Safety model · permissions · recovery

Is a Codex theme safe? CC Theme's package and adapter model

Understand CC Theme's local media handling, declarative theme packages, loopback CDP adapter, exact-build checks, restore path and remaining risks.

Reviewed

Theme package and adapter are different trust boundaries

The browser Studio exports a declarative .cctheme archive. It contains JSON, allowlisted local image or MP4 media, compiled target configuration and a manifest of files and hashes. It does not contain an installer, arbitrary JavaScript, raw CSS, HTML, SVG or remote media URL.

The macOS adapter is a separate release artifact. It contains the fixed, reviewable code that connects to the target desktop client over a local loopback CDP session. That adapter has more capability than a theme package and should be evaluated as software.

  • Inspect the release source and checksum before installing
  • Match the exact Codex or WorkBuddy build
  • Never treat a theme archive as executable code
  • Stop and restore when a target is unknown or the client changes

What stays on the device

Theme images, videos and drafts are processed by the current Studio in the browser. Package export happens on the device, and the product workflow does not upload those media files to CC Theme servers.

This is narrower than saying that a public website processes no data at all: hosting infrastructure can still receive ordinary request metadata when a page is visited. CC Theme's privacy claim is specifically about theme media, drafts, accounts and cloud theme storage.

  • No account is required for the current Studio
  • No server-side theme-media upload
  • No remote URL is accepted inside a theme package
  • Local browser storage can be cleared by the user

Why loopback CDP still deserves care

CDP is a powerful debugging interface. Binding it to 127.0.0.1 limits network reach, but other untrusted software running on the same Mac may still be able to interact with an active debugging endpoint. Loopback is a boundary, not a security certificate.

Use the adapter only for the documented target, close or pause it when finished, and do not run unknown local programs during the session. CC Theme does not modify app.asar or the signed application bundle, but a client update can still change the surfaces the adapter expects.

  • Local-only does not mean risk-free
  • Exact-build validation reduces accidental mismatch
  • Unknown builds fail closed
  • Restore returns CC Theme appearance and connection state, not deleted product data

How to verify a download

Download from the linked GitHub Release, compare the artifact name with the intended client, and verify the published SHA-256 checksum. A matching hash shows that the file matches the published artifact; it does not by itself prove authorship, code signing or absence of every defect.

An antivirus warning can be a heuristic false positive or a real concern. Do not disable protection blindly. Check the source, release notes, checksum and issue tracker; if the evidence is unclear, do not run the file.

  • Confirm Codex versus WorkBuddy
  • Confirm macOS and the exact client version
  • Verify SHA-256 against the release checksum
  • Keep the documented restore workflow before applying

Codex theme safety FAQ

Does CC Theme modify app.asar or the signed app bundle?

No. The current macOS adapters connect to a separately launched client over loopback CDP and do not patch app.asar or the signed application bundle.

Can a .cctheme theme execute JavaScript or CSS?

No. Theme archives reject scripts, raw CSS, HTML, SVG, remote URLs, traversal paths and unlisted files. The separate adapter contains fixed implementation code.

Is local CDP completely safe?

No tool with a powerful debugging interface is risk-free. Loopback limits network exposure, but untrusted local software may still be dangerous while the endpoint is active.

What does SHA-256 verification prove?

It proves file integrity against the published checksum. It is not the same as code signing, author identity verification or an independent security audit.

What should I do after a Codex update?

Check the compatibility matrix again. Do not assume an adapter verified for an earlier build remains compatible; restore the native appearance when the new build is pending.

Will restore recover deleted chats or removed Codex features?

No. Restore removes CC Theme appearance and connection state. It cannot recover product data or functionality removed by the official client.

Primary references

This page documents a threat model and product boundary; it is not a claim of independent security certification.