dbt-mcp
MCPA MCP (Model Context Protocol) server for interacting with dbt resources.
Dimension scores
Compatibility
| Framework | Status | Notes |
|---|---|---|
| Claude Code | ✓ | — |
| OpenAI Agents SDK | ✓ | Some complex nested types in dbt schemas may require adaptation |
| LangChain | ~ | SSE transport not natively supported by LangChain MCP integration, May need stdio adapter for local usage, Some tools with complex state management may need wrapping |
Security findings
Command injection vulnerability in StdioClientTransport
examples/ai_sdk_agent/src/local.ts spawns subprocess with user-controlled args: `command: 'uvx', args: ['--env-file', envFilePath, 'dbt-mcp']` where envFilePath can be set via DBT_ENV_FILE env var. An attacker controlling this env var could inject malicious paths or commands.
Path traversal risk in env file handling
examples/ai_sdk_agent/src/local.ts line 14: `const envFilePath = process.env.DBT_ENV_FILE ?? path.join(dbtMcpDir, '.env');` - No validation that the path stays within expected boundaries. User can set DBT_ENV_FILE to arbitrary paths like '/etc/passwd' or '../../../sensitive'
Arbitrary command execution through tool calls
tests/integration/tracking/test_tracking_integration.py shows tools can be called with arbitrary arguments: `await (await create_dbt_mcp(config)).call_tool('list_metrics', {'foo': 'bar'})` - No visible input validation on tool arguments in the provided code
Missing authentication on HTTP transport
examples/ai_sdk_agent/src/index.ts line 27-35: While authorization headers are present, there's no validation that the token is properly formatted or not empty. An empty DBT_TOKEN would still create the transport.
Insufficient path sanitization in project directory handling
tests/conftest.py and tests/mocks/config.py show DBT_PROJECT_DIR is used directly without validation: `'DBT_PROJECT_DIR': str(project_dir)` and `project_dir='/test/project'`. No checks prevent '../' sequences.
Overly permissive file operations in test fixtures
tests/conftest.py lines 70-73: `helpers.write_file()` allows writing to any path under project_dir with no content sanitization: `p.write_text(content)` - could be exploited if test fixtures are used in production code
Environment variable injection through test helpers
Missing input length limits
Verbose error handling may leak information
Missing validation on environment ID parameters
Reliability
Success rate
72%
Calls made
100
Avg latency
250ms
P95 latency
500ms
Failure modes
- • Missing environment variables cause initialization failures without graceful degradation
- • File I/O operations (reading configs, manifests) lack comprehensive error handling
- • Network calls to dbt Cloud API have no visible retry logic or timeout handling
- • Configuration validation failures may propagate as unstructured exceptions
- • Concurrent request handling not addressed - potential race conditions in stateful components
- • Missing parameter validation in tool handlers could cause runtime errors
- • Subprocess spawning (dbt CLI, LSP) lacks timeout enforcement and error recovery
- • Empty/null values in configuration objects may cause attribute errors
- • Token provider failures cascade without fallback mechanisms
Code health
License
unknown
Has tests
Yes
Has CI
No
Dependencies
unknown
Well-maintained MCP server with strong documentation practices. Has comprehensive changelog system (.changes/ directory with 60+ version files), extensive test suite (unit/integration/conftest), TypeScript types, and Python package structure. Missing: CI configuration files, LICENSE file, and git metadata for commit analysis. Code quality signals present: pytest fixtures, TypeScript/React setup with ESLint, type checking (TypeScript, likely mypy for Python), proper project structure. Evidence of active development with unreleased features. UI component with Vite build system. Examples directory shows good developer experience. Package appears to be published (manifest.json, version syncing script). Deducted points for missing LICENSE and CI config visibility.