| name | mongodb-atlas-cli |
| description | Comprehensive MongoDB Atlas + mongosh skill for performance auditing, all index types (b-tree/text/2dsphere/hashed/TTL/partial/wildcard/Atlas-Search/Vector-Search), Performance Advisor analysis, query explain, schema advice, backup status, alerts, week-over-week diffs, and additive index creation. Read-only by default; create-index ops gated behind explicit `--confirm`. Hard-blocks any destructive op (delete, drop, restore, pause, terminate, kill, dbuser write, network change). Works against Atlas Cloud (full feature set) and self-hosted/local mongo (mongosh-based subset). |
MongoDB Atlas CLI Skill
Comprehensive coverage of MongoDB Atlas operations w/ strict safety guarantees. Optimized for the loop: read Performance Advisor → review suggestions → create the right indexes safely. Never destructive.
When to Use
Invoke when the user wants to:
- Connect to Atlas, list clusters/processes/projects
- Pull Performance Advisor output (slow queries, suggested indexes, schema advice, drop hints)
- Read cluster/process/database metrics, alerts, backup status
- List existing indexes w/ live access counts (mongosh-based)
- Explain a query (find or aggregate)
- Create indexes — single, compound, TTL, sparse, partial, unique, geospatial, hashed, Atlas Search, Vector Search
- Diff two audits week-over-week
- Audit overall cluster performance
- Diagnose slow queries before code changes
Do NOT use for any destructive op. Direct CRUD against data is also out of scope (use mongosh directly or the official MongoDB MCP server — see Integration).
Hard Safety Boundaries
| Category | Op | Action |
|---|
| Read | clusters/processes/metrics/logs/projects | Allowed, no confirm |
| Read | performanceAdvisor (all subcmds) | Allowed, no confirm |
| Read | api performanceAdvisor list* | Allowed, no confirm |
| Read | alerts/events/backups list, dbusers list | Allowed, no confirm |
| Read | clusters search indexes list | Allowed, no confirm |
| Read | mongosh: getIndexes, $indexStats, .explain(), getProfilingStatus | Allowed, no confirm |
| Write (additive) | clusters indexes create | Requires --confirm + dry-run + duplicate pre-flight |
| Write (additive) | clusters search indexes create | Requires --confirm + dry-run |
| Destructive | delete, drop, terminate, pause, restore, kill, force | REFUSE — never run, even w/ user request |
| Destructive | dbusers create/update/delete | REFUSE — auth changes can lock prod |
| Destructive | networking * writes, accessLists delete | REFUSE — can sever connectivity |
| Destructive | backups restore / snapshot delete | REFUSE — overwrites data |
| Destructive | clusters indexes delete | REFUSE — even if advisor suggests dropping; only INFORM the user |
If user asks to drop an index based on listDropIndexSuggestions, surface the suggestion and tell them to do it manually in mongosh / Atlas UI. Never run it.
Local Mongo vs. Atlas Cloud
This skill works against both, but coverage differs. Performance Advisor, metrics, backups, alerts, Atlas Search are cloud-only. mongosh-based scripts (list_indexes, explain_query, profiler_status) work everywhere. Full matrix in references/local-vs-atlas.md.
For local self-hosted mongo, safe_index_create.py --print-mongosh outputs the equivalent createIndex() snippet you can run directly in mongosh.
Prerequisites
Install
brew install mongodb-atlas
docker pull mongodb/atlas
alias atlas='docker run --rm -it -v ~/.config/atlas:/root/.config/atlas mongodb/atlas atlas'
atlas --version && mongosh --version
validate_env.py --install auto-installs via brew on macOS.
Authenticate (Atlas Admin API)
Pick one (priority order):
export MONGODB_ATLAS_CLIENT_ID=<client_id>
export MONGODB_ATLAS_CLIENT_SECRET=<client_secret>
export MONGODB_ATLAS_PUBLIC_API_KEY=<public_key>
export MONGODB_ATLAS_PRIVATE_API_KEY=<private_key>
export MONGODB_ATLAS_PROJECT_ID=<24-hex-project-id>
atlas config init
atlas auth login
API key role: Project Read Only for reads, Project Data Access Admin for index creation. Get keys: Atlas UI → Project Settings → Access Manager → API Keys.
