• Category: Security
  • Status: developing
  • Sources: wire-level analysis (gist), GIGAZINE, HN discussion, second-report HN discussion
  • Summary: A researcher published a mitmproxy wire capture of xAI's Grok Build CLI (grok 0.2.93) reporting that it uploads the full working repository, every tracked file plus complete git history, to a Google Cloud Storage bucket named grok-code-session-traces through a POST /v1/storage channel, independent of what the agent reads. On a 12 GB test repository the storage channel moved 5.10 GiB across about 73 chunks while the model-turn channel carried 192 KB, and planted files the agent never opened were recovered verbatim from the uploaded git bundle. Contents of a .env file, including canary API_KEY and DB_PASSWORD values, appeared unredacted in both the POST /v1/responses bodies and a session-state archive. Disabling the "Improve the model" toggle did not stop the upload, and /v1/settings still returned trace_upload_enabled: true. The author states the capture does not prove xAI trains on the data. A separate user account raised on Hacker News later on 2026-07-13 claims the CLI uploaded the entire home directory, not only the working repository, which would widen the reported scope. That claim comes from a single social-media account and is not independently verified.
  • Comments: HN commenters read the whole-repository upload as codebase harvesting and debate whether it is a serving optimization that lets the model inspect files during reasoning without client round-trips rather than deliberate collection.
  • Why it matters: A widely promoted coding CLI sending secrets and entire private repositories off the machine by default, with an ineffective opt-out, makes credential rotation and network isolation necessary for anyone who ran it.
  • Follow-up: Watch for an xAI statement or a CLI update that scopes uploads and honors the opt-out, and independent reproduction of the wire capture.

Send feedback on this story