AI SECURITY

xAI's Grok Build Shipped Whole Git Repos to a Cloud Bucket, and the Privacy Toggle Didn't Stop It

A researcher publishing as cereblab caught xAI's Grok Build CLI uploading entire Git repositories, full commit history included, to a Google Cloud Storage bucket named grok-code-session-traces.

Matt Lucas  |  July 14, 2026  |  6 min
xAI's Grok Build Shipped Whole Git Repos to a Cloud Bucket, and the Privacy Toggle Didn't Stop It — editorial hero illustration
5.10 GiB
Repo data uploaded per session
27,800x
Storage traffic vs. model traffic
73 / 73
Chunks accepted with HTTP 200
0.2.93
Version tested and captured
TL;DR
  • What: xAI's Grok Build coding CLI (v0.2.93) uploaded entire tracked Git repositories, including full commit history, to an xAI-run Google Cloud Storage bucket called grok-code-session-traces, separate from the model's own request channel.
  • Impact: On a 12 GB test repo the model never read, 5.10 GiB went to /v1/storage against 192 KB of model traffic; the researcher cloned the intercepted bundle and recovered a file the agent was explicitly told not to open, plus a tracked .env with unredacted canary credentials.
  • Fix / mitigation: xAI flipped a server-side flag on July 13 that stopped the uploads on the same 0.2.93 binary (disable_codebase_upload: true), and individual subscribers can run /privacy in the CLI to disable retention and delete synced data, but the upload code remains in build 0.2.99 and can be re-enabled without a client update.
  • Who's at risk: Anyone who ran Grok Build against a private repo, especially individual subscribers outside enterprise zero-data-retention agreements, and anyone whose commit history ever contained a credential.

A researcher publishing as cereblab pointed a packet capture at xAI's Grok Build coding CLI, version 0.2.93, and found that the tool was not doing what a coding agent is supposed to do. It was not sending the files it needed to read. It was sending the repository. All of it. Tracked files, full commit history, packaged as a git bundle and shipped to a Google Cloud Storage bucket run by xAI called grok-code-session-traces.

The byte split is the part that ends the argument. On a 12 GB repository the model never read, traffic to the model endpoint at /v1/responses came to roughly 192 KB. Traffic to /v1/storage came to 5.10 GiB. That is a gap of about 27,800x between what the model actually needed to do the job and what left the developer's machine. The upload ran as 73 chunks of roughly 75 MB each, and every single one came back HTTP 200. Across cereblab's size sweep, the volume tracked total repo size, which is exactly what you would expect if the thing being uploaded is the repo rather than the task.

The canary that was never opened

cereblab planted a file at src/_probe/never_read_canary.txt with a unique marker, and told the agent in plain terms not to open it. Then they intercepted the upload, cloned the git bundle straight out of the captured request, and pulled the canary back verbatim, along with the repository's full commit history. The test replicated on a second, unrelated repo. The destination bucket is named in the binary and again in a staged metadata.json whose per-file paths point at gs://grok-code-session-traces/.

Be precise about what this does and does not prove, because the researcher was. The captures establish transmission, acceptance, and storage. They do not establish training. The teardown makes no claim that xAI trained on the code, that staff read it, or that gitignored files were swept in. Tracked files plus history is what the wire shows. That is enough.

A separate, simpler problem with secrets

The repository bundle is one channel. Secrets took the obvious one. When Grok reads a file, the contents go into the model turn, and a tracked .env went along with canary API_KEY and DB_PASSWORD values fully unredacted. The same content also turned up in a session_state archive bound for storage. The planted values were fake, so nothing real leaked in the test. The behavior is the finding: a credential file the agent touched during a normal task left the machine and was stored with no redaction step anywhere in the path.

The toggle you would reach for does not do what you think

With "Improve the model" turned off, Grok Build still uploaded the repository, and the server's own /v1/settings response kept returning trace_upload_enabled: true. That switch governs whether your data trains the model. It does not govern whether your code leaves the machine. Two different controls, and only one of them was ever exposed to the user.

Grok Build was the outlier, not the norm

Every cloud coding agent has to send some source to a remote model to function. That channel is expected and nobody should be shocked by it. Sending the entire tracked repository plus its history is a materially wider boundary than sending the files a task needs, and the difference matters because a repo is not just code. It holds proprietary logic, internal URLs, customer data, and credentials that were pulled from the working tree years ago but still sit in commit history, immortal.

cereblab's cross-tool comparison found Claude Code and Codex sent no repository bundle. Gemini sent none in an idle test, though its realistic-task run was quota-blocked before it finished. Grok Build was alone here. That said, all of these are cloud tools that send the files they open, so "local only" remains the wrong mental model for any of them. Wholesale collection of the workspace is what was specific to Grok Build.

xAI's response: a flag, not a fix

On July 13 the same 0.2.93 binary stopped making storage requests. cereblab retested six times and saw zero /v1/storage uploads, with the server now returning disable_codebase_upload: true and trace_upload_enabled: false. Developer Peter Dedene reported the same flag on his own account, so this was not one researcher's machine. The client never changed version. The server did. That is a switch, not a patch.

xAI has addressed this on X rather than through a security advisory or a changelog entry. The @SpaceXAI account said enterprise teams on zero data retention never have code or trace data stored, that API-key use respects ZDR, and that consumers who have not enabled it can run /privacy in the CLI to disable retention and delete previously synced data. Elon Musk said all previously uploaded user data would be "completely and utterly deleted," with nothing left behind. Separately, an analysis of build 0.2.99 found the upload code still sitting in the binary, held off only by the server flag.

The RedEye take

The uploads stopping is not the story. The story is that a server-side boolean is the only thing standing between your private repository and an xAI storage bucket, and xAI controls that boolean. The code path is still compiled into 0.2.99. It can come back tomorrow, silently, with no update for you to review, no changelog for you to diff, and no advisory for your vendor risk team to file. "We turned it off" is a configuration state, not a security control.

The deeper failure is one of honest labeling. A user who unchecked "Improve the model" made a deliberate privacy decision and was given a control that answered a question they did not ask. Whether that gap was carelessness or product design, the effect on the developer is the same: they believed they had opted out, and 5.10 GiB left anyway. Trust in AI tooling gets built on the boring accuracy of settings screens, and this one lied by omission.

And the questions that would actually let a CISO close the ticket remain unanswered. xAI has not said why full repositories were uploaded by default, how long they were retained, or how many users were affected. A deletion promise made on X is not a retention record. Until those three numbers exist, treat every repo you ever opened in Grok Build as having been disclosed to a third party, and act accordingly.

What defenders should learn

If you ran Grok Build

Do not wait on xAI. Run /privacy in the CLI to disable retention and delete synced data, then rotate any credential the tool could have sent: anything it read, anything in a tracked file, and anything in the git history the bundle carried. Then check what your other AI coding tools are sending, because "local only" is the wrong mental model for all of them.

Source

Swati Khandelwal, "Grok Build Uploaded Entire Git Repositories to xAI Storage, Not Just Files It Read," The Hacker News, July 14, 2026, reporting on research published by cereblab. https://thehackernews.com/2026/07/grok-build-uploads-entire-git.html

Questions about your exposure?

RedEye Security provides assessments for organizations that need to understand their real risk.

Talk to us