// SCAN REPORT

cPanel MCP Server

164 tools. 102 can modify or destroy data without limits.

28 destructive tools with no built-in limits. Policy required.

Last updated:

102 can modify or destroy data
62 read-only
164 tools total

Community server · catalogue entry verified 12/06/2026

How to control cPanel MCP Server ↓

TOOL MAP

What cPanel MCP Server exposes to your agents

Read (62) Write / Execute (74) Destructive / Financial (28)

Running more than one server? Check your whole stack →

MOST DANGEROUS TOOLS
Critical Risk

The most dangerous cPanel MCP Server tools

Destructive · High clear_spam_box This tool permanently removes data (spam messages) in bulk with no stated recovery mechanism. Destructive · High deauthorize_ssh_key Revoking an SSH key permanently removes access credentials, which is an irreversible action that cannot be undone without re-authorizing the key. Destructive · High delete_addon_domain Deleting an addon domain is an irreversible destructive action that removes domain configuration from the hosting account. Destructive · High delete_autoresponder This tool permanently removes an autoresponder configuration, which cannot be undone without recreating it manually.

102 of cPanel MCP Server's 164 tools can modify, destroy, or commit something on every call — and an agent calls them with no built-in limits.

POLICY

How to control cPanel MCP Server

PolicyLayer is an MCP gateway — it sits between your AI agents and cPanel MCP Server, and nothing reaches the server without passing your rules. These are the rules we recommend:

Deny destructive operations
{
  "clear_spam_box": {
    "deny_if": [
      {
        "conditions": [],
        "on_deny": "Blocked by default. Requires approval."
      }
    ]
  }
}

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations
{
  "add_directory_user": {
    "limits": [
      {
        "counter": "add_directory_user_per_hour",
        "window": "hour",
        "max": 30,
        "scope": "grant"
      }
    ]
  }
}

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
{
  "check_feature": {
    "limits": [
      {
        "counter": "check_feature_per_minute",
        "window": "minute",
        "max": 60,
        "scope": "grant"
      }
    ]
  }
}

Controls API costs and prevents retry loops from exhausting upstream rate limits.

  1. Create a free account and register cPanel MCP Server — nothing to install.
  2. Add these rules — paste them, or build them visually. Tune the limits to your setup.
  3. Point your MCP client (Claude, Cursor, anything) at your gateway URL.
ENFORCE POLICY ON CPANEL →

Free to start. No card required.

