Skillget

sisense-mcp-server

mcp
Guvenlik Denetimi
Uyari
Health Uyari
  • License — License: NOASSERTION
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Low visibility — Only 5 GitHub stars
Code Uyari
  • process.env — Environment variable access in e2e/helpers/test-utils.ts
  • process.env — Environment variable access in e2e/tests/build-chart.test.ts
  • process.env — Environment variable access in e2e/tests/build-query.test.ts
  • process.env — Environment variable access in e2e/visual-tests/analytics-app-render.spec.ts
  • process.env — Environment variable access in e2e/visual-tests/analytics-app-render.test.ts
Permissions Gecti
  • Permissions — No dangerous permissions requested
Purpose
This MCP server acts as a bridge between Large Language Models and the Sisense analytics platform, enabling AI assistants to query data sources and programmatically generate charts using natural language.

Security Assessment
Overall Risk: Medium. The tool inherently requires access to sensitive data, relying on Sisense API tokens and explicit environment variables (`SISENSE_URL`, `SISENSE_TOKEN`) for per-session authentication. Scans found no hardcoded secrets and confirmed that no dangerous system permissions are requested. It does not appear to execute arbitrary shell commands. However, automated checks flagged `process.env` access. While this is primarily located within end-to-end test files rather than the core runtime, developers should still verify how the application loads its credentials. Furthermore, because the tool fetches data from external Sisense servers and runs a lightweight local HTTP server, it actively makes network requests and should be run in a secure, restricted environment.

Quality Assessment
The project is written in TypeScript and appears to be actively maintained, with its most recent code push occurring today. However, it currently suffers from very low community visibility, having only 5 GitHub stars and an unasserted license. This lack of widespread community scrutiny means that potential bugs or security vulnerabilities might not yet be identified or patched by external contributors.

Verdict
Use with caution: the code is active and avoids dangerous permissions, but its newness, unverified license, and requirement to handle external API tokens mean you should thoroughly inspect it before exposing sensitive analytics data.
SUMMARY

MCP server enabling LLMs to query Sisense data sources and build charts via natural language prompts.

README.md

Sisense MCP Server

A Model Context Protocol (MCP) server that provides integration with Sisense analytics platform. This server enables LLMs to interact with Sisense data models and create charts programmatically.

Features

  • Transport: Streamable HTTP (streamable-http) for HTTP-based MCP clients (for example Claude Desktop, Cursor)
  • MCP tools (three by default; optional fourth when enabled):
    • getDataSources: Retrieve Sisense data sources (or data models)
    • getDataSourceFields: List all available fields for a specific data source
    • buildChart: Build charts from natural language prompts
    • buildQuery (optional): Run analytics queries when TOOL_BUILD_QUERY_ENABLED / toolBuildQueryEnabled is enabled
  • MCP Apps: When used in MCP Apps–capable clients (for example Claude), buildChart exposes an interactive View that renders the chart in an iframe within the app.
  • Per-session authentication: Sisense credentials via URL parameters and/or server environment variables
  • TypeScript: Full type safety and modern ESM support
  • Lightweight: Pure Node.js HTTP server, no heavy frameworks
  • Fast: Optimized for Bun runtime, also runs on Node.js

Documentation

  • Quick start — clone, .env, run, MCP client setup
  • Configuration — credentials, tunneling, feature flags, URL examples
  • FAQ — common questions and troubleshooting
  • Usage examples — prompts and workflows

Prerequisites

  • Bun >= 1.0.0 (recommended) or Node.js >= 18.0.0
  • Sisense instance with API access
  • Sisense API token
  • Playwright Chromium (installed automatically by bun install / npm install via postinstall)

Installation

bun install

Usage

Start the server:

# Development mode (hot reload)
bun run dev

# Production mode
bun run build
bun run start

Sessions are in-memory — chart state is lost if the server restarts.

The server prints something like the following (port defaults to 3001, or PORT if set):

Sisense MCP Server running on http://localhost:3001

Connect with:
  http://localhost:3001/mcp?sisenseUrl=<SISENSE_URL>&sisenseToken=<SISENSE_TOKEN>
  Or set SISENSE_URL and SISENSE_TOKEN in the environment and use http://localhost:3001/mcp

Optional feature-flag query params (override env vars per connection):
  mcpAppEnabled=true|false, toolBuildQueryEnabled=true|false, toolBuildChartNarrativeEnabled=true|false

Endpoints:
  Health: http://localhost:3001/health
  Screenshots: http://localhost:3001/screenshots/

Connecting your MCP client

Use an MCP streamable HTTP URL. For Cursor, Claude Desktop, and similar clients, add a server entry with the MCP path (not the shell bun command).

