Back to stories
DevelopingAI-edited source brief

xAI's Grok Build CLI was silently uploading entire codebases—including secrets—to the cloud

A security researcher found that xAI's AI coding tool packaged and shipped full Git repositories, .env files, and commit history to cloud storage regardless of user instructions or privacy settings.

Published Updated 3 sources2 web88% confidence

What matters

  • xAI's Grok Build CLI (v0.2.93) uploaded entire Git repositories—including .env secrets and commit history—to cloud storage, even when told not to read files.
  • A privacy toggle in the tool's settings had no effect on the upload behavior.
  • Wire captures documented roughly 5 GB of data uploaded per session.
  • xAI disabled the behavior after being reported but issued no formal user advisory.
  • The findings raise broader questions about data-handling practices across AI coding assistants.

What happened

On Monday, July 14, 2026, security researcher Cereblab published findings from a wire-level analysis of xAI's Grok Build CLI (version 0.2.93), the AI coding assistant from Elon Musk's xAI venture. Using a proxy to intercept traffic from controlled test repositories seeded with fake canary credentials, Cereblab discovered that the tool was doing far more than reading files to answer coding questions—it was packaging and uploading entire Git repositories to cloud storage.

The findings, reported by The Register and surfaced by The Verge, detail two distinct data-transmission paths. First, when Grok Build reads a local file, its contents are sent verbatim through the model-request channel (POST /v1/responses). During testing, unredacted fake API keys and database passwords stored in a .env-style file appeared in the captured request data—and the same sensitive information also showed up in a session-state archive sent through POST /v1/storage.

Second, and more alarmingly, a separate background upload mechanism packaged and transferred an entire Git repository rather than just the files relevant to a coding task. The captured Git bundle included files the agent had been explicitly instructed not to read, as well as the repository's full commit history. In one test, Cereblab used the prompt: "Reply with exactly: OK. Do not read or open any files." Despite that instruction, the upload still proceeded.

According to TechTimes, wire captures documented approximately 5 GB of data uploaded per session, and a privacy toggle in the tool's settings did nothing to prevent the uploads. xAI turned off the behavior after being reported, but no formal advisory was issued to users.

Why it matters

AI coding assistants are becoming standard tooling for developers, and they require deep access to local codebases to function. But there is a fundamental difference between reading files to generate a response and silently exfiltrating an entire repository—including secrets, environment variables, and Git history—to a vendor's cloud.

The Grok Build findings highlight several systemic risks in the AI coding-tool category:

  • Secrets exposure. Unredacted .env contents, including API keys and database passwords, were transmitted in plaintext. For any developer who used Grok Build against a real production repository, live credentials may have been sent to xAI's infrastructure.

  • Instruction non-compliance. The tool uploaded files even when explicitly told not to read or open them. This undermines the assumption that prompt-level instructions can serve as a reliable access-control mechanism.

  • Ineffective privacy controls. A privacy toggle that does nothing is arguably worse than no toggle at all, because it gives users a false sense of control.

  • No user notification. xAI disabled the behavior but, according to reporting, issued no advisory. Developers who used the tool before the fix may be unaware their code and credentials were uploaded.

This is not unique to xAI. Any AI coding tool that processes local repositories faces the same tension between utility and data exposure. But the Grok Build case is a particularly stark example of a tool overstepping its stated function and doing so silently.

What to watch

  • Whether xAI issues a formal advisory or notification to users who may have been affected before the behavior was disabled.
  • Whether other AI coding tools (Cursor, GitHub Copilot, Cody, etc.) undergo similar wire-level audits in the wake of these findings.
  • Whether this incident prompts regulatory scrutiny under data-protection frameworks, particularly if any affected repositories contained personal or regulated data.
  • Whether xAI publishes a technical postmortem explaining how the background upload mechanism worked and why the privacy toggle was non-functional.

What to do next

Developers

If you used Grok Build CLI before July 14, 2026, rotate any API keys, database passwords, and other secrets that existed in your repository's .env files or code.

Unredacted secrets were transmitted to xAI cloud storage; affected credentials should be considered compromised.

Founders

Audit which AI coding tools your engineering team has adopted and require a data-handling review before any new tool gets repository access.

Silent codebase exfiltration can expose IP, customer data, and infrastructure credentials—risks that fall on the company, not the individual developer.

PMs

Review your product's AI-tool usage policies and ensure there is a documented process for evaluating third-party coding assistants before deployment.

The Grok Build case shows that privacy toggles can be non-functional; PMs need to verify, not assume, that vendor controls work as advertised.

Investors

Factor data-handling transparency and independent security audits into due diligence for AI coding-tool companies.

Silent data exfiltration is a liability and trust risk that can materially affect adoption and valuation; companies with robust, auditable data practices are better positioned long-term.

Operators

Run network-traffic audits on any AI coding tools currently in use across your organization, using proxy interception to verify what data is actually leaving your environment.

The Grok Build findings were only discovered through wire-level analysis; operators cannot rely on vendor documentation alone to confirm safe data behavior.

How to test

  1. 1Create a fresh Git repository with several files, including a .env file containing fake API keys and database passwords.
  2. 2Add a few commits to populate Git history.
  3. 3Configure your proxy to intercept traffic from the Grok Build CLI process.
  4. 4Run Grok Build CLI against the test repository with a simple prompt such as: 'Reply with exactly: OK. Do not read or open any files.'
  5. 5Inspect captured traffic for any POST requests to /v1/responses or /v1/storage endpoints.
  6. 6Check whether file contents, .env values, or Git bundle data appear in the captured requests.

Caveats

  • xAI has reportedly disabled the upload behavior, so current versions may no longer exhibit this issue.
  • Testing with real credentials is strongly discouraged; use only fake canary credentials.
  • Results may vary by CLI version; the original findings were based on version 0.2.93.