diff --git a/src/operators/inspect_file.cc b/src/operators/inspect_file.cc
index 28c9c072a..063e6bd14 100644
--- a/src/operators/inspect_file.cc
+++ b/src/operators/inspect_file.cc
@@ -63,6 +63,12 @@ bool InspectFile::evaluate(Transaction *transaction, const std::string &str) {
 std::string res;
 std::string openstr;
+ // SECURITY HARDENING NOTE:
+ // popen() executes via shell with concatenated arguments.
+ // Current inputs are engine-controlled, but replacing this
+ // with argv-based exec/spawn would remove shell parsing risk.
+
+
 openstr.append(m_param);
 openstr.append(" ");
 openstr.append(str);