Amap Maps MCP — agentic threat model
The Amap Maps MCP agent acts as a read-only bridge to Gaode's location services, presenting low agentic risk due to its lack of write-access tools, though it remains vulnerable to API key exhaustion and location data leakage.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.20 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.30 |
| Persistent Memory | 0.00 |
| Contextual Awareness | 0.40 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.20 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — the agent is model-agnostic and acts as an MCP server. The underlying LLM is responsible for interpreting user intent and mapping it to the geocoding or routing tool parameters, making it susceptible to prompt injection that could force unnecessary or malformed API calls.
Layer 2 (Data Operations): The agent does not maintain a local vector database or RAG pipeline. Data operations are transient, consisting of passing location queries, coordinates, and routing requests directly to the external Amap API endpoints.
Layer 3 (Agent Frameworks): Exposes a structured tool surface (geocoding, POI search, routing, weather) via the Model Context Protocol (MCP). The primary risk is tool misuse or parameter injection where an attacker manipulates input coordinates or query strings to exhaust the user's Amap API quota.
Layer 4 (Deployment and Infrastructure): Requires local or containerized hosting to run the MCP server. The primary security boundary is the protection of the Amap API key, which must be securely injected into the runtime environment to prevent unauthorized exposure or theft.
Layer 5 (Evaluation and Observability): Not certain from the listing — there is no mention of built-in logging, rate-limiting, or guardrails to monitor API usage, detect anomalous query volumes, or prevent rapid quota depletion.
Layer 6 (Security and Compliance): Compliance risks center on user privacy, as location queries, IP-derived coordinates, and routing paths are transmitted to Gaode's (Amap) external servers, potentially violating strict data residency or privacy policies.
Layer 7 (Agent Ecosystem): Designed to be integrated into broader agentic workflows. If a parent agent is compromised, this MCP tool can be abused to map out physical locations or track user-related coordinates, serving as an information disclosure vector.
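The quota-exhaustion and missing rate-limiting risks described above can be handled by a guard placed in front of every tool call. The sketch below is an added example, not code from the listing or from the Amap MCP server. The tool names, parameter keys, "longitude,latitude" string format, and limits are all assumptions made for illustration.

```python
import re
import time
from collections import deque

# Assumed tool names and limits: the listing names only the tool categories
# (geocoding, POI search, routing, weather), not identifiers or quotas.
ALLOWED_TOOLS = {"geocode", "poi_search", "route", "weather"}
COORD_KEYS = ("origin", "destination", "location")  # hypothetical parameter keys
COORD_RE = re.compile(r"^-?\d{1,3}(\.\d{1,6})?,-?\d{1,2}(\.\d{1,6})?$")
MAX_TEXT_LEN = 128


class ToolCallGuard:
    """Validates tool parameters and enforces a sliding-window call budget."""

    def __init__(self, max_calls, window_s, clock=time.monotonic):
        self.max_calls, self.window_s, self.clock = max_calls, window_s, clock
        self.calls = deque()  # timestamps of admitted calls
        self.denied = []      # (tool, reason) only: no location values are kept

    def check(self, tool, params):
        """Return (allowed, reason); a denied call never reaches the upstream API."""
        reason = self._reject_reason(tool, params)
        if reason:
            self.denied.append((tool, reason))
            return False, reason
        self.calls.append(self.clock())
        return True, "ok"

    def _valid_coord(self, value):
        if not isinstance(value, str) or not COORD_RE.match(value):
            return False
        lon, lat = (float(p) for p in value.split(","))
        return -180.0 <= lon <= 180.0 and -90.0 <= lat <= 90.0

    def _reject_reason(self, tool, params):
        if tool not in ALLOWED_TOOLS:
            return "unknown tool"
        for key, value in params.items():
            if key in COORD_KEYS:
                if not self._valid_coord(value):
                    return f"bad coordinate in {key}"
            elif (not isinstance(value, str) or len(value) > MAX_TEXT_LEN
                    or any(ord(c) < 32 for c in value)):
                return f"bad text in {key}"
        now = self.clock()
        while self.calls and now - self.calls[0] >= self.window_s:
            self.calls.popleft()  # drop calls that left the window
        if len(self.calls) >= self.max_calls:
            return "call budget exhausted"
        return None
```

Rejected calls do not consume budget, so malformed input cannot itself deplete the quota, and the `denied` list gives a monitoring hook for anomalous call volumes without retaining the queried locations.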
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).