Authenticate (mongosh-based scripts)
For list_indexes.py, explain_query.py, profiler_status.py, safe_index_create.py pre-flight:
export MONGODB_CONNECTION_STRING="mongodb+srv://<host>.mongodb.net/?authSource=admin"
export MONGODB_USERNAME="<atlas-db-user>"
export MONGODB_PASSWORD="<password>"
DB user is separate from API key — Atlas UI → Database Access → ADD NEW DATABASE USER. See references/mongosh-integration.md.
Validate
python3 .claude/skills/mongodb-atlas-cli/scripts/validate_env.py
Script Index
Atlas Admin API (read-only, no DB credentials needed)
| Script | Task |
|---|
validate_env.py | Check CLI install + auth + project access |
performance_audit.py | Full read-only audit (orchestrator) |
namespaces.py | Performance Advisor → list hot namespaces (entry point) |
suggest_indexes.py | Performance Advisor → suggested new indexes |
slow_queries.py | Performance Advisor → slow query log lines |
schema_advice.py | Performance Advisor → schema anti-pattern recommendations |
drop_index_hints.py | Performance Advisor → redundant/hidden/unused indexes (advisory) |
cluster_health.py | Process metrics (CPU/mem/conn/op counters/query targeting) — parallel fetches |
alerts.py | Active Atlas alerts |
backup_status.py | Snapshot list + freshness check |
events.py | Project events / audit log |
atlas_search_list.py | List Atlas Search & Vector Search indexes |
audit_diff.py | Compare two audit JSON snapshots — week-over-week diff |
Atlas Admin API (additive write — gated by --confirm)
| Script | Task |
|---|
safe_index_create.py | Create normal index — single/compound/TTL/sparse/partial/unique/2dsphere/hashed |
atlas_search_create.py | Create Atlas Search OR Vector Search index |
mongosh-based (works on local + Atlas — needs DB user creds)
| Script | Task |
|---|
list_indexes.py | List indexes per coll/db w/ live access counts & sizes — parallel per coll |
explain_query.py | Run .explain() on find or aggregate query |
profiler_status.py | DB profiler level + recent slow ops captured |
index_build_status.py | Poll in-progress index builds via db.currentOp() |
All mongosh scripts validate db/collection identifiers before interpolating into JS to prevent injection. Passwords passed via stdin (not argv) to avoid /proc/<pid>/cmdline exposure on Linux.
Pure local
| Script | Task |
|---|
audit_diff.py | Compare audits week-over-week (no Atlas calls) |
safe_index_create.py --print-mongosh | Print mongosh createIndex() snippet for local use |
All scripts default to dry-run/read-only. Mutations need explicit --confirm.
