• Category: Security
  • Status: developing
  • Sources: wire-capture writeup, HN discussion
  • Summary: A researcher (cereblab) published a wire-level analysis dated 2026-07-10 of xAI's Grok Build CLI v0.2.93 using mitmproxy interception and planted canary files. The writeup claims the CLI transmits the contents of files it reads, including a .env secrets file, to xAI verbatim, and separately uploads the entire workspace as git bundles to a Google Cloud Storage bucket named grok-code-session-traces (POST /v1/storage) independent of what the agent reads. It reports a 12 GB repository produced about 5.10 GiB of storage uploads while model-channel traffic was only 192 KB, and that recovered bundles contained never-read files. It also cites telemetry to Mixpanel and an xAI events endpoint, and states the behavior runs by default regardless of privacy settings.
  • Comments: HN commenters quote the writeup's claim that upload covers every tracked file plus git history regardless of reads. A commenter identifying as a GitHub Copilot engineer rejected a side-thread claim that Microsoft can read all GitHub repositories. Others note the file-exfiltration risk is not specific to AI (any program run as the user can read your files) and recommend running coding CLIs inside a sandbox with limited directory access, while one suggests a plausible server-side reason (inspecting the codebase during model "thinking" without round-trip tool calls).
  • Why it matters: If accurate, a widely used coding CLI ships full repository contents and plaintext secrets to a vendor bucket by default, which is a credential-rotation and data-governance event for any team that ran it.
  • Follow-up: Watch for an xAI response or a Grok Build CLI change, independent reproduction of the wire captures, and whether an opt-out or redaction lands.

Send feedback on this story