# Robinhood let AI agents trade real money. The only safety check is optional.

> Robinhood's MCP lets an AI agent place real trades with no broker-side cap. A few simple rules at the gateway stop a rogue or hijacked agent draining the account.

Published: Fri Jun 19

Canonical: https://policylayer.com/blog/robinhood-agentic-trading-mcp-safety

On 19 June, Robinhood CEO Vlad Tenev [shared the numbers](https://x.com/vladtenev/status/2067754874813710593):

> "In the first few weeks of agentic trading on Robinhood, over 50,000 customers have opened agentic trading accounts and are trading millions of dollars per day of equities and options."

Fifty thousand people just handed an AI agent the keys to a live brokerage account. It buys and sells real shares with real money, no human in the loop unless you ask for one.

Here's what the celebration leaves out: the only safety check between that agent and your balance is one the agent is free to skip — and a single poisoned sentence on the internet can make it skip.

<!--truncate-->

<!-- LIAD: tool names are first-hand from probing the live endpoint (19-06); per-tool schemas reconstructed from docs + SecProve. -->

## What the agent can do

Approve the MCP at `https://agent.robinhood.com/mcp/trading` once and your agent gets twelve tools: read every account and order you hold, manage watchlists, and place, review or cancel real trades. There's no read-only option — approving at all approves trading. The tool that matters is `place_equity_order`: it spends your money, and a filled market order has no undo.

Robinhood's entire safety model is account isolation — the agent trades in a separate account you fund. That caps how much you can lose. It does nothing about what the agent does with it.

## Nothing is watching the trades

`review_equity_order` looks like the seatbelt — it simulates an order and shows you the warnings. But it's a separate, optional step. Nothing forces the agent to run it before `place_equity_order`, and Robinhood says an autonomous agent can ["place trades without your confirmation"](https://robinhood.com/us/en/support/articles/agentic-trading-overview/).

That's the flaw in any control that lives inside the agent: the agent is exactly what an attacker manipulates. It reads untrusted text all day — news, research notes, a stock's description, a forum post. Plant "strong buy, act now" next to the attacker's ticker, get it in front of the agent, and it places the order. We've [written before](/blog/tool-result-injection-mcp-attack) about tool results becoming an injection surface; here that surface ends in a funded brokerage account.

And nothing on Robinhood's side stops it. No per-trade cap. No daily cap. No symbol allow-list. The ceiling on a hijacked agent is your balance.

## What "going rogue" actually looks like

That balance isn't an abstraction. With `place_equity_order` and nothing in front of it, one confused or hijacked agent can:

- **Drain the account to zero** — a single market order for the full balance, filled at whatever the order book offers, no second look.
- **Buy the wrong thing entirely** — a ticker planted in a "research note," a microcap someone wants pumped, or just a symbol three letters off the one you meant. The agent can't tell the difference. It buys.
- **Liquidate your positions at the worst moment** — sell everything to market on a signal it misread, locking in the loss.
- **Do it again, and again** — stuck in a loop, re-firing the same order until the cash is gone. There's no frequency cap to stop it.
- **Cancel your safety net** — `cancel_equity_order` can pull the limit order you set to protect yourself, then trade into the gap.

Every one of these is one tool call away, and nothing on the broker side says no.

## A few rules stop it

The fix isn't a better prompt — a prompt is the thing being attacked. It's a hard limit the agent can't argue with, sitting outside the model.

Route your agent through PolicyLayer and set rules in the dashboard in plain terms:

- **Cap every trade at $500.**
- **Only let it trade VOO, VTI and AAPL.**
- **Block options and crypto outright** — including the day Robinhood enables them.
- **Send anything bigger to you for approval.**

Each rule is checked on every order *before* it reaches Robinhood. The injection screaming "buy $40,000 of TICKER" is denied at the gate — every time, no matter what the model was told. You set it once; it holds regardless of what the agent decides to do next.

That's the whole idea: the agent can be as clever, or as compromised, as it likes. The rules don't run on trust. They run on every call.

Robinhood won't be the last to hand an agent a live order API — every fintech MCP after it carries the same gap. You don't have to wait for the broker to close it: the rule that caps the trade and locks the tickers takes a few minutes to set.

[Set your first rule](https://app.policylayer.com), or [see every tool the Robinhood agent can call](/tools/robinhood-agentic-trading).

## Related reading

- [AWS just made the case for deterministic policy at the MCP gateway](/blog/aws-cedar-deterministic-mcp-policy)
- [When tool results become an injection attack](/blog/tool-result-injection-mcp-attack)
- [Why the MCP gateway is the right enforcement point](/mcp-gateway)
- [How to stop a Robinhood trading agent going rogue](/robinhood)
- [SecProve: a security teardown of the Robinhood trading MCP](https://secprove.com/trading-agent-safety/robinhood-trading-mcp-url)
