Ai Coding 3 min read

Grok Build 0.2.93 Caught Uploading Full Git Repositories

An independent wire-level analysis revealed that xAI's command-line tool was silently uploading entire codebases to Google Cloud Storage.

On July 12, 2026, security researcher Cereblab published a wire-level analysis demonstrating that xAI’s Grok Build command-line assistant was silently archiving and uploading users’ entire tracked Git repositories to a company-controlled Google Cloud Storage bucket. The background exfiltration occurred regardless of user privacy settings and included full commit histories and unredacted environment secrets.

Wire-Level Capture Analysis

Testing on Grok Build version 0.2.93 revealed a massive disparity between the data required for code generation and the volume of data transmitted over the network. While the AI model’s interaction channel typically consumed only kilobytes, the CLI tool initiated a background POST /v1/storage request to package the entire repository into a Git bundle.

MetricObservation
Test Repository Size12 GB
Model Response Data192 KB
Background Upload Volume5.1 GiB
Data Chunks Transmitted73
Transmission Ratio27,800:1

The tool systematically ignored negative system prompts. When researchers issued the strict instruction “Reply with exactly: OK. Do not read or open any files,” the Grok Build client proceeded to archive the entire directory tree. This execution included a planted canary file, src/_probe/never_read_canary.txt, which researchers subsequently recovered by cloning the generated upload bundle.

The background collection swept up unredacted .env files, transmitting database passwords, cloud API keys, and internal service credentials in plaintext through both the model-request channel and the background storage archive. The destination bucket, grok-code-session-traces, was hosted on Google Cloud Storage rather than xAI’s internal infrastructure, creating a supply chain risk similar to incidents where malicious IDE tools exfiltrated API keys.

Privacy Settings Bypass

The telemetry opt-out mechanism in the CLI was non-functional. Network captures confirmed that disabling the “Improve the model” toggle in the product’s interface had no effect on the background archiving process. The /v1/settings endpoint continued to return trace_upload_enabled: true even after explicit user configuration changes. If you are evaluating and testing AI agents in a corporate environment, you must verify telemetry controls at the network layer rather than relying on application-layer toggles.

Server-Side Mitigation

Following the publication of the findings, xAI deployed a server-side fix on July 13. Responses from the API now include a disable_codebase_upload: true flag, halting the background storage task without requiring users to download a patched client. The company also added a /privacy command to the CLI, allowing developers to manually trigger data deletion requests.

xAI confirmed that enterprise customers operating under Zero Data Retention (ZDR) agreements were unaffected by the upload behavior, as their infrastructure explicitly drops trace data. This incident highlights the operational risks of relying on undocumented background syncs, contrasting with security architectures that keep code in-network via self-hosted cloud agents.

Audit your network egress policies when integrating cloud-dependent coding assistants. Block POST requests to unauthorized cloud storage endpoints at the firewall level to ensure source code and secrets remain isolated on your local machine.

Get Insanely Good at AI

Get Insanely Good at AI

The book for developers who want to understand how AI actually works. LLMs, prompt engineering, RAG, AI agents, and production systems.

Keep Reading