AI agents use fund_wallet_stripe to commit financial operations through AgentPay — usually the final step of a payment, billing, or trading workflow. A call moves real money.
This tool directly initiates a payment flow by generating a Stripe checkout URL for adding credits. Even though a human must complete the payment, the tool's purpose is to commit financial obligations (purchasing credits). It falls squarely in the Financial category. Severity is critical because misuse could lead to unauthorized charges or manipulation of an AI agent's payment workflow.
From the tool's definition 'Get a Stripe checkout URL to add credits' and 'pay' — this tool initiates a financial transaction to add credits/funds to a wallet via Stripe checkout.
Attacks that exploit this kind of access
Get a Stripe checkout URL to add credits. Requires a human to open the link and pay. Use fund_wallet_x402 for fully autonomous crypto payments instead. It is categorised as a Financial tool in the AgentPay MCP Server, which means it involves financial transactions. Block by default and require explicit approval.
Register the AgentPay MCP server in PolicyLayer and add a rule for fund_wallet_stripe: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches AgentPay. Nothing to install.
fund_wallet_stripe is a Financial tool with critical risk. Critical-risk tools should be blocked by default and only enabled with explicit human approval.
Yes. Add a rate_limit block to the fund_wallet_stripe rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for fund_wallet_stripe. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
fund_wallet_stripe is provided by the AgentPay MCP server (joepangallo/mcp-server-agentpay). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Every MCP server has a record like this.
Type a name, get the same breakdown: verified identity, auth posture, risk grade, capabilities, recommended policy.
Teams ship this data inside their own products. See what a licence covers →