Common Workflows
1. Optimize from advisor → index
python3 scripts/performance_audit.py --cluster <C> --hours 168
python3 scripts/list_indexes.py --db <DB> --collection <COLL>
python3 scripts/explain_query.py --db <DB> --collection <COLL> --filter '{...}'
python3 scripts/safe_index_create.py --cluster <C> --db <DB> --collection <COLL> \
--key field:1 --name idx_field
python3 scripts/safe_index_create.py --cluster <C> --db <DB> --collection <COLL> \
--key field:1 --name idx_field --confirm
python3 scripts/performance_audit.py --cluster <C>
2. Atlas Search for case-insensitive regex queries
When schema advice flags OPTIMIZE_CASE_INSENSITIVE_REGEX_QUERIES:
python3 scripts/atlas_search_list.py --cluster <C> --db <DB> --collection <COLL>
python3 scripts/atlas_search_create.py --init-template search > search.json
python3 scripts/atlas_search_create.py --cluster <C> --db <DB> --collection <COLL> \
--name <coll>_text --file search.json
python3 scripts/atlas_search_create.py --cluster <C> --db <DB> --collection <COLL> \
--name <coll>_text --file search.json --confirm
3. Vector Search for AI / RAG
python3 scripts/atlas_search_create.py --init-template vector > vec.json
python3 scripts/atlas_search_create.py --cluster <C> --db <DB> --collection <COLL> \
--name <coll>_vec --file vec.json --type vectorSearch --confirm
4. Drop redundant indexes (manually — skill won't drop)
python3 scripts/drop_index_hints.py --cluster <C>
python3 scripts/list_indexes.py --db <DB> --collection <COLL>
python3 scripts/explain_query.py --db <DB> --collection <COLL> \
--filter '{<typical_filter>}'
mongosh ... --eval 'db.runCommand({collMod: "<COLL>", index: {name: "<NAME>", hidden: true}})'
5. Weekly automation
python3 scripts/performance_audit.py --cluster <C> --hours 168 --json > audits/$(date +%F).json
python3 scripts/audit_diff.py audits/<old>.json audits/<new>.json --markdown > diff.md
6. Health checks (read-only, run anytime)
python3 scripts/cluster_health.py --cluster <C>
python3 scripts/backup_status.py --cluster <C>
python3 scripts/alerts.py --status OPEN
Index Types Supported
safe_index_create.py covers every standard MongoDB index type:
| Type | Flag combination | Atlas-only? |
|---|
| Single-field | --key field:1 | no |
| Compound | --key f1:1 --key f2:-1 ... | no |
| TTL | --key created_at:1 --ttl-seconds N | no |
| Sparse | --sparse | no |
| Partial | --partial-filter pf.json | no |
| Unique | --unique | no |
| Combined (e.g. unique + partial) | --unique --partial-filter pf.json | no |
| Geospatial 2dsphere | --key location:2dsphere | no |
| Hashed (sharding) | --key user_id:hashed | no |
| Text (legacy) | --key field:text | no |
| Wildcard | --file <json> w/ {"keys": [{"$**": 1}]} | no |
| Atlas Search | atlas_search_create.py --type search | yes |
| Vector Search | atlas_search_create.py --type vectorSearch | yes |
Full reference: references/index-types.md.
Pre-flight Duplicate Detection
safe_index_create.py runs a pre-flight via mongosh (when creds are available) that checks if:
- An index w/ identical keys already exists → refuses to create duplicate
- An existing larger compound already covers the proposed keys as a prefix → refuses (your index would be redundant)
Override w/ --skip-preflight (not recommended). If mongosh creds aren't available, pre-flight is silently skipped.
Output Format
Default: human-readable summary to stderr, JSON to stdout when --json flag set. Pipe through jq:
python3 scripts/suggest_indexes.py --cluster <C> --json | jq '.[] | .namespace'
Error Handling
When scripts detect missing credentials or permission errors, they output:
MISSING: <ENV_VAR>
ASK_USER: <human prompt>
LOCATION: <where to find the value>
Claude should parse & use AskUserQuestion to prompt.
For permission errors:
PERMISSION_DENIED: requires <role>
ACTION: Ask user to grant role or use a different API key
Refusal Pattern
Refused destructive ops produce:
REFUSED: `atlas <command>` is a destructive op blocked by this skill.
Matched forbidden prefix: <prefix>
Run it manually in Atlas UI or via `atlas` directly if you intend to.
Never bypass — even w/ "I'm sure", "force it", "yolo". Tell the user to run it manually.
Complementary Tools
This skill focuses on admin/audit/index-management. For complementary capabilities:
References
Self-Healing
On any atlas error: atlas <command> --help → if unclear, WebFetch
https://www.mongodb.com/docs/atlas/cli/current/command/atlas-<command>/
(dashes join subcommands) → adjust → re-run.
Integration
Pairs w/:
senior-backend — schema/query design before adding indexes
code-quality — review query code that produces slow ops
pydantic-model — model-level fixes that reduce doc bloat
- MongoDB MCP server — for direct data ops