modify data, delete data, or trigger external operations. The most severe risk is information disclosure about schema structure, which is low impact. Confidence is high because the description clearly indicates analysis and metadata production only.
From the tool's definition Tool analyzes a SQL query and produces visualization metadata, returning JSON metadata about query results structure. No modification, deletion, or execution of actual queries—purely analytical/introspective.
Documented attack patterns abuse exactly the kind of access pg_metadata gives an agent:
PolicyLayer is an MCP gateway — it sits between your AI agents and Pg, and nothing reaches the server without passing your rules. This is the rule we recommend for pg_metadata:
{
"version": "1",
"default": "deny",
"tools": {
"pg_metadata": {}
}
}pg_metadata is read-only, so it stays allowed — but everything else on the server is denied unless you say otherwise.
Free to start. No card required.
Analyzes a SQL query and produces visualization metadata. Args: conn_id: Connection ID previously obtained from the connect tool sql_query: The SQL query to analyze Returns: JSON metadata about the query results structure. It is categorised as a Read tool in the Pg MCP Server, which means it retrieves data without modifying state.
Register the Pg MCP server in PolicyLayer and add a rule for pg_metadata: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Pg. Nothing to install.
pg_metadata is a Read tool with low risk. Read-only tools are generally safe to allow by default.
Yes. Add a rate_limit block to the pg_metadata rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for pg_metadata. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
pg_metadata is provided by the Pg MCP server (stuzero/pg-mcp-server). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Deterministic rules across all 5 Pg tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.
Free to start. No card required.
5 Pg tools catalogued and risk-classified — across an index of 42,500+ MCP servers.