Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.fliiq.ai/llms.txt

Use this file to discover all available pages before exploring further.

Fliiq gives an LLM agent access to your filesystem, email, SMS, Telegram, and shell commands. That power is the point — but it comes with real risks.

What Fliiq protects

The agent cannot read or write ~/.fliiq/.env, ~/.fliiq/google_tokens.json, ~/.fliiq/daemon.secret, or anything in ~/.ssh/, ~/.aws/, ~/.gnupg/. This prevents prompt injection attacks from exfiltrating secrets.
All inbound external content (Telegram messages, emails, SMS, webhook payloads) is wrapped in <external_message> tags with a system prompt instruction telling the agent to never follow instructions from external sources.
TELEGRAM_ALLOWED_CHAT_IDS is required when a bot token is set. Unauthorized users get a hardcoded rejection reply — no LLM call, no tool access.
All /api/* routes require a Bearer token (auto-generated at ~/.fliiq/daemon.secret). Prevents local CSRF and rogue processes from triggering agent execution.
The deps skill validates package names against a regex and uses subprocess_exec (no shell) to prevent command injection.

What Fliiq does NOT protect

These are known limitations, not bugs. Understanding them helps you use Fliiq safely.
  • Your project files — The agent has full read/write access to your working directory. This is by design (it needs to edit your code), but a prompt injection attack could modify or delete project files.
  • Self-corruption — Fliiq can overwrite its own local configuration (~/.fliiq/jobs/, ~/.fliiq/user.yaml, skill files, etc.). If the agent corrupts its local state, reset with: 
    rm -rf ~/.fliiq && fliiq init
    This is safe — core package code lives in site-packages/ (read-only via pip install). Only local config and job definitions are lost.
  • System prompt extraction — An attacker with access to the agent can extract the system prompt. This is a soft defense only (LLMs can be jailbroken).
  • Audit log contentsAudit logs in ~/.fliiq/audit/ may contain sensitive conversation data. See the Audit Trails guide for details on what is and isn’t captured.

Best practices

1

Use supervised mode for untrusted tasks

fliiq run "..." --mode supervised requires your approval before each tool call. Use this when running prompts you didn’t write or when working with sensitive data.
2

Review scheduled jobs

Jobs run autonomously in the daemon. Audit ~/.fliiq/jobs/ to know what’s running and what each job has access to.
3

Don't put secrets in prompts

The agent resolves credentials from env vars and OAuth tokens automatically. Never include passwords in job prompts or Telegram messages.
4

Back up your project

Use git. The agent writes files. Commits give you rollback if something goes wrong.
5

Rotate daemon secret after exposure

Delete ~/.fliiq/daemon.secret and restart the daemon to regenerate.