Grok Build Uploaded Your Entire Code Repository to xAI Servers. Here's What Developers Need to Know
Between its launch and July 13, 2026, xAI's Grok Build coding tool was uploading entire Git repositories, including full commit histories and unredacted secrets, to xAI storage servers,not just the files the AI agent actually opened during a coding session. A researcher identified the issue by intercepting network traffic, and the discovery has raised serious questions about data handling practices in AI coding assistants.
What Actually Happened With Grok Build?
Grok Build, xAI's command-line coding assistant, was sending tracked Git repositories to a Google Cloud Storage bucket operated by xAI. The destination bucket, named "grok-code-session-traces," was hardcoded into the software binary. A researcher publishing under the name cereblab intercepted the traffic on version 0.2.93 and recovered the uploaded Git bundle, discovering files the agent had been explicitly told not to open.
The scale of the data transfer was striking. While the model API received about 192 kilobytes of data per session, the storage upload sent approximately 5.10 gigabytes, meaning the upload was roughly 27,800 times larger than what the model actually needed to function.
What Data Left Your Machine?
The uploaded bundles contained far more than developers likely expected. Here's what researchers found included in the transfers:
- All tracked files: Every file in the Git repository that was tracked by version control, including files the AI agent never opened or interacted with during the session
- Complete commit history: The full Git history, including deleted commits and changes that were later reverted
- Unredacted secrets: Environment files (.env) containing API keys, database passwords, and other credentials in plain text, exactly as they appeared in the repository
- Credentials in commit history: Any secret that appeared anywhere in the repository's commit history, even if it had been deleted from the working directory in a later commit
Notably, files that were gitignored and never committed to the repository did not appear in the bundle. However, any credential that had ever been committed, even if later removed, rode along in the historical record.
Did the Privacy Toggle Actually Work?
xAI offered users a setting called "Improve the model" that appeared to control data uploads. However, this toggle did not actually prevent the repository upload. With the setting disabled, Grok Build continued uploading the full repository while the server kept returning a flag indicating uploads were enabled. The critical detail: the privacy setting controlled whether data was used for training purposes, not whether code left the machine at all. These were two separate controls, and only one was visible to users.
How Did xAI Respond?
On July 13, 2026, without requiring users to update their software, xAI flipped a server-side switch that disabled the upload functionality. Version 0.2.93 and later stopped making storage requests, and the server began returning a flag indicating uploads were disabled. Elon Musk stated on X that all previously uploaded data would be "completely and utterly deleted." Enterprise teams using zero data retention policies and API key users were reportedly never affected by the upload.
Elon Musk
However, a separate analysis of build 0.2.99 found the upload code still present in the binary, held off only by the server-side flag. This means xAI could theoretically re-enable uploads without shipping a new client update.
Steps to Protect Your Credentials If You Used Grok Build Before July 13
- Rotate credentials immediately: Change any API key, database password, or secret that Grok Build could have accessed, including any secret in a file the agent read during a session
- Rotate environment variables: Update any tracked.env file in your repository, since these were included in uploads
- Audit commit history: Rotate any credential that appears anywhere in your repository's commit history, including commits where the secret was supposedly already deleted
- Don't wait for confirmation: Rotate credentials first rather than waiting for xAI to confirm deletion of previously synced data
- Request deletion: Individual subscribers can run the /privacy command in the Grok Build CLI to disable retention and request deletion of previously synced data
How Does This Compare to Other AI Coding Tools?
The discovery raises questions about how other AI coding assistants handle repository data. Researchers tested comparable tools and found that Claude Code, OpenAI Codex, and Gemini did not upload full repositories in the same manner, though the testing conditions varied. All cloud coding agents send files they open to remote models, which is expected. However, uploading the entire tracked repository and its complete history represents a different boundary entirely.
For development teams using AI coding agents as part of their workflow, the incident highlights the importance of reviewing how tools handle sensitive code and credentials. The distinction between what a tool needs to function and what it actually uploads deserves careful attention when evaluating security practices.