[This is Windows only, since I don't have access to a Mac] FLfile is the file API extension introduced to JSAPI with Flash MX 2004 7.2. You can read more about JSFL File API here, a great article to get you started with File API by Guy Watson.
JSAPI is authoring time only, still Mario Klingemann posted about some possible dangers at his blog. Extensibility of Macromedia products has not been exploited yet, nevertheless the conclusion is that you should know and trust the source of any FLA or MXP…
It’s not always bad intentions that cause damage, a bug in a JSFL file which uses the FLfile.remove command to delete files might prove a disaster. I remember about the guy who deleted all the files in his C: drive by just using FrontPage (back in 98 maybe). As far as I remember, he defined his site at root of his C: drive and when he wanted to remove his site, FrontPage deleted all the files there!
And most of the time, in any API, there are some undocumented functions you don’t know of. In a cross platform API, the reason may be that those functions do not work the same in, or apply at all to, all platforms.
Does FLfile have any? Sure, 3 of them. [On Windows] FLfile.getPlatform() will return platform ID string like “win32″. FLfile.getSystemTempFolder() will return the path to the system temporary folder (not in URI format). FLfile.runCommandLine(param) seems the most useful of all but also the dangerous one. It runs the string parameter you supply on the command line. Does not expect URIs, normal paths are used again, and displays an ugly console window, but you can even run documents with it, actually you can run anything you can normally run using the commandline, as the functions name suggests.
It’s not really a big issue, but if you are paranoid, you can rename the FLfile.dll and use the API with the new name yourself only, this will block any third party extension trying to use FLfile. And if you give it a short name, you can save from some typing too.
It may be possible to write a ‘proxy’ dll named FLfile, that passes the requests to the real FLfile, but does not allow any undocumented function calls and display a confirmation dialog every time remove function is called. This may also come handy when debugging extensions, if it has some debug trace functionality. If I find some free time, I might try doing that.