EidosAGI
MCP Server

clawdflare

Opinionated Cloudflare MCP server — audit and fix your zones with a read/write security split.

pip install clawdflare
View on GitHub · v0.1.0 · Mar 22, 2026

What it does

AI agents are great at reading infrastructure and telling you what's wrong. They're less great at having unsupervised write access to your DNS. clawdflare splits the difference: read operations are free, write operations require a PIN via macOS popup. The agent never sees the write token.

Audit and apply

The read token lives in $CLOUDFLARE_API_TOKEN and the agent uses it freely. The write token is encrypted on disk and is decrypted only when a human enters a PIN at a macOS popup; the agent never sees the write credential.

1. Agent audits the zone — surfaces real issues

agent · cloudflare
$ clawdflare audit example.com
clawdflare   reading zone example.com (read token)...
  hsts              not enabled — MITM exposure on first visit
  min-tls-version   1.0 — should be 1.2 minimum
  caa-record        missing — any CA can issue for this domain
  dns/orphaned      A api-old → 192.0.2.33 (unreachable 30d)
  ssl-mode          Full (strict)
  dnssec            active
agent        4 fixes available. Dry-run first:
$ clawdflare fix example.com        # dry-run — no writes
  would: enable HSTS · min-tls 1.2 · add CAA · remove api-old A

2. Agent requests the apply — PIN popup gates the write

agent · cloudflare (apply)
$ clawdflare fix example.com --apply
clawdflare   write token is encrypted · requesting PIN...
  ─────────────────────────────────────────────────────
  Clawdflare wants to apply 4 writes to example.com
  enable HSTS · min-tls 1.2 · add CAA · remove A api-old
  PIN: ••••
  ─────────────────────────────────────────────────────
  human enters PIN · write token decrypted
  applied      HSTS · min-tls 1.2 · CAA · removed api-old
agent        audit re-run — 6 green, 0 findings. Done.

The agent drives every step: the read, the dry-run, the fix request, the re-audit. The one thing it cannot do is apply writes without a human at the keyboard, and because the popup lists the exact changes, the PIN authorizes that change set rather than a blanket grant. The division of labor is deliberate: agents see everything, humans authorize the things with blast radius.
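The flow above, as an added Python example that is not clawdflare's own code: the audit is a pure function over a zone snapshot fetched with the read token and returns a plan (the dry-run), and the apply step is the only code path that opens the write token. The zone snapshot shape, the check names, prompt_pin (standing in for the macOS popup) and write (standing in for the Cloudflare API call) are all assumptions. The token is sealed with a stdlib-only encrypt-then-MAC construction (scrypt key derivation, HMAC-SHA256 counter-mode keystream, HMAC tag) so the snippet runs anywhere; a real deployment should use AES-GCM from the cryptography package instead.

```python
"""Added example of the read/write split; not clawdflare's own code.
Assumed: zone snapshot shape, check names, prompt_pin (stands in for the
macOS popup) and write (stands in for the Cloudflare API call). The token is
sealed with a stdlib-only encrypt-then-MAC so this runs anywhere; use AES-GCM
from the `cryptography` package for real storage."""
import hashlib
import hmac
import secrets
from typing import Callable

# ---- write token at rest: sealed under a PIN, opened only on demand ----

def _keys(pin: str, salt: bytes) -> tuple[bytes, bytes]:
    # scrypt makes offline PIN guessing expensive; split into enc and mac keys
    km = hashlib.scrypt(pin.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return km[:32], km[32:]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal_write_token(token: str, pin: str) -> bytes:
    """What a setup-token step would store on disk: salt | nonce | ciphertext | tag."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _keys(pin, salt)
    pt = token.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def open_write_token(blob: bytes, pin: str) -> str:
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(pin, salt)
    expect = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):  # wrong PIN or tampered blob
        raise PermissionError("PIN rejected")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()

# ---- audit: pure function over a snapshot fetched with the read token ----

def audit(zone: dict) -> list[dict]:
    """Return the planned writes (the dry-run output); an empty list means clean."""
    plan = []
    if not zone["hsts_enabled"]:
        plan.append({"op": "enable_hsts", "why": "MITM exposure on first visit"})
    if zone["min_tls_version"] < "1.2":  # string order is fine for "1.0" .. "1.3"
        plan.append({"op": "set_min_tls", "value": "1.2", "why": "below 1.2"})
    if not any(r["type"] == "CAA" for r in zone["records"]):
        plan.append({"op": "add_caa", "why": "any CA can issue for this domain"})
    for r in zone["records"]:
        if r["type"] == "A" and r.get("unreachable_days", 0) >= 30:
            plan.append({"op": "delete_record", "name": r["name"], "why": "orphaned A"})
    return plan

# ---- apply: the only path that touches the write token ----

def apply_plan(plan: list[dict], zone_name: str, sealed: bytes,
               prompt_pin: Callable[[str], str],
               write: Callable[[str, dict], None]) -> list[str]:
    """prompt_pin receives the exact change list, so the human approves these
    writes and not a blanket grant. The decrypted token goes only to write()
    and is never returned to the caller, i.e. to the agent."""
    if not plan:
        return []
    summary = f"apply {len(plan)} writes to {zone_name}: " + " · ".join(c["op"] for c in plan)
    token = open_write_token(sealed, prompt_pin(summary))  # raises on a wrong PIN
    applied = []
    for change in plan:
        write(token, change)
        applied.append(change["op"])
    return applied  # op names only; the token never leaves this function

# constructed sample zone modelled on the page's transcript (not Cloudflare's API shape)
SAMPLE_ZONE = {
    "name": "example.com",
    "hsts_enabled": False,
    "min_tls_version": "1.0",
    "records": [
        {"type": "A", "name": "api-old", "content": "192.0.2.33", "unreachable_days": 30},
        {"type": "A", "name": "www", "content": "192.0.2.10", "unreachable_days": 0},
    ],
}

def demo(pin_entered: str = "1234") -> list[str]:
    sealed = seal_write_token("cf-write-token-placeholder", "1234")  # setup-token step
    plan = audit(SAMPLE_ZONE)                                        # dry-run, no writes
    return apply_plan(plan, SAMPLE_ZONE["name"], sealed,
                      prompt_pin=lambda summary: pin_entered,        # human at the popup
                      write=lambda token, change: None)              # stand-in API call
```

Note that in a real MCP server the popup and the decryption both happen inside the server process; the model only ever receives the list of applied ops, which is why a wrong PIN surfaces as a refused call rather than as anything the agent could retry with a credential of its own.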

Install

pip install clawdflare
export CLOUDFLARE_API_TOKEN="your-read-only-token"
clawdflare setup-token  # encrypt write token with PIN

Usage

# CLI
clawdflare zones                     # list all zones
clawdflare audit example.com         # audit against best practices
clawdflare fix example.com           # dry-run: show what would change
clawdflare fix example.com --apply   # apply fixes (PIN required)
clawdflare dns-records example.com   # list DNS records
clawdflare ssl-status example.com    # SSL/TLS summary

# MCP — add to Claude Code
clawdflare serve

Read operations use CLOUDFLARE_API_TOKEN from the environment. Create that token with read-only permissions (for example Zone Settings:Read and DNS:Read): the agent calls it unsupervised, and the read/write split only holds if Cloudflare itself refuses writes with it, since clawdflare cannot narrow a token's scope after the fact. Write operations decrypt a separate token behind a macOS PIN popup, and the agent never sees that credential.