AI agents use create_vas_order to commit financial operations through SIMcloud — usually the final step of a payment, billing, or trading workflow. A call moves real money.
| Parameter | Type | Required | Description |
|---|---|---|---|
amount | number | Yes | |
reference | string | Yes | |
product_id | integer | — | SIMcloud VAS product ID. Required when voucher_type is not supplied. |
voucher_type | string | — | Exact VAS voucher type or slug. Required when product_id is not supplied. |
Parameters from the server's own tool schema.
Creating a VAS voucher order involves spending funds from the authenticated SIMcloud wallet. This is analogous to the other order-creation tools on this server (airtime, data, electricity) which all commit financial transactions. Misuse by an AI agent could result in unauthorized purchases and financial loss.
From the tool's definition 'Queues a VAS voucher order through the authenticated SIMcloud account' — creates a purchase order for a VAS (Value Added Service) voucher, committing financial obligations against the account wallet.
Attacks that exploit this kind of access
Queues a VAS voucher order through the authenticated SIMcloud account. It is categorised as a Financial tool in the SIMcloud MCP Server, which means it involves financial transactions. Block by default and require explicit approval.
create_vas_order accepts 4 parameters: amount, reference, product_id, voucher_type. Required: amount, reference. The full parameter table on this page comes from the server's own tool schema.
Register the SIMcloud MCP server in PolicyLayer and add a rule for create_vas_order: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches SIMcloud. Nothing to install.
create_vas_order is a Financial tool with critical risk. Critical-risk tools should be blocked by default and only enabled with explicit human approval.
Yes. Add a rate_limit block to the create_vas_order rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for create_vas_order. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
create_vas_order is provided by the SIMcloud MCP server (https://simcloud.co.za/api/mcp.php). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
create_vas_order is one line of SIMcloud's registry record.
The record carries the whole server: verified identity, auth posture, risk grade, every tool classified, recommended policy — re-checked continuously.
Teams ship this data inside their own products. See what a licence covers →