ICUICU
critical

@amap/amap-maps-mcp-server

v0.0.8

MCP server for using the AMap Maps API

npmduxiaohuiFirst seen Feb 22, 2026Source

26

Total

1

Critical

5

High

20

Medium

Findings

unknown
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    5: import fetch from "node-fetch";
    6: function getApiKey() {
>>> 7:     const apiKey = process.env.AMAP_MAPS_API_KEY;
    8:     if (!apiKey) {
    9:         console.error("AMAP_MAPS_API_KEY environment variable is not set");
Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: J�b�'���ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: r����z�(u��z�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: r���݊���*'���)�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: r���݊���*'���)�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: J�b�'���ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    252:     url.searchParams.append("key", AMAP_MAPS_API_KEY);
    253:     url.searchParams.append("source", "ts_mcp");
>>> 254:     const response = await fetch(url.toString());
    255:     const data = await response.json();
    256:     if (data.status !== "1") {
Report false positive
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    280:     url.searchParams.append("address", address);
    281:     url.searchParams.append("source", "ts_mcp");
>>> 282:     const response = await fetch(url.toString());
    283:     const data = await response.json();
    284:     if (data.status !== "1") {
Report false positive
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    319:     url.searchParams.append("key", AMAP_MAPS_API_KEY);
    320:     url.searchParams.append("source", "ts_mcp");
>>> 321:     const response = await fetch(url.toString());
    322:     const data = await response.json();
    323:     if (data.status !== "1") {
Report false positive
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    349:     url.searchParams.append("source", "ts_mcp");
    350:     url.searchParams.append("extensions", "all");
>>> 351:     const response = await fetch(url.toString());
    352:     const data = await response.json();
    353:     if (data.status !== "1") {
Report false positive
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    376:     url.searchParams.append("key", AMAP_MAPS_API_KEY);
    377:     url.searchParams.append("source", "ts_mcp");
>>> 378:     const response = await fetch(url.toString());
    379:     const data = await response.json();
    380:     if (data.status !== "1") {
Report false positive
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    413:     url.searchParams.append("destination", destination);
    414:     url.searchParams.append("source", "ts_mcp");
>>> 415:     const response = await fetch(url.toString());
    416:     const data = await response.json();
    417:     if (data.errcode !== 0) {
Report false positive
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    458:     url.searchParams.append("destination", destination);
    459:     url.searchParams.append("source", "ts_mcp");
>>> 460:     const response = await fetch(url.toString());
    461:     const data = await response.json();
    462:     if (data.status !== "1") {
Report false positive
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    503:     url.searchParams.append("destination", destination);
    504:     url.searchParams.append("source", "ts_mcp");
>>> 505:     const response = await fetch(url.toString());
    506:     const data = await response.json();
    507:     if (data.status !== "1") {
Report false positive
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    551:     url.searchParams.append("cityd", cityd);
    552:     url.searchParams.append("source", "ts_mcp");
>>> 553:     const response = await fetch(url.toString());
    554:     const data = await response.json();
    555:     if (data.status !== "1") {
Report false positive
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    638:     url.searchParams.append("type", type);
    639:     url.searchParams.append("source", "ts_mcp");
>>> 640:     const response = await fetch(url.toString());
    641:     const data = await response.json();
    642:     if (data.status !== "1") {
Report false positive
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    673:     url.searchParams.append("citylimit", citylimit);
    674:     url.searchParams.append("source", "ts_mcp");
>>> 675:     const response = await fetch(url.toString());
    676:     const data = await response.json();
    677:     if (data.status !== "1") {
Report false positive
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    718:     url.searchParams.append("keywords", keywords);
    719:     url.searchParams.append("source", "ts_mcp");
>>> 720:     const response = await fetch(url.toString());
    721:     const data = await response.json();
    722:     if (data.status !== "1") {
Report false positive
mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.9 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive
mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (5.0 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive
mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (5.3 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive
mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (5.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive
mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.8 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive
mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive
mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (5.2 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive
mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (5.2 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

Scan History

DateRiskFindings
Feb 25, 2026critical26
Feb 23, 2026critical26
Feb 22, 2026critical26