A managed-hosting account is one of the more sensitive things a business owns. It holds the sites, the databases, the DNS, the backups, and the billing. Cloudways has just handed most of it to AI agents. Its Model Context Protocol (MCP) server, the piece that lets AI agents operate software on your behalf, is now at v1.2.112 and exposes 244 tools, 112 of them new, covering malware scanning, staging, billing, team management, and background jobs. An agent in Claude, Cursor, or Windsurf can restart a service, deploy code, run a security scan, or issue an invoice by chat, without anyone opening the dashboard. Cloudways is not alone, and the more telling part is what it did about the risk: it replaced blanket API keys with role-based, scoped tokens. In a category where most implementations have no such control, that is the real news.

What Cloudways Shipped

The release is substantial, not incremental. v1.2.112 roughly doubles the tool count to 244 and adds nine capability areas the agent could not previously reach, including anti-malware and WAF controls, SSL and IP whitelisting, staging synchronization, client billing, and queue monitoring. The change underneath matters more than the tool count. Cloudways swapped single API keys for tokens with three permission levels: READ for monitoring, LIMITED SCOPE for specific endpoints, and FULL ACCESS for complete control. In the company’s words, “instead of one key with blanket access, you generate a token scoped to exactly what you want.” Cloudways is owned by DigitalOcean, which shipped its own MCP server in 2025.

A Whole Category, Not One Vendor

This is a wave, not a single product. DigitalOcean’s official MCP server has been in production since August 2025, letting an agent deploy an app, create a Postgres database, or check billing, with a --services flag to restrict what it can reach. Community projects already wrap other control panels: one cPanel MCP server exposes 164 tools across DNS, email, databases, SSL, and backups. The through line is a shift from provisioning to administration. The first agent-hosting tools spun up a server or registered a domain; this generation runs the whole account. For agencies managing dozens or hundreds of client sites, that is both the appeal and the exposure.

Why Role-Based Tokens Matter Here

Scoped access is the headline because MCP security is immature, and the research is blunt about it. The security firm BlueRock scanned more than 10,000 public MCP servers and found 9.2 percent carrying critical vulnerabilities and 43 percent with command-injection flaws, the kind that let an outsider run their own commands on the server. In a proof of concept against Microsoft’s MarkItDown MCP server, its researchers used a server-side request forgery bug, which tricks a server into fetching data it should not, to pull the AWS account’s access keys straight from the cloud instance’s metadata endpoint, enough, depending on the attached permissions, to reach the wider AWS account. Authentication is a known weak spot too: many MCP servers ship with static keys or none, and the protocol does not require an agent to prove who it is.

Against that backdrop, minting a token scoped to a single task is precisely the mitigation security teams recommend, because it shrinks the blast radius if the token leaks. Cloudways’ READ, LIMITED, and FULL levels, and DigitalOcean’s --services flag and its note that “a layer of human oversight helps to ensure that critical decisions aren’t left entirely to automation,” are early moves in the right direction rather than a finished answer.

What It Means for Agencies and Hosts

For an agency, the calculus is speed against blast radius. An agent that can scan for malware and push a fix across a fleet of client sites by chat is a genuine efficiency gain. The same agent holding a FULL ACCESS token, or talking to a vulnerable MCP server, is a single point of failure across every one of those client environments. The practical asks are the ones this release starts to answer: scoped, role-based tokens instead of one master key; audit logging of what the agent did; a registered identity for the agent so it is not invisible to security tooling; and human sign-off on destructive or billing actions.

Two cautions belong on all of it. The safeguards described here are the vendors’ own account of their design, not an independent audit. And MCP as a protocol is young, so the sensible posture is least privilege by default: give the agent the narrowest token that does the job, and widen it only when you must. The hosting control panel is becoming something an AI agent operates. The question every buyer should ask is not whether that is convenient, but how tightly the key is cut.