BotBeat
...
← Back

> ▌

xAIxAI
RESEARCHxAI2026-07-13

xAI Quietly Patches Grok Build CLI After Security Researcher Exposes Undisclosed Repository Uploads

Key Takeaways

  • ▸Grok Build CLI was uploading entire developer repositories to Google Cloud Storage without explicit consent or transparent disclosure
  • ▸The 'Improve the model' opt-out toggle did not prevent code uploads, indicating false user control over data collection
  • ▸A security researcher discovered this through packet capture analysis showing 5.1 GB uploaded versus 192 KB needed for the actual task
Source:
Hacker Newshttps://www.internationalcyberdigest.com/xais-grok-build-cli-uploads-entire-git-repositories-to-a-google-cloud-bucket/↗

Summary

A security researcher discovered that xAI's Grok Build CLI was uploading complete developer repositories, including full Git history, credentials, and secrets, to a Google Cloud Storage bucket named grok-code-session-traces. The researcher, publishing under the handle cereblab, analyzed traffic from version 0.2.93 using the mitmproxy interception tool and found that on a 12 GB test repository, the CLI uploaded 5.1 gigabytes of code despite only needing 192 KB for the actual coding task. Any team that ran Grok Build on a private or proprietary codebase inadvertently handed xAI an undisclosed copy of its entire source history.

Critically, the "Improve the model" toggle—which developers would reasonably expect to control data collection—did not stop the uploads. Server responses still returned trace_upload_enabled: true, and the repository transfer proceeded regardless of the user's setting. The upload behavior was never documented in Grok Build's setup documentation, contradicting xAI's marketing of the tool as "local-first." Additionally, test credentials the researcher planted in a .env file were captured and transmitted verbatim and unredacted in the traffic.

One day after the disclosure went public, xAI deployed a server-side fix without any security advisory, statement, or explanation. The researcher retested and observed the server returning disable_codebase_upload: true, preventing further uploads. However, xAI has provided no clarity on what happens to the repositories already stored in the cloud bucket, nor has it explained the upload's original purpose, scope, or data retention policy. The official changelog for version 0.2.98 (released July 12, 2026) makes no mention of the upload behavior or the fix.

  • xAI applied a server-side fix after public exposure but provided no advisory, explanation, or guidance on already-collected code
  • The tool lacked documentation about its upload behavior despite being marketed as 'local-first'

Editorial Opinion

This incident exposes a critical gap in transparency and user agency for AI developer tools. xAI's undisclosed collection of sensitive source code, credentials, and secrets—combined with a misleading opt-out mechanism and complete silence after discovery—fails to meet the accountability standards the industry must establish. The silent server-side patch without advisory, explanation, or disclosure about data retention raises serious questions about xAI's commitment to responsible AI deployment. Developers and enterprises evaluating AI-assisted coding tools must now demand explicit documentation of data practices and genuine consent mechanisms.

AI AgentsCybersecurityAI Safety & AlignmentPrivacy & Data

More from xAI

xAIxAI
UPDATE

xAI Launches Grok 4.5: Enhanced Model for Coding and Agentic Tasks

2026-07-09
xAIxAI
RESEARCH

Grok 4.5 Dominates CursorBench, Achieving Superior Performance to GPT-5.5 at Half the Cost

2026-07-08
xAIxAI
UPDATE

xAI Completes Rebrand to SpaceXAI With New Logo

2026-07-06

Comments

Suggested

CdbxCdbx
PRODUCT LAUNCH

Cdbx Launches AI-Powered Browser IDE to Build Apps from Plain English Descriptions

2026-07-13
Academic ResearchAcademic Research
RESEARCH

Real-World AI-Generated Code More Similar to Human Code Than Lab Studies Suggested, Large-Scale Study Finds

2026-07-13
CompoundCompound
PRODUCT LAUNCH

Compound Launches Frankie: AI Analyst You Can Email to Get Work Done

2026-07-13
← Back to news
© 2026 BotBeat
AboutPrivacy PolicyTerms of ServiceContact Us