xAI's Grok Build CLI Uploads Git Repositories to a Google Cloud Bucket
Hacker News

xAI's Grok Build CLI Uploads Git Repositories to a Google Cloud Bucket

What the packet captures showed

The findings come from a researcher publishing under the handle cereblab, who routed Grok Build CLI version 0.2.93 through the interception proxy mitmproxy on macOS and released the captures as a public gist.

The analysis showed the client bundling the entire tracked repository, full Git history included, and uploading it to a Google Cloud Storage bucket named grok-code-session-traces. The upload ran independently of the files the agent actually opened for its coding task.

The numbers make that distinction concrete. On a 12 GB test repository, the model request channel moved about 192 KB of task-relevant traffic. The storage upload moved roughly 5.1 gigabytes. The tool was not sending what it needed to answer the developer. It was sending the codebase.

A canary credential the researcher planted in a .env file appeared verbatim and unredacted in the captured traffic. And because the CLI uploaded whatever repository it ran in, any team that pointed it at a private or proprietary codebase handed xAI an undisclosed copy of its source history, credentials, and secrets along with it.

The opt-out that did not opt out

Grok Build ships with an "Improve the model" toggle that most developers would read as a data-collection control. Disabling it did not stop the uploads. Server responses still returned trace_upload_enabled: true, and the repository transfer proceeded as normal. The setting governs training consent, not whether code leaves the machine.

Neither the storage bucket nor the upload behavior appears in Grok Build's setup documentation, according to coverage of the analysis, which also notes xAI had marketed the tool as local-first.

A fix shipped in silence

A day after the report went public, the researcher retested the same 0.2.93 client and found the server now returning disable_codebase_upload: true alongside trace_upload_enabled: false. Across six retests, no repository uploads were observed. That points to a deliberate server-side mitigation rolled out after the exposure, flipped remotely and invisibly.

The caveats cut both ways. The mitigation has been verified on one machine and one account, so there is no confirmation it is global, staged, or permanent. At the same time, the researcher is explicit that the captures do not prove xAI trained on the uploaded code, that employees viewed it, or that every account received the same configuration. This is a finding about undisclosed collection, not confirmed misuse.

What is entirely missing is xAI's side of the story. No security advisory. No explanation of the upload's purpose, scope, or retention. No word on whether repositories already sitting in grok-code-session-traces will be deleted. The official changelog listed version 0.2.98 as the latest release on July 12, 2026 without mentioning repository-upload behavior at all.

Get the ICD Newsletter

Subscribe for source-forward cyber news, OSINT notes, breach updates, and analysis. Have evidence or a lead? Send it to ICD.

Comments

No comments yet. Start the discussion.