Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

altinity/altinity-expert-clickhouse-grants

Name: altinity-expert-clickhouse-grants
Author: altinity

altinity-expert-clickhouse/skills/altinity-expert-clickhouse-grants/SKILL.md

npx skillsauth add altinity/skills altinity-expert-clickhouse-grants

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Diagnostics

Run all queries from checks.sql in this skill's directory and analyze the results.

Propose Minimal Grants

Provide the smallest set of GRANT statements that match observed needed_grant values. Prefer role-based grants when the user already uses roles.

Example pattern:

-- Direct grants
GRANT SELECT ON system.processes TO user_x;
GRANT SELECT ON INFORMATION_SCHEMA.COLUMNS TO svc_y;
GRANT CLUSTER ON *.* TO svc_z;

-- Role-based grants (preferred)
GRANT SELECT ON system.processes TO role_analytics;
GRANT role_analytics TO user_x;

Scope to the narrowest object that resolves the error: db.table (or a column list) over db.*, and db.* over *.*.

Security-sensitive grants — scope tightly

Some privileges are exfiltration / SSRF / privilege-escalation surfaces. If the failing query needs one, grant the narrowest form and to a role, never broadly on *.*:

SOURCES / S3 / URL / FILE / REMOTE (and READ/WRITE on 25.7+) — external read/write; broad grants enable data exfiltration and SSRF. Grant the specific source needed, not the SOURCES umbrella.
SYSTEM, INTROSPECTION — operational/internal exposure; scope to the specific subcommand.
ACCESS MANAGEMENT, WITH GRANT OPTION, displaySecretsInShowAndSelect, NAMED COLLECTION ADMIN, ALLOW SQL SECURITY NONE, IMPERSONATE — privilege-escalation/secret-exposure; do not grant these to fix a routine ACCESS_DENIED without explicit justification.

A grant that resolves an error but is broader than needed becomes a future audit finding — see the altinity-expert-clickhouse-security skill.

Post-Upgrade Compatibility Checks

Verify access_control_improvements settings, which can change privilege requirements:

select_from_system_db_requires_grant
select_from_information_schema_requires_grant
on_cluster_queries_require_cluster_grant

If these are enabled post-upgrade, users may require new explicit grants for system.*, INFORMATION_SCHEMA.*, or CLUSTER. The same access_control_improvements flags (plus the version-gated source/engine/definer changes) are covered from the audit side in altinity-expert-clickhouse-security → references/14-version-specific-security-checks.md; keep the two in sync.

Related skills

This is the reactive remediation skill — it makes a legitimately-blocked operation work with the minimal grant. Its counterpart is altinity-expert-clickhouse-security, the proactive read-only audit skill: use that to review who has too much access, find exfiltration paths, weak auth, and exposure. Fixing an error here → grant minimally; reviewing posture → use security.

altinity/altinity-expert-clickhouse-grants

altinity-expert-clickhouse/skills/altinity-expert-clickhouse-grants/SKILL.md

Diagnose and resolve ClickHouse grant and authentication errors, especially after upgrades. Use when queries fail with ACCESS_DENIED/NOT_ENOUGH_PRIVILEGES, AUTHENTICATION_FAILED/WRONG_PASSWORD/REQUIRED_PASSWORD, or ON CLUSTER privilege errors; when system.* or INFORMATION_SCHEMA access is denied; or when grant behavior changes after version upgrades.

10 stars

tools

Updated Jun 4, 2026

$ install --global

skillsauth

npx skillsauth add altinity/skills altinity-expert-clickhouse-grants

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Jun 4, 2026, 5:01 AM260.4s1 file scanned

SKILL.md

name:: altinity-expert-clickhouse-grants
description:: Diagnose and resolve ClickHouse grant and authentication errors, especially after upgrades. Use when queries fail with ACCESS_DENIED/NOT_ENOUGH_PRIVILEGES, AUTHENTICATION_FAILED/WRONG_PASSWORD/REQUIRED_PASSWORD, or ON CLUSTER privilege errors; when system.* or INFORMATION_SCHEMA access is denied; or when grant behavior changes after version upgrades.
license:: Apache-2.0

Diagnostics

Run all queries from checks.sql in this skill's directory and analyze the results.

