Ffcli
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using this skill is trusting the configured API key to retrieve meeting data from the associated Fireflies account.
The skill requires a Fireflies API key and may store it locally, which is expected for this integration but gives the CLI access to Fireflies account data.
ffcli auth <your-api-key> # Store key locally (~/.config/ffcli/) Alternatively, set the `FIREFLIES_API_KEY` environment variable
Use a dedicated or least-privilege Fireflies API key if available, keep it out of shared files, and revoke or rotate it if the machine or config is exposed.
Installing the skill means trusting the external ffcli package and its maintainer for handling your Fireflies API key and meeting data.
The skill depends on an externally maintained CLI installed from a Homebrew tap or npm package rather than bundled reviewed code.
brew install ruigomeseu/tap/ffcli # or npm install -g @ruigomeseu/ffcli **Note:** `ffcli` is a third-party CLI by @ruigomeseu
Review the npm package or Homebrew tap provenance, version history, and source before installing, as the skill itself recommends.
Meeting discussions, action items, participants, and transcript text may be shown to or processed by the agent.
The skill can bring private meeting transcripts and AI summaries into the agent context; those retrieved contents may include sensitive or prompt-like text.
Query meeting recordings, transcripts, and AI summaries from Fireflies.ai. ffcli show <id> --transcript-only --md
Ask for only the meetings and fields you need, avoid retrieving highly sensitive transcripts unnecessarily, and treat transcript content as data rather than instructions.