Important security fact
CDP is powerful, even on loopback.
The upstream injector binds Chrome DevTools Protocol to 127.0.0.1 only, but that local endpoint is unauthenticated. Restore the native app when you no longer need the theme.
How the upstream engine works
At the pinned commit, the macOS workflow validates the official app and injects only into expected local renderer targets.
Validates app identity
It checks the bundle, signature, Team ID, architecture, and Codex-bundled Node before proceeding.
Uses local loopback
Codex is started through user launchd with CDP bound to 127.0.0.1, not a public network interface.
Targets expected renderers
Injection is limited to expected app:// renderer targets and persists across route changes while the injector is active.
Does not patch the signed app
The upstream README states that it does not modify Codex.app, app.asar, or the official code signature.
Local files and state
Review these locations before approval so you can distinguish expected theme files from an unexpected request.
- Engine
- ~/.codex/codex-dream-skin-studio
- State, logs, user images, and backup
- ~/Library/Application Support/CodexDreamSkinStudio
- Theme asset
- Downloaded temporarily, then verified against the ThemeRecord SHA-256
Outside the theme boundary
Reject any installation step that expands into credentials, accounts, network providers, or unrelated system changes.
No API credentials
DreamSkin installation must not read, write, or request API keys or access tokens.
No provider configuration
It must not change a Base URL, model provider, proxy, HiAPI setting, or Codex account.
No remote shell shortcut
DreamSkin Studio does not publish curl-pipe-shell instructions or host an executable installer archive.
No hidden permission leap
Stop when a command or path differs from the reviewed upstream documentation.
Your four-point safety check
Pin the source, read commands, verify the asset hash, and test Restore. If one link in that chain is missing, the install is not verified.