Propose Minimal Grants

Provide the smallest set of GRANT statements that match observed needed_grant values. Prefer role-based grants when the user already uses roles.

Example pattern:

-- Direct grants
GRANT SELECT ON system.processes TO user_x;
GRANT SELECT ON INFORMATION_SCHEMA.COLUMNS TO svc_y;
GRANT CLUSTER ON *.* TO svc_z;

-- Role-based grants (preferred)
GRANT SELECT ON system.processes TO role_analytics;
GRANT role_analytics TO user_x;

Scope to the narrowest object that resolves the error: db.table (or a column list) over db.*, and db.* over *.*.

Security-sensitive grants — scope tightly

Some privileges are exfiltration / SSRF / privilege-escalation surfaces. If the failing query needs one, grant the narrowest form and to a role, never broadly on *.*:

SOURCES / S3 / URL / FILE / REMOTE (and READ/WRITE on 25.7+) — external read/write; broad grants enable data exfiltration and SSRF. Grant the specific source needed, not the SOURCES umbrella.
SYSTEM, INTROSPECTION — operational/internal exposure; scope to the specific subcommand.
ACCESS MANAGEMENT, WITH GRANT OPTION, displaySecretsInShowAndSelect, NAMED COLLECTION ADMIN, ALLOW SQL SECURITY NONE, IMPERSONATE — privilege-escalation/secret-exposure; do not grant these to fix a routine ACCESS_DENIED without explicit justification.

A grant that resolves an error but is broader than needed becomes a future audit finding — see the altinity-expert-clickhouse-security skill.

Post-Upgrade Compatibility Checks

Verify access_control_improvements settings, which can change privilege requirements:

select_from_system_db_requires_grant
select_from_information_schema_requires_grant
on_cluster_queries_require_cluster_grant

Related skills

Related Skills

altinity/altinity-expert-clickhouse-security

tools

VerifiedTrustedCommunity

Read-only ClickHouse security audit expert for live or exported systems. Use when assessing ClickHouse security posture, reviewing users, roles, grants, settings profiles, row policies, table functions, external sources, table engines, executable UDFs, audit logs, named collections, password hash hygiene, SQL SECURITY DEFINER, impersonation, TLS/network exposure, Keeper/interserver security, encryption at rest, backups, the HTTP interface surface, cluster security, or version-specific ClickHouse security behavior. Diagnoses from SQL/system tables, supplied configuration files, query logs, access metadata, and ClickHouse/Altinity documentation.

10SKILL.mdUpdated Jun 4, 2026

altinity/altinity-expert-clickhouse-security

altinity/altinity-profiler-clickhouse

tools

VerifiedTrustedCommunity

Profile a ClickHouse cluster via MCP and emit a per-cluster "analyst" Skill the user can save in claude.ai. Activate when the user asks to "profile this ClickHouse", "generate an analyst skill", "build a schema guide", "map the data in this cluster", or regenerate an existing cluster-analyst Skill after schema changes. Works against any ClickHouse with read-only SELECT/SHOW/DESCRIBE access via an `execute_query` MCP tool (e.g. the Altinity MCP server). Outputs a 5-file markdown bundle plus a README.

9SKILL.mdUpdated May 11, 2026

altinity/altinity-profiler-clickhouse

altinity/altinity-expert-clickhouse-storage

tools

VerifiedTrustedCommunity

Diagnose ClickHouse disk usage, compression efficiency, part sizes, and storage bottlenecks. Use for disk space issues and slow IO.

9SKILL.mdUpdated May 11, 2026

altinity/altinity-expert-clickhouse-storage

altinity/altinity-expert-clickhouse-schema

tools

VerifiedTrustedCommunity

Analyze ClickHouse table structure, partitioning, ORDER BY keys, materialized views, and identify schema design anti-patterns. Use for table design issues and optimization.

9SKILL.mdUpdated May 11, 2026

altinity/altinity-expert-clickhouse-schema

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/altinity/skills.git

# Copy into Claude Code skills folder (global)
cp -r skills/altinity-expert-clickhouse/skills/altinity-expert-clickhouse-grants ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

altinity/skills

10 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT