A deep packet analysis has revealed that xAI's Grok Build command-line tool was uploading entire Git repositories, including sensitive data and unredacted secrets, to a company-controlled cloud bucket. The behavior, uncovered by security researcher cereblab, was later disabled by xAI through a server-side change, without any public advisory or official statement.
Packet captures show massive code transfer
The researcher, operating under the handle cereblab, routed Grok Build CLI version 0.2.93 through the mitmproxy interception proxy on macOS and released the captures as a public gist. The analysis showed the client bundling the entire tracked repository, full Git history included, and uploading it to a Google Cloud Storage bucket named grok-code-session-traces. The upload ran independently of the files the agent actually opened for its coding task. The numbers make that distinction concrete. On a 12 GB test repository, the model request channel moved about 192 KB of task-relevant traffic, while the storage upload moved roughly 5.1 gigabytes. The tool was not sending what it needed to answer the developer; it was sending the codebase. A canary credential the researcher planted in a .env file appeared verbatim and unredacted in the captured traffic. Because the CLI uploaded whatever repository it ran in, any team that pointed it at a private or proprietary codebase handed xAI an undisclosed copy of its source history, credentials, and secrets along with it.
Sponsored Protocol
The opt-out did not stop the upload
Grok Build ships with an "Improve the model" toggle that most developers would read as a data-collection control. Disabling it did not stop the uploads. Server responses still returned trace_upload_enabled: true, and the repository transfer proceeded as normal. The setting governs training consent, not whether code leaves the machine. Neither the storage bucket nor the upload behavior appears in Grok Build's setup documentation, according to coverage of the analysis, which also notes xAI had marketed the tool as local-first.
Sponsored Protocol
The fix arrived silently server-side
A day after the report went public, the researcher retested the same 0.2.93 client and found the server now returning disable_codebase_upload: true alongside trace_upload_enabled: false. Across six retests, no repository uploads were observed. This points to a deliberate server-side mitigation rolled out after the exposure, flipped remotely and invisibly. The caveats cut both ways. The mitigation has been verified on one machine and one account, so there is no confirmation it is global, staged, or permanent. At the same time, the researcher is explicit that the captures do not prove xAI trained on the uploaded code, that employees viewed it, or that every account received the same configuration. This is a finding about undisclosed collection, not confirmed misuse.
Sponsored Protocol
Unanswered questions on retention and deletion
What is entirely missing is xAI's side of the story. No security advisory, no explanation of the upload's purpose, scope, or retention, no word on whether repositories already sitting in grok-code-session-traces will be deleted. The official changelog listed version 0.2.98 as the latest release on July 12, 2026 without mentioning repository-upload behavior at all. As Satya Nadella warned about the risks of proprietary AI models, transparency in handling sensitive data remains a critical issue for enterprise adoption. This incident raises trust questions for developers and companies relying on generative AI coding tools, especially when data collection policies are opaque. Until xAI provides definitive answers, caution remains warranted.