Does Avast provide details on what it’s picking up?
I’ve seen some instances where software that’s supposed to “protect” you from visiting harmful sites report false-positives such as when making an HTTPS request on a domain that doesn’t have a valid, working SSL certificate installed.
If you’ve not installed an SSL certificate on cPanel to cover your hostname and links, that may be one flag since, IIRC, cPanel enforces SSL, whether you have a valid certificate or not.
You can do a lookup on your Droplet IP also to see if it’s potentially in one of the well-known lists that many pieces of software use. Simply enter your Droplet IP in the input box on the page below, click submit and let it run.