FULL CATALOGUE

All 164 cPanel MCP Server tools

DESTRUCTIVE 28 tools
Destructive clear_spam_box Clear all messages from the SpamAssassin spam box Destructive deauthorize_ssh_key Deauthorize an SSH key (revoke login access) Destructive delete_addon_domain Delete an addon domain Destructive delete_autoresponder Delete an email autoresponder Destructive delete_cron_job Delete a cron job Destructive delete_dns_record Delete a DNS zone record by line number Destructive delete_email_account Delete an email account Destructive delete_email_filter Delete an email filter Destructive delete_email_forwarder Delete an email forwarder Destructive delete_file Delete a file or directory Destructive delete_ftp_account Delete an FTP account Destructive delete_git_repo Delete a Git repository from cPanel Destructive delete_mysql_database Delete a MySQL database Destructive delete_mysql_user Delete a MySQL database user Destructive delete_parked_domain Remove a parked/aliased domain Destructive delete_postgresql_database Delete a PostgreSQL database Destructive delete_postgresql_user Delete a PostgreSQL user Destructive delete_redirect Delete a URL redirect Destructive delete_ssh_key Delete an SSH key Destructive delete_ssl_certificate Delete/uninstall an SSL certificate from a domain Destructive delete_subdomain Delete a subdomain Destructive remove_2fa Remove/disable two-factor authentication from the account Destructive revoke_api_token Revoke/delete an API token Destructive revoke_mysql_privileges Revoke all privileges for a MySQL user on a database Destructive revoke_postgresql_privileges Revoke a PostgreSQL user Destructive unregister_passenger_app Unregister/remove a Node.js, Python, or Ruby application Destructive disinfect_files Quarantine/disinfect files detected as infected Destructive kill_ftp_session Terminate an active FTP session
EXECUTE 10 tools
Execute deploy_git_repo Deploy a Git repository (trigger deployment via .cpanel.yml) Execute start_virus_scan Start a ClamAV virus scan on a directory (requires ClamAV plugin on server) Execute trigger_autossl Trigger an AutoSSL check/renewal for the account Execute disable_modsecurity Disable ModSecurity (WAF) for all domains Execute disable_modsecurity_domain Disable ModSecurity for specific domains Execute disable_passenger_app Disable/stop a registered application Execute enable_passenger_app Enable/start a registered application Execute ensure_passenger_deps Install/update dependencies for a registered application (npm install, pip install, etc.) Execute trace_email_filter Test email filters against a message to see which rules match Execute update_git_repo Pull/update a Git repository
WRITE 64 tools
Write add_directory_user Add a user to a password-protected directory Write add_dns_record Add a DNS zone record (A, AAAA, CNAME, MX, TXT, SRV, CAA) Write authorize_ssh_key Authorize an SSH key for login Write block_ip Block an IP address or range Write change_email_password Change password for an email account Write change_email_quota Change mailbox quota for an email account Write change_ftp_password Change an FTP account password Write change_ftp_quota Change an FTP account Write create_addon_domain Create a new addon domain Write create_api_token Create a new cPanel API token with full access Write create_autoresponder Create an email autoresponder Write create_cron_job Create a new cron job Write create_database_backup Create a backup of a specific MySQL database Write create_email_account Create a new email account Write create_email_backup Create a backup of email configurations and data Write create_email_forwarder Create an email forwarder Write create_file Create a new file with specified content Write create_ftp_account Create a new FTP account Write create_full_backup Create a full account backup Write create_git_repo Create a new Git repository in cPanel Write create_homedir_backup Create a backup of the home directory files Write create_mysql_database Create a new MySQL database Write create_mysql_user Create a new MySQL database user Write create_parked_domain Park/alias a domain to the main domain Write create_postgresql_database Create a new PostgreSQL database Write create_postgresql_user Create a new PostgreSQL user Write create_redirect Create a URL redirect Write create_subdomain Create a new subdomain Write disable_dkim Disable DKIM for a domain Write disable_dnssec Disable DNSSEC for a domain Write disable_greylisting Disable greylisting for all domains Write disable_hotlink_protection Disable hotlink protection Write disable_spam_assassin Disable SpamAssassin spam filtering Write disable_spam_box Disable the spam box Write edit_cron_job Edit an existing cron job Write edit_dns_record Edit an existing DNS zone record Write edit_file Update the contents of an existing file Write enable_dkim Enable DKIM (DomainKeys Identified Mail) for a domain Write enable_dnssec Enable DNSSEC for a domain Write enable_greylisting Enable greylisting for all domains (delays first-time senders to block spam) Write enable_hotlink_protection Enable hotlink protection Write enable_modsecurity Enable ModSecurity (WAF) for all domains Write enable_modsecurity_domain Enable ModSecurity for specific domains Write enable_spam_assassin Enable SpamAssassin spam filtering for the account Write enable_spam_box Enable the spam box (auto-deliver spam to a separate folder) Write ensure_dkim_keys Ensure DKIM keys exist for all domains (generates missing keys) Write generate_2fa_config Generate a new two-factor authentication secret (returns QR code data) Write generate_ssl_csr Generate a Certificate Signing Request (CSR) Write import_ssh_key Import an SSH public or private key Write install_spf_records Install/update SPF records for all domains Write install_ssl_certificate Install an SSL certificate for a domain Write register_passenger_app Register a new Node.js, Python, or Ruby application Write rename_api_token Rename an existing API token Write restore_database_backup Restore a MySQL database from a backup file Write restore_file_backup Restore a file from a backup Write set_2fa Enable two-factor authentication with a secret and verification code Write set_cron_email Set the email address for cron job notifications Write set_dnssec_nsec3 Enable NSEC3 for a DNSSEC domain (prevents zone enumeration) Write set_mysql_privileges Set privileges for a MySQL user on a database Write set_php_ini_directives Set PHP INI directives (e.g., memory_limit, upload_max_filesize) Write set_php_version_for_domain Set the PHP version for a domain Write set_postgresql_privileges Grant a PostgreSQL user access to a database Write unblock_ip Unblock a previously blocked IP address Write unset_dnssec_nsec3 Disable NSEC3 for a DNSSEC domain (revert to NSEC)
READ 62 tools
Read check_feature Check if a specific feature is enabled for the account Read get_2fa_status Check if two-factor authentication is configured for the account Read get_account_info Get general server and account information Read get_account_stats Get general account statistics (email count, db count, domains, etc.) Read get_autossl_status Check AutoSSL status and pending requests Read get_bandwidth_usage Get bandwidth usage statistics for the account Read get_cron_email Get the email address for cron job notifications Read get_disk_usage Get account disk space usage summary (quota, used, limits) Read get_dns_records Get all DNS records for a zone/domain Read get_dnssec_ds_records Fetch DS records for a DNSSEC-enabled domain (needed for registrar configuration) Read get_domain_info Get detailed information about a specific domain Read get_email_routing Get email routing configuration for all mail domains Read get_error_log Get the most recent entries from the site error log Read get_ftp_port Get the FTP server port number Read get_git_deployment_status Get the deployment status of a Git repository Read get_greylisting_status Check if greylisting is enabled for the account Read get_hotlink_protection Get current hotlink protection settings Read get_modsecurity_status Check if ModSecurity (WAF) is installed and get domain status Read get_mysql_server_info Get MySQL server information and restrictions Read get_php_ini_directives Get current PHP INI directives for the account Read get_php_version_for_domain Get the current PHP version assigned to a domain Read get_resource_usage Get current resource usage (CPU, memory, I/O, entry processes) Read get_server_info Get server information (hostname, OS, IP addresses) Read get_spam_settings Get SpamAssassin settings and score threshold Read get_ssl_status Get SSL status for all domains on the account Read get_virus_scan_status Check the status of a running virus scan Read get_visitors_stats Get visitor/access statistics for a domain Read list_addon_domains List all addon domains Read list_api_tokens List all cPanel API tokens for the account Read list_autoresponders List all email autoresponders Read list_backups List available backups on the account Read list_blocked_ips List all blocked IP addresses Read list_cron_jobs List all cron jobs on the account Read list_directory_privacy List directories with password protection configured Read list_domains List all domains on the account (main, addon, sub, parked) Read list_email_accounts List all email accounts with disk usage info Read list_email_filters List all email filters for an account Read list_email_forwarders List all email forwarders Read list_features List all features available to the cPanel account Read list_files List files and directories in a specified path Read list_ftp_accounts List all FTP accounts with disk usage Read list_ftp_sessions List active FTP sessions Read list_git_repos List all Git repositories managed by cPanel Read list_infected_files List files detected as infected by ClamAV Read list_mysql_databases List all MySQL databases on the account Read list_mysql_users List all MySQL database users Read list_parked_domains List all parked/aliased domains Read list_passenger_apps List all registered Node.js/Python/Ruby applications Read list_php_versions List all installed PHP versions available on the server Read list_postgresql_databases List all PostgreSQL databases Read list_postgresql_users List all PostgreSQL users Read list_redirects List all URL redirects Read list_ssh_keys List all SSH keys on the account Read list_ssl_certificates List all installed SSL certificates Read list_ssl_keys List all SSL private keys on the account Read list_subdomains List all subdomains Read list_wordpress_installations List all WordPress installations managed by cPanel (requires WP Toolkit or Instance Manager on server) Read read_file Read the contents of a file Read validate_dkim Validate current DKIM configuration for all domains Read validate_ptr_records Validate current PTR (reverse DNS) records Read validate_spf Validate current SPF records for all domains Read export_dnssec_key Export a DNSSEC DNSKEY record for a domain
EXPLORE

