> ## Documentation Index
> Fetch the complete documentation index at: https://docs.fliiq.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> What Fliiq protects, what it doesn't, and best practices for safe usage.

Fliiq gives an LLM agent access to your filesystem, email, SMS, Telegram, and shell commands. That power is the point — but it comes with real risks.

## What Fliiq protects

<AccordionGroup>
  <Accordion title="Credential file deny list">
    The agent cannot read or write `~/.fliiq/.env`, `~/.fliiq/google_tokens.json`, `~/.fliiq/daemon.secret`, or anything in `~/.ssh/`, `~/.aws/`, `~/.gnupg/`. This prevents prompt injection attacks from exfiltrating secrets.
  </Accordion>

  <Accordion title="Prompt injection defense">
    All inbound external content (Telegram messages, emails, SMS, webhook payloads) is wrapped in `<external_message>` tags with a system prompt instruction telling the agent to never follow instructions from external sources.
  </Accordion>

  <Accordion title="Telegram allowlist">
    `TELEGRAM_ALLOWED_CHAT_IDS` is required when a bot token is set. Unauthorized users get a hardcoded rejection reply — no LLM call, no tool access.
  </Accordion>

  <Accordion title="Daemon API authentication">
    All `/api/*` routes require a Bearer token (auto-generated at `~/.fliiq/daemon.secret`). Prevents local CSRF and rogue processes from triggering agent execution.
  </Accordion>

  <Accordion title="Package install validation">
    The `deps` skill validates package names against a regex and uses `subprocess_exec` (no shell) to prevent command injection.
  </Accordion>

  <Accordion title="Shell command guard">
    A layered guard runs in front of all shell execution (`shell`, `deps`, `dev_server`). A hardline blocklist unconditionally rejects catastrophically destructive commands — `rm -rf /`, `mkfs`, `dd of=/dev/...`, fork bombs, and shutdown commands. A sensitive-path write gate blocks attempts to write to `~/.ssh`, `~/.aws`, `~/.gnupg`, shell rc files, and other credential paths via any write verb (`>`, `tee`, `cp`, `mv`, `sed -i`, etc.). Command normalization strips ANSI escapes, Unicode variants, and backslash tricks to resist obfuscation. Blocked commands return an explicit error with exit code 126.
  </Accordion>

  <Accordion title="Memory threat-scan">
    Memory entries, lesson files, and auto-extracted entity facts are scanned for prompt injection patterns when loaded into the system prompt. Any flagged entry is replaced with a `[BLOCKED: possible injection]` placeholder and logged. This prevents a crafted inbound Telegram or email message from being distilled into a memory fact that persists injection instructions into every future session. The same scan runs at write time (dropping flagged candidates before they're saved) and on `memory_edit` (rolling back if the new content is flagged).
  </Accordion>
</AccordionGroup>

## What Fliiq does NOT protect

<Warning>
  These are known limitations, not bugs. Understanding them helps you use Fliiq safely.
</Warning>

* **Your project files** — The agent has full read/write access to your working directory. This is by design (it needs to edit your code), but a prompt injection attack could modify or delete project files.
* **Self-corruption** — Fliiq can overwrite its own local configuration (`~/.fliiq/jobs/`, `~/.fliiq/user.yaml`, skill files, etc.). If the agent corrupts its local state, reset with:
  ```bash theme={null}
  rm -rf ~/.fliiq && fliiq init
  ```
  This is safe — core package code lives in `site-packages/` (read-only via pip install). Only local config and job definitions are lost.
* **System prompt extraction** — An attacker with access to the agent can extract the system prompt. This is a soft defense only (LLMs can be jailbroken).
* **Audit log contents** — [Audit logs](/guides/audit) in `~/.fliiq/audit/` may contain sensitive conversation data. See the [Audit Trails guide](/guides/audit#privacy-design) for details on what is and isn't captured.

## Best practices

<Steps>
  <Step title="Use supervised mode for untrusted tasks">
    `fliiq run "..." --mode supervised` requires your approval before each tool call. Use this when running prompts you didn't write or when working with sensitive data.
  </Step>

  <Step title="Review scheduled jobs">
    Jobs run autonomously in the daemon. Audit `~/.fliiq/jobs/` to know what's running and what each job has access to.
  </Step>

  <Step title="Don't put secrets in prompts">
    The agent resolves credentials from env vars and OAuth tokens automatically. Never include passwords in job prompts or Telegram messages.
  </Step>

  <Step title="Back up your project">
    Use git. The agent writes files. Commits give you rollback if something goes wrong.
  </Step>

  <Step title="Rotate daemon secret after exposure">
    Delete `~/.fliiq/daemon.secret` and restart the daemon to regenerate.
  </Step>
</Steps>
