motherduck-security-governance
Security and Governance
Use this skill when the user is evaluating whether MotherDuck can meet their security, governance, and deployment requirements. This is a workflow skill focused on control boundaries and safe patterns.
Source Of Truth
- Prefer current MotherDuck public trust, security, pricing, and product documentation.
- If the MotherDuck MCP
ask_docs_questionfeature is available, use it first. - Use current SSO and data-recovery docs when the requirement involves identity-provider login, restore windows, named snapshots, or
UNDROP DATABASE. - Verify claims against live public materials before making compliance or commercial assertions.
Default Posture
- Prefer service accounts for production systems, not personal tokens.
- Keep credentials in backend-controlled secrets, not browsers or hardcoded notebooks.
- Prefer structural isolation over query-time tenant filtering for serious B2B or CFA workloads.
- Treat region and residency as first-class architectural constraints that require current public confirmation.
- Be explicit about whether the boundary is a share, a Dive, a database, or a full application.
- Separate documented product guarantees from architectural recommendations and assumptions in the final answer.
Workflow
- Identify where credentials live and who administers them.
- Define the actual isolation boundary: account, database, schema, or query filter.
- Determine who can read, write, share, or administer the data.
- Check whether residency, compliance, or contractual guarantees are part of the requirement.
- Use only publicly documented security anchors unless the user has current commercial documentation in hand.
Open Next
references/SECURITY_GOVERNANCE_PLAYBOOK.mdfor public security anchors, service-account posture, residency framing, sharing boundaries, and what not to overstate
Related Skills
motherduck-connectfor secure token handling and endpoint selectionmotherduck-explorewhen governance depends on what data is actually present and how it is partitionedmotherduck-share-datawhen the design includes governed data distribution
More from motherduckdb/agent-skills
motherduck-query
Execute DuckDB SQL queries against MotherDuck databases. Use when running analytics, aggregations, transformations, or any SQL operation. Covers query best practices, CTEs, window functions, QUALIFY, and performance optimization.
44motherduck-build-data-pipeline
Design an end-to-end MotherDuck pipeline. Use when choosing raw, staging, and analytics boundaries, bulk ingestion paths, transformation sequencing, publication targets, or whether DuckLake is actually required.
44motherduck-pricing-roi
Explain MotherDuck pricing and ROI tradeoffs. Use when an economic_buyer, technical_owner, or analytics_lead is asking about spend, budget guardrails, workload cost drivers, plan fit, or whether MotherDuck is worth adopting.
44motherduck-ducklake
Decide when DuckLake is the right MotherDuck storage pattern. Use when evaluating fully managed DuckLake, BYOB, own-compute DuckLake access, data inlining, object-storage layout, or file-aware maintenance instead of native MotherDuck storage.
44motherduck-create-dive
Create, edit, manage, share, or embed MotherDuck Dives. Use when the work involves Dive authoring, live React + SQL components, MCP get_dive_guide, useSQLQuery, local preview, version history, Dives-as-code, required resources, team sharing, or embedded Dive sessions.
44motherduck-share-data
Create and manage MotherDuck data shares for zero-copy data distribution. Use when sharing databases with team members, other organizations, or making data publicly available.
44