Opinionated Cloudflare MCP server — audit and fix your zones with a read/write security split.
AI agents are great at reading infrastructure and telling you what's wrong. They're less great at having unsupervised write access to your DNS. clawdflare splits the difference: read operations are free, write operations require a PIN via macOS popup. The agent never sees the write token.
pip install clawdflare
export CLOUDFLARE_API_TOKEN="your-read-only-token"
clawdflare setup-token # encrypt write token with PIN
# CLI
clawdflare zones # list all zones
clawdflare audit example.com # audit against best practices
clawdflare fix example.com # dry-run: show what would change
clawdflare fix example.com --apply # apply fixes (PIN required)
clawdflare dns-records example.com # list DNS records
clawdflare ssl-status example.com # SSL/TLS summary
# MCP — add to Claude Code
clawdflare serve

Read operations use CLOUDFLARE_API_TOKEN from env. Write operations decrypt a separate token with a macOS PIN popup. The agent never sees the write credentials.
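
A minimal sketch of the read/write credential split described above, added here as an illustration; it is not clawdflare's own code. The class name, the `unlock_write_token` callback (standing in for the PIN popup and token decryption), the fake transport and the token strings are all assumptions constructed for the example.

```python
import os
from typing import Callable, Optional

READ_METHODS = {"GET", "HEAD"}


class SplitCredentialClient:
    """Hypothetical gate: reads use the env token, writes need an unlock step."""

    def __init__(self, unlock_write_token: Callable[[], Optional[str]],
                 transport: Callable[[str, str, str], dict]):
        # unlock_write_token stands in for the PIN popup plus decryption;
        # it returns None when the user cancels or enters a wrong PIN.
        self._unlock = unlock_write_token
        self._transport = transport  # (method, path, token) -> response dict

    def request(self, method: str, path: str) -> dict:
        method = method.upper()
        if method in READ_METHODS:
            token = os.environ["CLOUDFLARE_API_TOKEN"]  # read-only token
        else:
            token = self._unlock()
            if not token:
                # Fail closed: never fall back to the read token for a write.
                raise PermissionError(f"{method} {path} denied: write token locked")
        # Only the API response is returned to the caller, never the token.
        return {"method": method, "path": path,
                "result": self._transport(method, path, token)}


def demo():
    os.environ["CLOUDFLARE_API_TOKEN"] = "constructed-read-token"
    seen = []  # records which token each call was sent with

    def fake_transport(method, path, token):
        seen.append((method, token))
        return {"success": True}

    locked = SplitCredentialClient(lambda: None, fake_transport)
    unlocked = SplitCredentialClient(lambda: "constructed-write-token", fake_transport)
    read = locked.request("get", "/zones")
    try:
        locked.request("PATCH", "/zones/ZONE_ID/settings/ssl")
        denied = False
    except PermissionError:
        denied = True
    write = unlocked.request("PATCH", "/zones/ZONE_ID/settings/ssl")
    return read, denied, write, seen
```
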