Skip to main content

Overview

This tool is used to convert natural language to SQL queries. When passed to the agent it will generate queries and then use them to interact with the database. This enables multiple workflows like having an Agent to access the database fetch information based on the goal and then use the information to generate a response, report or any other output. Along with that provides the ability for the Agent to update the database based on its goal. Attention: By default the tool is read-only (SELECT/SHOW/DESCRIBE/EXPLAIN only). Write operations require allow_dml=True or the CREWAI_NL2SQL_ALLOW_DML=true environment variable. When write access is enabled, make sure the Agent uses a scoped database user or a read replica where possible.

Security Model

NL2SQLTool is an execution-capable tool. It runs model-generated SQL directly against the configured database connection. This means risk depends on your deployment choices:
  • Which credentials you provide in db_uri
  • Whether untrusted input can influence prompts
  • Whether you add tool-call guardrails before execution
If you route untrusted input to agents using this tool, treat it as a high-risk integration.

Hardening Recommendations

Use all of the following in production:
  • Use a read-only database user whenever possible
  • Prefer a read replica for analytics/retrieval workloads
  • Grant least privilege (no superuser/admin roles, no file/system-level capabilities)
  • Apply database-side resource limits (statement timeout, lock timeout, cost/row limits)
  • Add before_tool_call hooks to enforce allowed query patterns
  • Enable query logging and alerting for destructive statements

Read-Only Mode & DML Configuration

NL2SQLTool operates in read-only mode by default. Only the following statement types are permitted without additional configuration:
  • SELECT
  • SHOW
  • DESCRIBE
  • EXPLAIN
Any attempt to execute a write operation (INSERT, UPDATE, DELETE, DROP, CREATE, ALTER, TRUNCATE, etc.) will raise an error unless DML is explicitly enabled. Multi-statement queries containing semicolons (e.g. SELECT 1; DROP TABLE users) are also blocked in read-only mode to prevent injection attacks.

Enabling Write Operations

You can enable DML (Data Manipulation Language) in two ways: Option 1 — constructor parameter: 
from crewai_tools import NL2SQLTool

nl2sql = NL2SQLTool(
    db_uri="postgresql://example@localhost:5432/test_db",
    allow_dml=True,
)
Option 2 — environment variable: 
CREWAI_NL2SQL_ALLOW_DML=true

from crewai_tools import NL2SQLTool

# DML enabled via environment variable
nl2sql = NL2SQLTool(db_uri="postgresql://example@localhost:5432/test_db")

Usage Examples

Read-only (default) — safe for analytics and reporting: 
from crewai_tools import NL2SQLTool

# Only SELECT/SHOW/DESCRIBE/EXPLAIN are permitted
nl2sql = NL2SQLTool(db_uri="postgresql://example@localhost:5432/test_db")
DML enabled — required for write workloads: 
from crewai_tools import NL2SQLTool

# INSERT, UPDATE, DELETE, DROP, etc. are permitted
nl2sql = NL2SQLTool(
    db_uri="postgresql://example@localhost:5432/test_db",
    allow_dml=True,
)
Enabling DML gives the agent the ability to modify or destroy data. Only enable this when your use case explicitly requires write access, and ensure the database credentials are scoped to the minimum required privileges.

Requirements

  • SqlAlchemy
  • Any DB compatible library (e.g. psycopg2, mysql-connector-python)

Installation

Install the crewai_tools package 
pip install 'crewai[tools]'

Usage

In order to use the NL2SQLTool, you need to pass the database URI to the tool. The URI should be in the format dialect+driver://username:password@host:port/database.
Code
from crewai_tools import NL2SQLTool

# psycopg2 was installed to run this example with PostgreSQL
nl2sql = NL2SQLTool(db_uri="postgresql://example@localhost:5432/test_db")

@agent
def researcher(self) -> Agent:
    return Agent(
        config=self.agents_config["researcher"],
        allow_delegation=False,
        tools=[nl2sql]
    )

Example

The primary task goal was: “Retrieve the average, maximum, and minimum monthly revenue for each city, but only include cities that have more than one user. Also, count the number of user in each city and sort the results by the average monthly revenue in descending order” So the Agent tried to get information from the DB, the first one is wrong so the Agent tries again and gets the correct information and passes to the next agent. alt text alt text The second task goal was: “Review the data and create a detailed report, and then create the table on the database with the fields based on the data provided. Include information on the average, maximum, and minimum monthly revenue for each city, but only include cities that have more than one user. Also, count the number of users in each city and sort the results by the average monthly revenue in descending order.” Now things start to get interesting, the Agent generates the SQL query to not only create the table but also insert the data into the table. And in the end the Agent still returns the final report which is exactly what was in the database. alt text alt text alt text alt text This is a simple example of how the NL2SQLTool can be used to interact with the database and generate reports based on the data in the database. The Tool provides endless possibilities on the logic of the Agent and how it can interact with the database. 
 DB -> Agent -> ... -> Agent -> DB