42
/ 100
1 month ago
glama

media-gen-mcp

MCP server for generating and editing images using OpenAI, and creating videos using OpenAI Sora and Google Veo. Enables fetching media from URLs or disk with smart output placement.

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings
⚠️
Tool descriptions don’t match what handlers do
3 tools describe read intent but their handlers mutate — fetch-images (line 1150: fs.promises.writeFile(filePath, Buffer.from(img.b64, "base64"))); fetch-videos (line 257: fs.promises.mkdir(dir, { recursive: true })); fetch-document (line 257: fs.promises.mkdir(dir, { recursive: true }))
🚨
Known vulnerabilities in dependencies: 1 critical, 3 high
Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.
🔐
You'll be asked for 5 credentials: ANTHROPIC_API_KEY, AZURE_OPENAI_API_KEY, GEMINI_API_KEY, GOOGLE_API_KEY, OPENAI_API_KEY
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// known CVEs in dependencies1 critical3 high

Disclosed vulnerabilities in this server's declared npm dependencies (via OSV). Whether each is reachable depends on the installed versions.

criticalvitest@3.2.4GHSA-5xrq-8626-4rwp

When Vitest UI server is listening, arbitrary file can be read and executed

high@modelcontextprotocol/sdk@1.23.0GHSA-345p-7cg4-v4c7

@modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse

high@modelcontextprotocol/sdk@1.23.0GHSA-8r9q-7v3j-jr4g

Anthropic's MCP TypeScript SDK has a ReDoS vulnerability

high@modelcontextprotocol/sdk@1.23.0GHSA-w48q-cv73-mx4w

Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default

Depend on this server? Get alerted when its CVEs change.Watch this server free →
// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
🔐 secretANTHROPIC_API_KEY
🔐 secretAZURE_OPENAI_API_KEY// "": "sk-...",
configAZURE_OPENAI_DEPLOYMENT
configAZURE_OPENAI_ENDPOINT// "": "my.endpoint.com",
🔐 secretGEMINI_API_KEYGemini Developer API: set (or GOOGLE_API_KEY), or google.api_key in secrets.yaml.
🔐 secretGOOGLE_API_KEYGemini Developer API: set GEMINI_API_KEY (or ), or google.api_key in secrets.yaml.
configGOOGLE_CLOUD_LOCATIONVertex AI: set GOOGLE_GENAI_USE_VERTEXAI=true, GOOGLE_CLOUD_PROJECT, and (or google.vertex_ai. in secrets.yaml).
configGOOGLE_CLOUD_PROJECTVertex AI: set GOOGLE_GENAI_USE_VERTEXAI=true, , and GOOGLE_CLOUD_LOCATION (or google.vertex_ai. in secrets.yaml).
configGOOGLE_GENAI_USE_VERTEXAIVertex AI: set =true, GOOGLE_CLOUD_PROJECT, and GOOGLE_CLOUD_LOCATION (or google.vertex_ai. in secrets.yaml).
configMCP_MAX_CONTENT_BYTESthreshold (default ~50MB via ), the server
configMEDIA_GEN_DIRSAllowed directories: All tools are restricted to paths matching . If unset, defaults to /tmp/media-gen-mcp (or %TEMP%/media-gen-mcp on Windows).
configMEDIA_GEN_MCP_ALLOW_FETCH_LAST_N_IMAGESWhen n is provided, it is only honored when the environment variable is set to true. Otherwise, the call fails with a validation error.
configMEDIA_GEN_MCP_ALLOW_FETCH_LAST_N_VIDEOSWhen n is provided, it is only honored when the environment variable is set to true. Otherwise, the call fails with a validation error.
configMEDIA_GEN_MCP_DEBUG
configMEDIA_GEN_MCP_LOG_FORMAT
configMEDIA_GEN_MCP_LOG_LEVEL
configMEDIA_GEN_MCP_LOG_SANITIZE_IMAGES(default: true)
configMEDIA_GEN_MCP_LOG_SANITIZE_KEYS(comma-separated list of field names).
configMEDIA_GEN_MCP_TEST_SAMPLE_DIRTest samples: adds a directory to the allowlist and enables the test-images tool.
configMEDIA_GEN_MCP_URL_PREFIXESFor ChatGPT, use response_format: "url" and configure the first entry as a public HTTPS prefix (for example MEDIA_GEN_MCP_URL_PREFIXES=https://media-gen.example.com/media).
configMEDIA_GEN_URLSRemote reads: HTTP(S) fetches are filtered by patterns. Empty = allow all.
🔐 secretOPENAI_API_KEYPut and other settings into media-gen.env (see .env.sample in this repo).
configOPENAI_API_VERSION"": "2024-12-01-preview"
// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance — verified publishers only
We have 7 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
// embed badge in your README
[![M8ven Score](https://m8ven.ai/badge/mcp/strato-space-media-gen-mcp-1ehxob)](https://m8ven.ai/mcp/strato-space-media-gen-mcp-1ehxob)
commit: 893feb7b043984924c9d23c5f3face21966c55f7
code hash: 58b1e9c7110eae94fcf341eaceadccde541975d1bc0de362bfa5940e90b4cef4
verified: 6/12/2026, 10:37:27 AM
view raw JSON →