# Unsafe Or Untrusted Code Inspection

Recommended profile: `workspace-core`

Smoke target:

```bash
make smoke-untrusted-inspection
```

Use this flow when the agent needs to inspect suspicious code or an unfamiliar
repo without granting more capabilities than necessary.

Chat-host recipe:

1. Create one workspace from the suspicious repo seed.
2. Inspect the tree with structured file listing and file reads.
3. Run the smallest possible command that produces the inspection report.
4. Export only the report the agent chose to materialize.
5. Delete the workspace when inspection is complete.

This recipe stays offline-by-default, uses only explicit file reads and execs,
and exports only the inspection report the agent chose to materialize.