Only the latest published npm version of mediamcp is supported.
Please do not open a public issue for security problems. Instead use GitHub private vulnerability reporting (Security → Report a vulnerability). You'll get a response within a few days.
- mediamcp runs locally over stdio and sends your prompt/images to the endpoint you configure (OpenRouter by default). It never sends your API key anywhere except the configured endpoint's origin.
- API keys are redacted from all error messages and logs; if you find a code path where a key can leak, that's a vulnerability — please report it.