mediabox-mcp
mcp
Warn
Health Warn
- License — License: MIT
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 5 GitHub stars
Code Warn
- process.env — Environment variable access in mcp-server/src/auth.ts
- process.env — Environment variable access in mcp-server/src/config.ts
- network request — Outbound network request in mcp-server/src/helpers/api.ts
- network request — Outbound network request in mcp-server/src/helpers/pyload.ts
- network request — Outbound network request in mcp-server/src/helpers/qbittorrent.ts
Permissions Pass
- Permissions — No dangerous permissions requested
Purpose
This MCP server acts as a unified control panel for a self-hosted media stack. It allows AI assistants to manage and interact with applications like Jellyfin, Sonarr, Radarr, qBittorrent, and PyLoad through a single interface.
Security Assessment
The overall risk is Medium. The tool makes numerous outbound network requests, which is entirely expected since its primary function is to communicate with local media and download services via their APIs. It relies on environment variables to handle authentication and API keys safely, meaning no hardcoded secrets were detected. While it does not execute arbitrary shell commands or request dangerous system permissions, the nature of the software is sensitive. Because it can control download clients (like qBittorrent and PyLoad) and media managers, a compromise or misconfiguration could lead to unauthorized access to your private network, media files, or download activity. It properly implements OAuth2 and relies on a reverse proxy for secure external access.
Quality Assessment
The project is very new and currently has low community visibility with only 5 GitHub stars. However, it is actively maintained (with recent pushes) and is cleanly licensed under MIT. The codebase is written in TypeScript and offers a polished deployment experience, utilizing Docker Compose and an automated setup CLI to simplify what is traditionally a complex networking architecture.
Verdict
Use with caution: the code itself is safe and properly structured, but the tool provides deep control over sensitive download and media services, meaning it should be deployed only on trusted, properly firewalled networks.
This MCP server acts as a unified control panel for a self-hosted media stack. It allows AI assistants to manage and interact with applications like Jellyfin, Sonarr, Radarr, qBittorrent, and PyLoad through a single interface.
Security Assessment
The overall risk is Medium. The tool makes numerous outbound network requests, which is entirely expected since its primary function is to communicate with local media and download services via their APIs. It relies on environment variables to handle authentication and API keys safely, meaning no hardcoded secrets were detected. While it does not execute arbitrary shell commands or request dangerous system permissions, the nature of the software is sensitive. Because it can control download clients (like qBittorrent and PyLoad) and media managers, a compromise or misconfiguration could lead to unauthorized access to your private network, media files, or download activity. It properly implements OAuth2 and relies on a reverse proxy for secure external access.
Quality Assessment
The project is very new and currently has low community visibility with only 5 GitHub stars. However, it is actively maintained (with recent pushes) and is cleanly licensed under MIT. The codebase is written in TypeScript and offers a polished deployment experience, utilizing Docker Compose and an automated setup CLI to simplify what is traditionally a complex networking architecture.
Verdict
Use with caution: the code itself is safe and properly structured, but the tool provides deep control over sensitive download and media services, meaning it should be deployed only on trusted, properly firewalled networks.
Self-hosted media server with AI-powered management via MCP. Control Jellyfin, Sonarr, Radarr, qBittorrent and PyLoad through any AI assistant.
README.md
Mediabox MCP
Self-hosted media server with AI-powered management via MCP
Quick Start
npx create-mediabox
One command. Answer a few questions. The CLI sets up the full stack automatically — Docker containers, API keys, service connections, media libraries, everything.
Supports Local (home network), VPS (with Caddy and automatic HTTPS), and Cloudflare Tunnel (public access from home without opening ports) deployments.
Requires Docker, Docker Compose, and Node.js >= 20. Use
--local-buildto build images from source instead of pulling from registry.
Architecture
Internet
│
┌────────────┼────────────┐
│ Reverse Proxy │
│ (Caddy / nginx / etc) │
│ :80 / :443 (HTTPS) │
└────────────┬────────────┘
│ mediabox-net
┌──────────────────────────┼──────────────────────────────┐
│ ▼ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ Your AI Client │ │
│ │ (Claude / Telegram Bot / Any MCP Client) │ │
│ └──────────────────┬───────────────────────────────┘ │
│ │ MCP Protocol (Streamable HTTP) │
│ ▼ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ MCP Server (:3000) │ │
│ │ 25 tools · OAuth2 · Express · TypeScript │ │
│ └──┬──────────┬──────────┬──────────┬──────────┬───┘ │
│ ▼ ▼ ▼ ▼ ▼ │
│ Jellyfin Sonarr Radarr qBittorrent PyLoad │
│ :8096 :8989 :7878 :8085 :8000 │
│ │ │ │ │ │
│ │ Prowlarr ◄───┘ │ │
│ │ :9696 │ │
│ │ │ │ │
│ │ FlareSolverr │ │
│ │ :8191 │ │
│ ▼ ▼ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ Shared Media Volume │ │
│ │ /data/movies · /data/tv · /data/anime │ │
│ └──────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────┘
Local mode: ports exposed directly
VPS mode: ports bound to 127.0.0.1 + Caddy reverse proxy
Tunnel mode: ports bound to 127.0.0.1 + Cloudflare Tunnel
MCP Tools (25)
| Category | Tools | Description |
|---|---|---|
| Jellyfin | server_status activity_log search_media show_details |
Library browsing, monitoring, playback history |
| Library | manage_library manage_files rename_episodes fix_subtitles |
File ops, subtitle conversion, batch renaming |
| Sonarr | series_search series_status series_remove series_releases series_grab |
TV/anime management with auto ID resolution |
| Radarr | movie_search movie_status movie_remove movie_releases movie_grab |
Movie management with duplicate prevention |
| Downloads | download_add download_direct download_status cancel_downloads |
Direct URLs, PyLoad, queue management, orphan cleanup |
| Maintenance | optimize_media cleanup_server check_jobs |
Strip tracks, clean server, monitor jobs |
What does the CLI do?
The create-mediabox CLI replaces ~15 manual setup steps with a single interactive wizard:
- Asks for your preferences — deployment mode (Local/VPS/Tunnel), media paths, passwords, timezone, optional Telegram bot
- Generates
.env,docker-compose.yml,Caddyfile(VPS), and pre-configures qBittorrent - Starts all Docker containers and waits for each service to be ready
- Auto-configures the entire stack via service APIs:
- Extracts Sonarr/Radarr/Prowlarr API keys
- Runs Jellyfin setup wizard, creates admin user and API key
- Configures qBittorrent as download client in Sonarr/Radarr
- Adds root folders and syncs Prowlarr indexers
- Sets up FlareSolverr proxy and Jellyfin media libraries
- Sets web UI credentials across all services
After setup, the only manual step is adding your torrent indexers in Prowlarr.
License
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found