A wave of "AI agents can now trade" tooling shipped this quarter. Kraken put out a CLI described as a crypto trading tool for AI agents. Alpaca shipped an MCP server. deBridge, Bybit, and others expose their functionality to agents the same way. The interfaces are genuinely good — clean, well-documented, and easy for an autonomous agent to call.

But "an agent can call it" and "an agent can rely on it" are different claims. When an agent fires a trade through one of these tools, it isn't just sending a request. It's accepting a trust model. And that trust model is usually invisible in the tool's README.

This post is a mechanism-level diff: what a custodial exchange tool requires you to trust, versus what hash-time-locked (HTLC) atomic settlement requires. No marketing — just where the trust sits in each design, including the honest costs of the trustless path.

What a custodial CEX tool asks an agent to trust

Wrap a centralized exchange in a CLI or an MCP server and you get a great developer surface on top of an unchanged settlement model. Three trust assumptions come along for free: