SAFETY / LOCAL BOUNDARY

Know what runs, where it runs, and how to stop it.

DreamSkin Studio supplies original theme assets and a reviewable prompt. The pinned upstream project supplies the macOS engine. You remain in control of every local command.

VERIFIED FIELD GUIDE
macOS · arm64 · build 5307
Reviewed against the pinned upstream build
2026-07-16

Important security fact

CDP is powerful, even on loopback.

The upstream injector binds Chrome DevTools Protocol to 127.0.0.1 only, but that local endpoint is unauthenticated. Restore the native app when you no longer need the theme.

01

How the upstream engine works

At the pinned commit, the macOS workflow validates the official app and injects only into expected local renderer targets.

Validates app identity

It checks the bundle, signature, Team ID, architecture, and Codex-bundled Node before proceeding.

Uses local loopback

Codex is started through user launchd with CDP bound to 127.0.0.1, not a public network interface.

Targets expected renderers

Injection is limited to expected app:// renderer targets and persists across route changes while the injector is active.

Does not patch the signed app

The upstream README states that it does not modify Codex.app, app.asar, or the official code signature.

02

Local files and state

Review these locations before approval so you can distinguish expected theme files from an unexpected request.

Engine
~/.codex/codex-dream-skin-studio
State, logs, user images, and backup
~/Library/Application Support/CodexDreamSkinStudio
Theme asset
Downloaded temporarily, then verified against the ThemeRecord SHA-256
03

Outside the theme boundary

Reject any installation step that expands into credentials, accounts, network providers, or unrelated system changes.

No API credentials

DreamSkin installation must not read, write, or request API keys or access tokens.

No provider configuration

It must not change a Base URL, model provider, proxy, HiAPI setting, or Codex account.

No remote shell shortcut

DreamSkin Studio does not publish curl-pipe-shell instructions or host an executable installer archive.

No hidden permission leap

Stop when a command or path differs from the reviewed upstream documentation.

04

Your four-point safety check

Pin the source, read commands, verify the asset hash, and test Restore. If one link in that chain is missing, the install is not verified.