Build an unsigned Bitcoin native-send PSBT (segwit/taproot only in Phase 1). Returns a 15-min handle the agent forwards to send_transaction; the Ledger BTC app clear-signs every output (address + amount) + fee on-screen, so there is NO blind-sign hash to pre-match in chat. The verification block ...
AI agents use prepare_btc_send to create or update resources in VaultPilot MCP — usually the action step of a workflow, after the agent has gathered context. Every call changes real data in your VaultPilot MCP environment.
| Parameter | Type | Required | Description |
|---|---|---|---|
to | string | Yes | Bitcoin recipient address. Any of the four mainnet types is accepted as a destination — the restriction is only on the source side. |
rbf | boolean | — | BIP-125 Replace-By-Fee. Default true → sequence 0xFFFFFFFD on every input, marking the tx replaceable so the user can fee-bump if it stalls. Set false → 0xFFFFF |
amount | string | Yes | Decimal BTC string (up to 8 fractional digits, e.g. "0.001") or "max" to sweep the full balance minus fees. "max" picks the fee-aware amount after coin-selectio |
wallet | object | Yes | One paired Bitcoin source address (string), OR an array of 1-20 paired source addresses for multi-input consolidation (issue #264). All addresses must belong to |
feePriority | string | — | Issue #435 — fuzzy-fee preset that resolves to mempool.space's named buckets (`fastestFee` ~next-block, `halfHourFee` ~3-block, `hourFee` ~6-block, `economyFee` |
allowHighFee | boolean | — | Override the fee-cap guard. The cap is `max(10 × feeRate × vbytes, 2% of total output value)`. Legitimate priority sends through heavy congestion can exceed it; |
feeRateSatPerVb | number | — | Fee rate in sat/vB. Optional — when omitted, uses mempool.space's `halfHourFee` recommendation (~3-block confirm target). Override for priority sends through co |
Parameters from the server's own tool schema.
An AI agent can call prepare_btc_send faster than any human can review — one bad instruction and it creates or modifies resources in VaultPilot MCP by the hundred, each call as confident as the last.
Risk signalsBulk/mass operation — affects multiple targets
Attacks that exploit this kind of access
Build an unsigned Bitcoin native-send PSBT (segwit/taproot only in Phase 1). Returns a 15-min handle the agent forwards to send_transaction; the Ledger BTC app clear-signs every output (address + amount) + fee on-screen, so there is NO blind-sign hash to pre-match in chat. The verification block surfaces every output's address, amount in BTC, isChange flag, fee (BTC + sat/vB), and RBF flag. Fee selection: pass feeRateSatPerVb for an explicit sat/vB number, OR feePriority for a fuzzy preset (fastestFee / halfHourFee / hourFee / economyFee / minimumFee — issue #435) that resolves to mempool.space's named buckets at prepare time. Default (neither set) is halfHourFee. The resolved sat/vB always appears in the response under feeRateSatPerVb so the user sees what was picked. Coin-selection runs branch-and-bound + accumulative fallback via the coinselect library; a fee-cap guard refuses any tx whose fee exceeds max(10 × feeRate × vbytes, 2% of total output value) unless allowHighFee: true is passed. RBF is enabled by default (sequence 0xFFFFFFFD); pass rbf: false to mark final. It is categorised as a Write tool in the VaultPilot MCP MCP Server, which means it can create or modify data. Consider rate limits to prevent runaway writes.
prepare_btc_send accepts 7 parameters: to, rbf, amount, wallet, feePriority, allowHighFee, feeRateSatPerVb. Required: to, amount, wallet. The full parameter table on this page comes from the server's own tool schema.
Register the VaultPilot MCP server in PolicyLayer and add a rule for prepare_btc_send: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches VaultPilot MCP. Nothing to install.
prepare_btc_send is a Write tool with medium risk. Write tools should be rate-limited to prevent accidental bulk modifications.
Yes. Add a rate_limit block to the prepare_btc_send rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for prepare_btc_send. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
prepare_btc_send is provided by the VaultPilot MCP server (vaultpilot-mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.