On July 13, 2026, a researcher known as cereblab captured a 5.10 GiB upload from xAI’s Grok Build CLI that included an entire 12 GB Git repository—complete with its full commit history—sent to a Google Cloud Storage bucket named gs://grok-code-session-traces/. That’s the catch.
Key Takeaways
- Grok Build version 0.2.93 sent full repository bundles, not just files needed for a coding task.
- The storage channel moved 5.10 GiB while model traffic was only about 192 KB, a 27,800× difference.
- Credentials in.env files were transmitted unredacted and stored alongside the code.
- xAI disabled the upload via a server‑side flag, but hasn’t confirmed if the change is permanent.
- Developers should rotate any secrets that might have been captured and verify their own settings.
Grok Build Data Upload: Whole Repo Sent to xAI Storage
cereblab was testing version 0.2.93 of the Grok Build CLI when they noticed a separate HTTP channel to /v1/storage that was shuffling massive payloads. The binary itself listed the destination bucket, and a staged metadata.json file pointed at the same path. That’s why the upload happened.
How the Upload Worked
The CLI split traffic into two streams. Model calls went to /v1/responses and stayed tiny—just a few hundred kilobytes. Meanwhile, the storage stream chopped the repo into 73 chunks of roughly 75 MB each, each returning HTTP 200. The researcher cloned the intercepted bundle and recovered a planted canary file, src/_probe/never_read_canary.txt, verbatim. It proved the bundle contained everything, not just the files the model read.
Why the Repository Bundle Is a Problem
Sending the entire tracked repository means any proprietary code, internal URLs, or credentials hidden in commit history travel off the developer’s machine. Even if a file is git‑ignored, any version that ever made it into the history rides along. That’s concerning.
- Proprietary source can be exposed.
- Deleted secrets reappear in the bundle.
- Commit history may contain customer data.
- Other cloud agents like Claude Code and Codex didn’t exhibit this behavior.
In cereblab’s cross‑tool comparison, Claude Code and Codex sent no repository bundle; Gemini sent none in an idle test, though its realistic‑task run was quota‑blocked before it finished. Grok Build was the outlier.
What xAI Said and Did
On July 13, the same 0.2.93 binary stopped making storage requests. cereblab retested six times and saw zero /v1/storage uploads. The server now returned disable_codebase_upload: true and trace_upload_enabled: false. Developer Peter Dedene confirmed the flag appeared for his account as well, indicating a server‑side switch rather than a client update.
“All user data uploaded before now would be completely and utterly deleted,” Elon Musk said on X.
xAI has communicated the fix mainly on X, not through a formal security advisory. The @SpaceXAI account claimed enterprise teams on zero‑data‑retention never have code or trace data stored, that API‑key use respects ZDR, and that consumers can run /privacy in the CLI to disable retention and delete previously synced data.
Practical Steps for Developers
If you’ve run Grok Build before the shutdown, you shouldn’t wait for another announcement. Rotate any credential the CLI might have read—API keys, database passwords, anything in a tracked.env file, and any secret that ever lived in the repository’s history. Deleting a secret from the working tree won’t pull it out of the uploaded bundle.
Run /privacy to purge any stored traces, and double‑check that trace_upload_enabled is false in the /v1/settings response. Verify your own CLI version hasn’t re‑enabled the feature; version 0.2.99 still contains the upload code, held off only by the server flag.
What This Means For You
For developers, the incident is a reminder that “local‑only” claims can be misleading. Even when you turn off a model‑training toggle, your code might still be shipped off‑site. You’ll need to audit your CI/CD pipelines for any hidden data exfiltration paths.
Security teams should treat any credential file that a coding agent reads as potentially exposed. Implement secret‑rotation policies that assume a breach could have captured historic commits, not just the current head.
Going forward, watch for any server‑side flag changes that could re‑enable the upload without a client update. The fact that xAI can flip the switch remotely suggests that future privacy controls might be more opaque than they appear.
