writing/news/2026/07
NewsJul 15, 2026·6 min read

xAI's Grok Build Caught Silently Uploading Entire Code Repositories to the Cloud

A security researcher's wire-level analysis revealed that xAI's Grok Build CLI uploaded developers' full Git repositories — including commit histories and unredacted secrets — to a Google Cloud Storage bucket without consent. xAI disabled the uploads server-side and Elon Musk promised full data deletion, but researchers question whether that deletion has actually happened.

xAI's Grok Build coding agent has been caught silently uploading developers' entire Git repositories — full commit histories, untracked files, and unredacted secrets included — to a Google Cloud Storage bucket, according to a wire-level analysis published by a security researcher known as cereblab. xAI halted the uploads server-side on July 13 and Elon Musk promised that all previously uploaded data would be "completely and utterly deleted," but the company has yet to issue a formal security advisory.

Key Highlights

  • Grok Build CLI version 0.2.93 packaged and uploaded complete repositories to the Google Cloud Storage bucket grok-code-session-traces, independent of what a coding task actually required.
  • In one documented test, the model needed roughly 192 KB of context while the storage channel uploaded 5.10 GB — about 27,800 times more data than necessary.
  • Tracked .env files went up unredacted, including planted canary API keys and database passwords. Even a file the agent was explicitly told never to read was uploaded.
  • Disabling the "Improve the model" setting did not stop the uploads: the server kept responding with trace uploads enabled, showing that data retention and model training were controlled by separate, hidden flags.
  • xAI stopped the uploads via a server-side flag on July 13 without publishing an advisory or changelog entry.

Details

The researcher intercepted network traffic from Grok Build and found two distinct channels: normal model traffic used for generating responses, and a separate storage channel that archived the user's entire repository in 73 chunks of roughly 75 MB each. The uploads happened even in zero-tool-call tests where the agent was instructed to simply reply "OK" without opening any files.

The scope went beyond project code. Some users reported that entire home directories — including SSH keys and password manager databases — were swept into the uploads. Because full Git histories were transmitted, secrets that had been committed and later deleted months earlier remained accessible in the archived data.

xAI responded through its SpaceXAI account, stating that enterprise zero-data-retention customers never had code stored and that API-key usage respected those policies. The company also shipped a /privacy command allowing individual users to disable retention and delete previously synced data. Critics noted the researcher's finding that this command acted as a per-session opt-out rather than the switch that actually stopped the uploads — that fix came from the server-side flag. "The right default is off," the researcher wrote.

Impact

Security researchers are urging every developer who used Grok Build to rotate all credentials the tool could have accessed — not just files the model read during a session, but any tracked file in the repository and any secret that ever appeared in Git history.

Doubts also remain about the promised deletion. One user who opted out via the /privacy command queried xAI's own storage API a day later and reported that all 143 archives uploaded from their machine were still present, more than 24 hours after opting out. xAI has not disclosed how many users were affected, a deletion timeline, or a way for developers to verify their data has been removed.

Background

Grok Build launched earlier this year as xAI's answer to Claude Code and OpenAI's Codex CLI, part of a wave of terminal-based AI coding agents that now sit deep inside developers' local environments. That privileged position is exactly what makes this incident significant: all hosted coding agents send some context upstream for inference, but bulk-archiving entire repositories through a separate channel goes far beyond what any coding task requires.

The episode lands amid growing scrutiny of AI developer tools' data practices, with even OpenAI CEO Sam Altman publicly flagging the issue — a rare direct callout between rival AI labs.

What's Next

The researcher who exposed the uploads says they will re-check the storage API daily and publish whether xAI's deletion promise is honored. Enterprise teams are re-evaluating which coding agents meet zero-data-retention requirements, and the incident is likely to accelerate demands for verifiable, default-off telemetry in AI developer tools.


Source: The Hacker News