AI agents use create_refund to commit financial operations through PayPal — usually the final step of a payment, billing, or trading workflow. A call moves real money.
This tool directly processes financial transactions by refunding captured payments, which commits financial obligations and moves money. This is the highest severity category as it can result in significant monetary loss if misused by an AI agent (e.g., refunding legitimate transactions without authorization).
From the tool's definition Tool name 'create_refund' and description 'Process a refund for a captured payment' indicate direct movement of money from a merchant account back to a customer.
Documented attack patterns abuse exactly the kind of access create_refund gives an agent:
PolicyLayer is an MCP gateway — it sits between your AI agents and PayPal, and nothing reaches the server without passing your rules. This is the rule we recommend for create_refund:
{
"version": "1",
"default": "deny",
"tools": {
"create_refund": {
"deny_if": [
{
"conditions": [],
"on_deny": "Requires human approval."
}
]
}
}
}Any call to create_refund is blocked until a human approves it. The rest of the server keeps working.
Free to start. No card required.
Process a refund for a captured payment. It is categorised as a Financial tool in the PayPal MCP Server, which means it involves financial transactions. Block by default and require explicit approval.
Register the PayPal MCP server in PolicyLayer and add a rule for create_refund: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches PayPal. Nothing to install.
create_refund is a Financial tool with critical risk. Critical-risk tools should be blocked by default and only enabled with explicit human approval.
Yes. Add a rate_limit block to the create_refund rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for create_refund. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
create_refund is provided by the PayPal MCP server (paypal/agent-toolkit). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Deterministic rules across all 30 PayPal tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.
Free to start. No card required.
30 PayPal tools catalogued and risk-classified — across an index of 42,500+ MCP servers.