Agents & MCP

MCP server: giving Claude a trading desk

How polybot exposes market analysis, strategy assessment, and approval-gated execution as typed MCP tools — so Claude, GPT, or any agent can actually trade.

Published Apr 15, 2026

The Model Context Protocol (MCP) gave AI clients a stable, typed way to call tools. polybot was built to be MCP-native — not MCP-adapted. This guide explains what that means, what tools polybot exposes, and how to wire an agent up to trade.

What MCP actually is

MCP is a protocol spec (Anthropic, open) that standardises how AI clients discover and invoke tools on a server. If you’ve used function-calling APIs, MCP is the interop layer on top: a single client can talk to dozens of MCP servers, each exposing its own tools. The client doesn’t need per-server glue.

For a trading platform, MCP matters because:

Typed tools. Each tool has a JSON Schema input. The agent can’t pass nonsense and expect something to happen.
Discoverability. Clients enumerate tools; agents know what’s available.
Transport-agnostic. stdio for local Claude Desktop, HTTP for hosted agents, WebSocket for IDEs. The server code is the same.

polybot’s MCP surface

polybot ships an MCP server in src/polybot/mcp/ with three families of tools:

Introspection (always safe)

list_markets(category?, limit?)
get_market(market_id)
get_positions()
get_orders(status?)
get_strategy_code(strategy_name)
get_balance()

Read-only. Agents can always call these. In disabled mode, these are the only tools exposed.

Strategy assessment

analyze_strategy(name, window_days=30)
compare_strategies(names[], window_days=30)
suggest_strategy_improvements(name)

These return structured reports: P&L, Sharpe, drawdown, fill rate, cost-adjusted edge. suggest_strategy_improvements invokes the configured AI plugin with the strategy’s code and 30 days of performance, and returns a proposal. It does not apply changes — that requires a human.

Execution (gated)

place_order(market_id, side, size, price?, tif?)
cancel_order(order_id)
cancel_all(market_id?)
enable_strategy(name)
disable_strategy(name)

These are gated by the trading mode:

Mode	`place_order` behaviour
`disabled`	Tool not exposed at all
`shadow`	Accepts and logs; fills virtually against a paper book; no real order submitted
`live`	Submits real order if it passes the approval gate (pre-authorised thresholds or inline approval prompt)

Every tool invocation is logged to the audit table with tool name, arguments, caller (client identity from MCP context), and outcome.

Wiring up Claude Desktop

Claude Desktop reads MCP servers from its config. Add polybot:

{
  "mcpServers": {
    "polybot": {
      "command": "polybot",
      "args": ["mcp", "start", "--mode", "shadow"],
      "env": { "POLYBOT_HOME": "/Users/you/.polybot" }
    }
  }
}

Restart Claude Desktop. You can now ask:

“What are my three best-performing strategies over the last two weeks, and what would you change about the worst one?”

Claude calls compare_strategies(["arbitrage","spread_farm","ai_model"], window_days=14), reads the reports, calls suggest_strategy_improvements("momentum"), and summarises. You approve changes via the CLI — the agent proposes, you dispose.

Why this is a different shape than a chatbot

A chatbot reasons over tokens. An MCP-native platform lets the agent reason over your domain objects: markets, orders, positions, risk. The agent isn’t explaining trading to you; it’s operating on trading primitives, and the platform enforces the invariants it can’t be trusted with (risk caps, execution mode, audit).

This is the core claim of polybot being “an agent core, not n8n”: the tools aren’t a generic REST surface behind LLM prompts. They’re the same primitives the human operator uses, exposed coherently.

Common pitfalls

Giving the agent live mode too early. Shadow for weeks. Check the audit log. Catch the weird behaviour — we’ve seen Claude propose doubling-down on losing positions when asked to “fix” a strategy. The approval gate saves you.
Letting the agent pick market_id freely. Ambiguous market names → wrong market. polybot’s list_markets + get_market pair forces disambiguation.
Over-broad tool scope. You don’t need place_order exposed if the agent is there to analyse. Run two MCP profiles: read-only and execution; swap at the config level.

Building on this

The full tool catalog is in src/polybot/mcp/tools.py.
Approval logic is in src/polybot/mcp/approval.py.
Audit logging is in src/polybot/mcp/audit.py.

The design choice worth stealing for your own MCP server, whether or not it touches trading: separate the agent’s reasoning surface from the platform’s invariants. Let the LLM be clever about strategy; don’t let it be clever about risk.

Need an agent system built like this?

Cryptuon builds production AI agents, MCP integrations, and trading systems. polybot is our open-source showcase.

Book a 30-min intro call → Email [email protected]