Gemini connects to Robinhood’s agentic trading through the Model Context Protocol (MCP), via Gemini CLI — the terminal agent. The Gemini web app does not support custom MCP connectors, so the CLI is the path. The setup is two commands, and then two Gemini-specific safety settings that most guides skip entirely — one of which you must not use.
Before you start
Same prerequisites as every agent connection: a Robinhood individual investing account in good standing, a desktop machine (agentic accounts can only be opened and authenticated there), and a funding decision you’ve already made — the funding amount is your hard loss cap. You’ll also need Gemini CLI installed and signed in.
The Robinhood Trading MCP URL:
https://agent.robinhood.com/mcp/trading
Step 1 — Add the server
In your terminal:
gemini mcp add robinhood-trading --transport http https://agent.robinhood.com/mcp/trading
This writes the server into your Gemini settings. Use --scope user to make it available everywhere, or --scope project to confine it to one working directory — confining a money-handling tool to one dedicated directory is the better habit.
If you prefer editing config directly, the equivalent entry in ~/.gemini/settings.json uses the httpUrl field (not url, which is for SSE transport):
{
"mcpServers": {
"robinhood-trading": {
"httpUrl": "https://agent.robinhood.com/mcp/trading"
}
}
}Step 2 — Authenticate
Gemini CLI discovers a remote server’s OAuth configuration automatically (the default authProviderType is dynamic_discovery). Check the connection and complete sign-in:
gemini mcp list
When the Robinhood sign-in prompt appears, authenticate and — if you haven’t yet — open and fund your Agentic account. If the server shows Disconnected, re-run from a trusted folder: Gemini CLI’s folder-trust feature blocks some server connections in untrusted directories (gemini trust to trust the current one).
The two Gemini-specific safety settings
This is where Gemini differs from Claude and ChatGPT, and it matters for an agent that touches money.
Never pass --trust for a trading server. Gemini CLI’s --trust flag bypasses every tool-call confirmation prompt for that server. For a notes server, fine. For a server that can place orders, those confirmation prompts are your approval gate — the human check before money moves. Leaving them on costs you a keystroke per action and buys you the single most effective guardrail there is.
Use includeTools for least privilege. Gemini CLI lets you allowlist which of a server’s tools the model can even see. Start read-only — quotes, positions, history — and add order placement only once you’ve watched the agent behave:
"robinhood-trading": {
"httpUrl": "https://agent.robinhood.com/mcp/trading",
"includeTools": ["get_quote", "get_positions", "get_orders"]
}A tool the agent can’t see is a tool it can’t be talked into using. (Tool names vary with the server’s current surface — run gemini mcp list to see what it exposes, then allowlist deliberately. Note that excludeTools overrides includeTools if a tool appears in both.)
Set guardrails before Gemini trades
The connection is the easy part. Before the first order:
- Generate a guardrail config with the free SecProve Agent Safety Kit — per-trade caps, a daily cap, an approval gate, a kill switch, and a prompt-injection rule — and give it to Gemini as standing instructions (a
GEMINI.mdin your project directory works well for this). - Set your spending and trade limits deliberately, and know your kill switch — including
gemini mcp remove robinhood-trading, the hard disconnect. - Remember the limits of prompt-level rules: a manipulated agent can ignore its own instructions. Caps and confirmations exist for exactly that day.
Good to know
Robinhood’s agentic trading is in beta and equities-only. Gemini Code Assist (VS Code agent mode) reads the same settings.json, so the server you added in the CLI appears there too — be deliberate about whether you want a trading tool available inside your IDE. And as with every agent: Robinhood does not supervise what you connect. The safety configuration is yours to own.
The URL is the easy part. Whether you’d notice a poisoned headline steering Gemini toward a bad trade is a security skill — and it’s measurable. Test yours at secprove.com.