Will other cloud‑based coding assistants follow xAI’s lead and add similar server‑side switches, or will they be forced to make the upload opt‑out visible to end users? Only.
Historical Context
The Grok Build CLI first appeared earlier in 2026, targeting developers who wanted on‑device model assistance. Initial releases, such as version 0.2.80, only sent model inference data. No storage endpoint was documented, and early adopters reported purely request‑response traffic.
When version 0.2.93 arrived, the binary introduced a hidden /v1/storage route. The change was not announced in release notes. Users who upgraded quietly began seeing extra network activity, but the pattern remained invisible without deep packet inspection. This explains why cereblab’s discovery felt like a surprise.
Other major coding assistants—Claude Code, Codex, and Gemini—have historically kept code upload optional and user‑controlled. Their public documentation emphasized that code never leaves the client unless explicitly requested. The contrast with Grok Build’s silent bundle underscores a departure from the norm.
Competitive Landscape
Claude Code and Codex, both owned by established AI firms, have built their services around a clear opt‑in model. When a developer runs a command, the model processes the snippet locally or via a short API call. No repository‑level archive is ever created on the provider’s side.
Gemini, another high‑profile competitor, behaved similarly in idle tests. The system refused to send any code bundle unless a specific flag was toggled. In realistic workloads, Gemini hit a quota limit before it could attempt a full upload, leaving the question of intent unanswered.
Grok Build stood alone as the only tool that transmitted a full Git history without explicit user permission. That singular behavior raises concerns about industry standards. If one vendor can silently enable massive data transfer, the bar for privacy expectations may shift.
Concrete Scenarios
Scenario 1: A startup building a fintech app. The team uses Grok Build to accelerate feature development. Their repository contains API keys for a payment processor, stored in a.env file that was once committed and later removed. After the July 13 upload, those keys travel to the xAI bucket. Even after the flag is flipped, the keys may already be cached. The startup must immediately revoke the compromised keys and issue new ones.
Scenario 2: An enterprise with strict compliance. The organization enforces data residency rules that forbid any code from leaving the corporate network. A developer inadvertently runs Grok Build version 0.2.93 on a confidential codebase. The entire 12 GB repository, including internal IP addresses, is sent to a Google Cloud bucket in a different jurisdiction. The compliance team must now document the breach, assess regulatory impact, and update internal policies to forbid such tools.
Scenario 3: An open‑source maintainer. The maintainer contributes to a public project but also keeps a private fork with experimental features. The private branch contains a secret token that was never pushed to the public repo but existed in the fork’s history. When Grok Build uploads the whole history, the token appears in the cloud storage. Even though the project is open source, the secret is now exposed and must be regenerated.
Key Questions Remaining
- Will xAI publish a formal security advisory that details the scope of the deleted data?
- How long does the uploaded bundle remain in the
gs://grok-code-session-traces/bucket before automatic deletion? - Can developers programmatically verify that no residual traces exist on xAI’s side after running
/privacy? - Will future CLI releases make the storage flag visible in the client configuration, allowing users to opt out locally?
- What safeguards will other AI coding platforms adopt to prevent a repeat of this silent upload pattern?
What Happens Next
In the short term, xAI is likely to keep the server‑side flag turned on while monitoring community feedback. The company may also introduce a dashboard where users can view and delete past uploads. That would give developers a way to confirm that the “delete everything” promise is being honored.
Long‑term, the incident could push regulators to draft clearer guidelines for AI‑assisted development tools. If a breach involves proprietary code, the legal ramifications could extend beyond simple data‑privacy complaints. Organizations might start demanding audit logs from providers, ensuring that any data transfer is traceable.
Developers should stay alert. New versions of the CLI appear frequently, and a single line of code can re‑enable a disabled feature. Regularly check the /v1/settings endpoint, and treat any unexpected flag as a signal to pause usage until you understand the impact.
Sources: The Hacker News, original report