If SISENSE_URL and SISENSE_TOKEN are set in the server environment (for example in .env loaded by the process that runs bun run dev), the client URL does not need to include credentials:

{
  "mcpServers": {
    "sisense-analytics": {
      "url": "http://localhost:3001/mcp"
    }
  }
}

Note: Depending on your network or client environment, the localhost HTTP setup may not connect. In those cases, you will need to expose your local server publicly via HTTPS using a proxy service such as ngrok. Point the client at your HTTPS tunnel URL with the same /mcp path (and query parameters if you are not using server env credentials).

Credentials: If you do not use server env vars, put sisenseUrl and sisenseToken on the MCP URL as query parameters (URL params take precedence over env when both are present). Always percent-encode each value — see Configuration: URL encoding for details and examples.

Alternative connection patterns (placeholders only; use encoded values for real credentials):

http://localhost:3001/mcp?sisenseUrl=https://your-instance.sisense.com&sisenseToken=your-api-token

With SISENSE_URL and SISENSE_TOKEN in the server environment only:

http://localhost:3001/mcp

Behind a public HTTPS tunnel (example):

https://your-ngrok-url.ngrok-free.app/mcp?sisenseUrl=https://your-instance.sisense.com&sisenseToken=your-api-token

Configuration

Parameter Description
sisenseUrl Full URL to your Sisense instance (e.g., https://instance.sisense.com). In the query string, pass the value percent-encoded.
sisenseToken Sisense API authentication token. In the query string, pass the value percent-encoded (required if the token contains &, =, +, etc.).
PORT (Optional) Server port, defaults to 3001

The server automatically derives its public base URL from request headers, so it works correctly behind proxies like ngrok. For how to build encoded MCP URLs, see URL encoding for query parameters.

Optional feature-flag query parameters

Defaults suit most setups; change flags when you need a specific client behavior. For when to use each flag, copy-paste URL patterns, and env vs query string, see docs/guides/configuration.md.

These query params override the corresponding env vars on a per-connection basis. Accepted values: true, false, 1, 0 (case-insensitive).

Query parameter Env var equivalent Default Description
mcpAppEnabled MCP_APP_ENABLED true Renders the chart in an interactive app UI (supported in Claude); set to false for tool mode (image/screenshot output)
toolBuildQueryEnabled TOOL_BUILD_QUERY_ENABLED false Enable the buildQuery tool for executing analytics queries
toolBuildChartNarrativeEnabled TOOL_BUILD_CHART_NARRATIVE_ENABLED true Include NLG narrative/insights in the build chart tool response

Example URL with all three overrides (encode sisenseUrl and sisenseToken values when they are not simple alphanumeric placeholders):

http://localhost:3001/mcp?sisenseUrl=https://your-instance.sisense.com&sisenseToken=your-api-token&mcpAppEnabled=false&toolBuildQueryEnabled=true&toolBuildChartNarrativeEnabled=false

Development

# Run server in development mode with hot reload
bun run dev

# Build the project (View + server)
bun run build

# Build only the analytics View (dist/view.html)
bun run build:view

# Run tests
bun test

# Type checking
bun run type-check

# Lint
bun run lint

Security Considerations

⚠️ NEVER commit credentials to version control

⚠️ Use secret managers or vaults - NOT environment variables in production

⚠️ NEVER bind to 0.0.0.0 in production - use 127.0.0.1 or Unix socket

⚠️ Recommended: Use dev or staging Sisense when you have them. Autonomous AI clients can issue many API calls, and prompts can be ambiguous. Non-production reduces the impact of mistakes and surprises.

⚠️ Enable authentication - never run without auth

⚠️ Approve EVERY tool call - review all parameters before execution

⚠️ Create dedicated Sisense service account with minimum required permissions

⚠️ Rotate credentials regularly (every 90 days recommended)

Yorumlar (0)

Sonuc bulunamadi