Inspecting Profiles
Before you trust a community profile, inspect it. This lets you see tools and dotfiles before anything touches your system.
CLI usage
sh
dpm inspect <github-url | search-number> [dotfile]
# short alias
dpm -x <github-url | search-number> [dotfile]
Arguments
github-urlis the full URL of the community profile repository, or a number from a previousdpm search --communityresult.dotfileis optional. Use it to preview one specific dotfile.
What inspect shows
Running dpm inspect fetches the profile.yaml from the remote repository and displays:
- Profile metadata like ID, name, description, and version.
- The full tool list, and whether each tool is in your local catalog.
- Dotfile names listed in the profile.
sh
dpm -x https://github.com/user/pentest-kit
Community profile: user/pentest-kit
Tools (3):
nmap ✓ in catalog
binwalk ✓ in catalog
unknown-tool ✗ not in local catalog (will be skipped)
Dotfiles (1):
.tmux.conf
Previewing a dotfile
Pass a dotfile name as a second argument to see its contents before applying:
sh
dpm -x https://github.com/user/pentest-kit .bashrc
# first 200 bytes of .bashrc shown
TUI: dotfiles import inspect
In the TUI, inspection happens as part of the dotfiles import flow. When you press A in the Dotfiles tab and paste a repository URL, DPM scans the repo and presents all detected configurations in Phase 2 before anything is applied. You can review, select, or cancel before committing.
A dedicated standalone inspect screen for community profiles does not exist in the TUI. Use
dpm -x <url> from the CLI before you install any tools from that profile.
Why inspect before applying
Community profiles are not vetted by the DPM project. Inspecting lets you confirm:
- Tool IDs are valid and expected.
- Dotfiles are safe and do not contain harmful commands.
- The profile actually matches what you want to install.
Read every dotfile before install. Dotfiles can run shell commands and change startup behavior.