Fliiq gives an LLM agent access to your filesystem, email, SMS, Telegram, and shell commands. That power is the point — but it comes with real risks.

What Fliiq protects

  • The agent cannot read or write ~/.fliiq/.env, ~/.fliiq/google_tokens.json, ~/.fliiq/daemon.secret, or anything in ~/.ssh/, ~/.aws/, ~/.gnupg/. This prevents prompt injection attacks from exfiltrating secrets.
  • All inbound external content (Telegram messages, emails, SMS, webhook payloads) is wrapped in <external_message> tags, and a system prompt instruction tells the agent never to follow instructions from external sources.
  • TELEGRAM_ALLOWED_CHAT_IDS is required when a bot token is set. Unauthorized users get a hardcoded rejection reply: no LLM call, no tool access.
  • All /api/* routes require a Bearer token (auto-generated at ~/.fliiq/daemon.secret). This prevents local CSRF and rogue processes from triggering agent execution.
  • The deps skill validates package names against a regex and uses subprocess_exec (no shell) to prevent command injection.
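The protected-path rule above only holds if the check canonicalizes paths before comparing them, since a relative path such as ~/.fliiq/../.ssh/id_rsa or a symlink inside the project pointing at ~/.aws/ names the same file. The following is an added illustration of such a guard; it is hypothetical example code, not Fliiq's implementation, and `is_protected`, `demo` and the constructed deny-list are assumptions mirroring the paths listed in the text.

```python
from pathlib import Path

# Constructed deny-list mirroring the paths named in the text (hypothetical).
PROTECTED_FILES = [
    "~/.fliiq/.env",
    "~/.fliiq/google_tokens.json",
    "~/.fliiq/daemon.secret",
]
PROTECTED_DIRS = ["~/.ssh", "~/.aws", "~/.gnupg"]


def _resolve(p: str, home: Path) -> Path:
    # Expand "~" against the supplied home (so the guard is testable without
    # touching the real home directory), then collapse ".." and follow symlinks.
    if p.startswith("~/"):
        p = str(home / p[2:])
    return Path(p).resolve()


def is_protected(path: str, home: Path = Path.home()) -> bool:
    """Return True if `path` must not be read or written by the agent."""
    target = _resolve(path, home)
    if any(target == _resolve(f, home) for f in PROTECTED_FILES):
        return True
    for d in PROTECTED_DIRS:
        base = _resolve(d, home)
        # Covers the directory itself and anything beneath it, after symlink
        # resolution, so a link from the project into ~/.aws is still denied.
        if target == base or target.is_relative_to(base):
            return True
    return False


def demo() -> dict:
    """Exercise the guard in a throwaway home dir; returns path -> decision."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".aws").mkdir()
        (home / ".fliiq").mkdir()
        (home / "project").mkdir()
        # Constructed edge case: a symlink in the project pointing at ~/.aws.
        (home / "project" / "creds").symlink_to(home / ".aws")
        return {
            "~/.fliiq/daemon.secret": is_protected("~/.fliiq/daemon.secret", home),
            "~/.fliiq/../.ssh/id_rsa": is_protected("~/.fliiq/../.ssh/id_rsa", home),
            "~/project/creds/credentials": is_protected("~/project/creds/credentials", home),
            "~/project/main.py": is_protected("~/project/main.py", home),
            "~/.fliiq/user.yaml": is_protected("~/.fliiq/user.yaml", home),
        }
```

Note that ~/.fliiq/user.yaml is correctly left writable, which is exactly the self-corruption limitation described in the next section.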

What Fliiq does NOT protect

These are known limitations, not bugs. Understanding them helps you use Fliiq safely.
  • Your project files — The agent has full read/write access to your working directory. This is by design (it needs to edit your code), but a prompt injection attack could modify or delete project files.
  • Self-corruption — Fliiq can overwrite its own local configuration (~/.fliiq/jobs/, ~/.fliiq/user.yaml, skill files, etc.). If the agent corrupts its local state, reset with:
    rm -rf ~/.fliiq && fliiq init
    
    This is safe — core package code lives in site-packages/ (read-only via pip install). Only local config and job definitions are lost.
  • System prompt extraction — An attacker with access to the agent can extract the system prompt. This is a soft defense only (LLMs can be jailbroken).
  • Audit log contents — Audit logs in ~/.fliiq/audit/ may contain sensitive conversation data. See the Audit Trails guide for details on what is and isn’t captured.

Best practices

1. Use supervised mode for untrusted tasks

   fliiq run "..." --mode supervised requires your approval before each tool call. Use this when running prompts you didn’t write or when working with sensitive data.

2. Review scheduled jobs

   Jobs run autonomously in the daemon. Audit ~/.fliiq/jobs/ to know what’s running and what each job has access to.

3. Don't put secrets in prompts

   The agent resolves credentials from env vars and OAuth tokens automatically. Never include passwords in job prompts or Telegram messages.

4. Back up your project

   Use git. The agent writes files. Commits give you rollback if something goes wrong.

5. Rotate the daemon secret after exposure

   Delete ~/.fliiq/daemon.secret and restart the daemon to regenerate it.