Related servers

Other MCP servers with similar tools — same risk classification, starter policies for each.

Sperax Ecosystem Crypto & DeFI MCP Server 1318 tools
adminautomation
Mcp Afip 1300 tools
adminautomation
Mcp Ap2 1300 tools
adminautomation
BNB Chain MCP 1240 tools
adminautomation
Nodebench 824 tools
adminautomation
Amazon Bedrock Knowledge Base Retrieval MCP Server 805 tools
adminautomation
Amazon Data Processing MCP Server 805 tools
adminautomation
Amazon ECS MCP Server 805 tools
adminautomation
FAQ

Questions about cPanel MCP Server

Can an AI agent delete data through the cPanel MCP Server MCP server? +

Yes. The cPanel MCP Server server exposes 28 destructive tools including clear_spam_box, deauthorize_ssh_key, delete_addon_domain. These permanently remove resources with no undo. PolicyLayer blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through cPanel MCP Server? +

The cPanel MCP Server server has 64 write tools including add_directory_user, add_dns_record, authorize_ssh_key. Set a rate limit in your policy -- for example, 10 calls per hour prevents an agent from making more than 10 modifications per hour. PolicyLayer enforces this at the gateway, before calls reach cPanel MCP Server.

How many tools does the cPanel MCP Server MCP server expose? +

164 tools across 4 categories: Destructive, Execute, Read, Write. 62 are read-only. 102 can modify, create, or delete data.

How do I enforce a policy on cPanel MCP Server? +

Register the cPanel MCP Server MCP server in PolicyLayer, apply the suggested rules above (adjust the limits to your use case), and point your AI client at the PolicyLayer proxy URL instead of the server directly. Your agents keep the same tools; PolicyLayer evaluates every call against policy before it executes. Nothing to install, live in minutes.

Enforce policy on every cPanel MCP Server tool call.

Deterministic rules across all 164 cPanel MCP Server tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

ENFORCE POLICY ON CPANEL →

Free to start. No card required.

164 cPanel MCP Server tools catalogued and risk-classified — across an index of 43,000+ MCP servers.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.