PostgreSQL Read-Only Query Skill

← Back to skills

- Use when querying PostgreSQL databases and access must stay strictly read-only - Use when exploring schemas, tables, and data across multiple configured connections - Use when you want defense-in-depth protection against accidental INSERT/UPDATE/DELETE or DDL

Category: Backend & Cloud
Repo: antigravity-awesome-skills
Path: skills/postgres-readonly-queries/SKILL.md
Updated: 7/12/2026, 11:41:17 PM

AI Summary

- Use when querying PostgreSQL databases and access must stay strictly read-only - Use when exploring schemas, tables, and data across multiple configured connections - Use when you want defense-in-depth protection against accidental INSERT/UPDATE/DELETE or DDL. It is useful for API design, databases, authentication, cloud deployment, and serverless. Source: antigravity-awesome-skills (skills/postgres-readonly-queries/SKILL.md).

PostgreSQL Read-Only Query Skill

When to Use

  • Use when querying PostgreSQL databases and access must stay strictly read-only
  • Use when exploring schemas, tables, and data across multiple configured connections
  • Use when you want defense-in-depth protection against accidental INSERT/UPDATE/DELETE or DDL

Execute safe, read-only queries against configured PostgreSQL databases.

Requirements

  • Python 3.8+
  • psycopg2-binary: pip install -r requirements.txt

Setup

Create connections.json in the skill directory or ~/.config/claude/postgres-connections.json.

Security: Set file permissions to 600 since it contains credentials:

chmod 600 connections.json
{
  "databases": [
    {
      "name": "production",
      "description": "Main app database - users, orders, transactions",
      "host": "db.example.com",
      "port": 5432,
      "database": "app_prod",
      "user": "readonly_user",
      "password": "your-password",
      "sslmode": "require"
    }
  ]
}

Config Fields

FieldRequiredDescription
nameYesIdentifier for the database (case-insensitive)
descriptionYesWhat data this database contains (used for auto-selection)
hostYesDatabase hostname
portNoPort number (default: 5432)
databaseYesDatabase name
userYesUsername
passwordYesPassword
sslmodeNoSSL mode: disable, allow, prefer (default), require, verify-ca, verify-full

Usage

List configured databases

python3 scripts/query.py --list

Query a database

python3 scripts/query.py --db production --query "SELECT * FROM users LIMIT 10"

List tables

python3 scripts/query.py --db production --tables

Show schema

python3 scripts/query.py --db production --schema

Limit results

python3 scripts/query.py --db production --query "SELECT * FROM orders" --limit 100

Database Selection

Match user intent to database description:

User asks aboutLook for description containing
users, accountsusers, accounts, customers
orders, salesorders, transactions, sales
analytics, metricsanalytics, metrics, reports
logs, eventslogs, events, audit

If unclear, run --list and ask user which database.

Safety Features

  • Read-only session: Connection uses PostgreSQL readonly=True mode (primary protection)
  • Query validation: Only SELECT, SHOW, EXPLAIN, WITH queries allowed
  • Single statement: Multiple statements per query rejected
  • SSL support: Configurable SSL mode for encrypted connections
  • Query timeout: 30-second statement timeout enforced
  • Memory protection: Max 10,000 rows per query to prevent OOM
  • Column width cap: 100 char max per column for readable output
  • Credential sanitization: Error messages don't leak passwords

Troubleshooting

ErrorSolution
Config not foundCreate connections.json in skill directory
Authentication failedCheck username/password in config
Connection timeoutVerify host/port, check firewall/VPN
SSL errorTry "sslmode": "disable" for local databases
Permission warningRun chmod 600 connections.json

Exit Codes

  • 0: Success
  • 1: Error (config missing, auth failed, invalid query, database error)

Workflow

  1. Run --list to show available databases
  2. Match user intent to database description
  3. Run --tables or --schema to explore structure
  4. Execute query with appropriate LIMIT

Limitations

  • Read-only protections reduce accidental writes but cannot override database-server policy, triggers, extensions, or an over-privileged account. Use a database role with read-only permissions as the primary control.
  • Query results can contain personal, confidential, or regulated data. Confirm the intended database and avoid exporting or sharing results without explicit authorization.
  • The script is not a replacement for backups, auditing, access reviews, or production change controls.

Related skills