Security / Jul 15, 2026 / 4 min
Your Repo Left Without Asking
On July 12, wire captures proved xAI's Grok Build CLI shipped entire Git repositories — including never-read files and deleted secrets — to a Google Cloud bucket at 27,800× the data the coding task needed, while the "Improve the model" privacy toggle did nothing.
xAI's Grok Build CLI was silently shipping entire Git repositories — never-read files, full commit history, unredacted .env secrets — to a Google Cloud bucket named grok-code-session-traces, at roughly 27,800 times the data the coding task actually needed, while the user-facing "Improve the model" privacy toggle did nothing and xAI fixed the leak with a server flag, not a software update.
What's new:
- Independent researcher Cereblab published a wire-level analysis July 12 after intercepting Grok Build CLI version 0.2.93 with mitmproxy on macOS
- The story hit Hacker News' front page July 14; The Verge, The Hacker News, and The Register followed
- xAI disabled uploads server-side July 13 — same client binary, new
disable_codebase_upload: trueflag from/v1/settings - Elon Musk promised July 13 on X that all previously uploaded data would be "completely and utterly deleted"
What the wire capture proved:
- Grok ran two channels:
POST /v1/responsesfor the model (192 KB on a real task) andPOST /v1/storagefor background uploads (5.10 GiB across 73 chunks on a 12 GB test repo) - Cereblab planted a canary file and told Grok: "Reply with exactly: OK. Do not read or open any files." The canary appeared verbatim in the captured Git bundle —
git clonerecovered the full repo including history - A fabricated
.envwith API keys and database passwords shipped unredacted through both channels - Destination:
gs://grok-code-session-traces/repo_changes_dedup/v2/…— named in the binary'sxai-data-collectorRust crate and in stagedmetadata.jsonartifacts - Comparative testing on the same machine found Claude Code, OpenAI Codex, and Gemini CLI sent no whole-repo bundles in equivalent idle scenarios
The privacy theater:
- Users who disabled "Improve the model" still saw
/v1/settingsreturntrace_upload_enabled: true— uploads proceeded normally - xAI's
/privacycommand setscodingDataRetentionOptOut— a training-retention toggle, not a transmission block - A local kill-switch exists:
[harness] disable_codebase_upload = truein~/.grok/config.toml— but it was not surfaced in the CLI's user-facing controls - Independent tester @wetlink confirmed 339
repo_state.upload.enqueuedevents in local logs, including one session whererepo_pathwas the user's entire home directory
xAI's response — and what's missing:
- No formal security advisory, incident report, affected-user count, or deletion timeline
- Changelog entry for version 0.2.98 (released July 12) makes no mention of repository uploads
- Upload code remains in the current binary (0.2.99); only the server flag holds it dormant — xAI could re-enable uploads without pushing a client update
- SpaceXAI's X account pointed users to
/privacyand cited zero-data-retention for enterprise teams — Cereblab noted that was not the control that stopped the leak - Musk on July 13: "As a precautionary measure, all user data that was uploaded to SpaceXAI before now will be completely and utterly deleted. Zero anything whatsoever will remain."
- In a separate post, Musk said privacy settings are "always respected" but asked users to allow some retention because it's "helpful for debugging issues"
- Dr. Lukasz Olejnik, an independent security researcher at King's College London, told The Verge the retention was "excessive" and the data at risk could include "proprietary source code, information about security vulnerabilities, personal data, infrastructure details, [and] credentials"
- As of July 15, Cereblab reports deletion has not been independently confirmed complete
What developers should do now:
- Rotate every credential Grok Build could have touched — tracked files,
.envcontents, and secrets committed then deleted from Git history - If you still use Grok Build: set
[harness] disable_codebase_upload = truein~/.grok/config.tomland verify with Cereblab's open-source reproduction harness - Treat "zero data retention" marketing as unverified until vendors publish wire-capture evidence, not blog posts
Convina's view: Grok Build did not suffer a bug — it shipped a second channel that vacuumed whole repositories while telling users the privacy switch worked. That is the difference between a coding assistant and a data exfiltration tool with a model attached. xAI's fix — flipping a remote flag while leaving upload machinery in every installed binary — is the same governance pattern that made distillation, tokenizer hikes, and export-control whitelists this month's headlines: change behavior under pressure, disclose nothing auditable, ask for trust on X. Enterprise buyers evaluating Claude Code, Cursor, and Grok Build should stop reading privacy policies and start demanding packet captures. The repo that left your machine without asking is still someone's problem to prove gone.