Grok Build CLI Uploaded Git Repositories and Unredacted Secrets to Cloud Storage


SpaceXAI’s Grok Build CLI transmitted unredacted file contents and uploaded Git repository data to cloud storage during controlled security tests. The findings affect Grok Build version 0.2.93 and raise concerns for developers who used the coding agent with private source code, credentials, internal documents, or sensitive Git history.

The tests identified two separate upload channels. Files that Grok Build opened were included in model requests and session archives. A background repository-upload system also created Git bundles containing tracked files and commit history, including a planted file that the agent had been explicitly instructed not to read.

SpaceXAI later disabled the repository-upload mechanism through a server-side setting. However, organizations that used Grok Build before that mitigation should review affected repositories and rotate credentials that may have been present in opened files or tracked Git history.

What the Grok Build Tests Demonstrated

An independent researcher operating as Cereblab examined Grok Build 0.2.93 by routing the CLI’s network traffic through a controlled proxy. The test repositories contained synthetic canary credentials rather than real secrets.

The Cereblab wire-level analysis found that Grok Build sent the contents of files it read through POST /v1/responses. The captured request included an artificial API key and database password stored in a test `.env` file.

The same canary values also appeared in a session-state archive accepted through POST /v1/storage. This showed that the test secrets entered both the live model channel and a separate storage channel without redaction.

Data channelObserved contentWhat triggered it
POST /v1/responsesVerbatim content from files opened by the agentGrok Build read the file as part of the session
Session-state upload through POST /v1/storageSession archive containing the same synthetic secretsTrace and session-state collection
Repository upload through POST /v1/storageTracked Git files and repository historyBackground codebase snapshot mechanism

Repository Upload Included Files Grok Was Told Not to Read

The researcher created a repository containing a unique canary file and instructed Grok Build to reply only with “OK” without reading or opening any files. The agent followed the visible task, but the separate repository-upload process still packaged the project.

A Git bundle recovered from the intercepted upload contained the unread canary file and its marker. Cloning the bundle also restored the repository’s commit history. The test was repeated against a second unrelated repository with another canary file.

This distinction matters because the repository upload did not depend on the agent selecting a file as model context. A user instruction limiting file access did not control the background snapshot mechanism.

What the Tests Do and Do Not Say About .env Files

The `.env` test file entered the model and session channels after Grok Build read it. The captured values were not masked, filtered, or replaced with placeholders before transmission.

The Git-bundle test separately demonstrated the upload of tracked repository content and history. This could include a `.env` file if it had been committed, along with deleted secrets that remained in earlier commits.

The evidence does not establish that Grok Build automatically collected every untracked or gitignored `.env` file from a developer’s machine. The verified risk covers files read by the agent, tracked repository content, and historical data stored in Git commits.

File conditionVerified exposure route
File opened by Grok BuildContent may enter model requests and session-state uploads
File currently tracked by GitContent may be included in a repository bundle
Secret deleted from the working tree but retained in Git historySecret may remain recoverable from the uploaded bundle
Untracked and unread fileAutomatic inclusion was not established by the published tests
Gitignored and unread fileAutomatic inclusion was not established by the published tests

Large Test Transferred More Than 5 GiB

Cereblab also tested the upload process with a 12 GB repository filled with random files that the model did not need to read. The model-request channel transferred approximately 192 KB during the test.

The storage channel accepted about 5.10 GiB before the researcher stopped the capture. The preserved log recorded 73 large chunks of about 75 MB, along with several smaller storage requests. The server returned successful HTTP 200 responses for the observed storage uploads.

The result demonstrates that the storage mechanism could accept multi-gigabyte repository data independently of the content required for the model response. It does not prove that the entire 12 GB transfer completed because the test ended while the upload was still running.

MeasurementObserved result
Test repository size12 GB
Model-request trafficApproximately 192 KB
Captured storage trafficApproximately 5.10 GiB
Large storage chunks73 chunks of about 75 MB each
Storage responsesHTTP 200 during the captured transfer
Full 12 GB completionNot tested because the capture was stopped

Uploads Pointed to a Google Cloud Storage Bucket

The analysis connected the storage system to a Google Cloud Storage bucket named grok-code-session-traces. The bucket name appeared in the Grok Build binary and in staged metadata containing paths beginning with gs://grok-code-session-traces/.

Binary strings also referenced an internal data-collection component, storage clients, upload queues, file-access tracking, and code for sending bytes to Google Cloud Storage through a proxy.

The researcher reported observing direct Google Cloud Storage uploads during an earlier multi-gigabyte test, although those direct network lines were not preserved. The retained evidence includes successful /v1/storage requests, the captured Git bundle, binary strings, and metadata naming the bucket.

Training Claims Remain Unproven

The tests establish transmission, server acceptance, and storage-channel activity. They do not prove that SpaceXAI used private repositories or secrets to train Grok models.

The company’s privacy policy describes how information may be collected and used, while account settings can govern some model-improvement and retention choices. Those policies must be evaluated separately from the technical question of what crossed the network.

Turning off the “Improve the model” option did not stop the repository upload during Cereblab’s test. A Git bundle was captured on a SuperGrok account with the option disabled, while the server continued to return upload-related settings as enabled.

SpaceXAI Disabled the Repository Upload

Following publication of the findings, the Grok Build server began returning disable_codebase_upload: true. Subsequent tests found that the repository-upload process no longer activated.

According to The Verge’s report on the company response, Elon Musk said previously uploaded Grok Build data would be deleted. Completion of that deletion had not been independently confirmed at the time of reporting.

The server-side change reduces the immediate repository-upload risk, but it does not by itself establish what data was previously retained, how long it remained available, or whether every account and client configuration received the mitigation at the same time.

Grok Build Source Code Is Now Public

SpaceXAI has since published the official Grok Build source repository. The project contains the Rust source for the CLI, terminal interface, and agent runtime.

Public source code gives researchers and enterprise security teams a way to review the current client implementation. It can also help organizations verify how local settings, remote feature flags, upload queues, telemetry, and file-access controls interact.

The source publication does not alter the historical findings for version 0.2.93. Organizations should base incident reviews on the version and configuration used at the time, not only on the latest public code.

Local Controls for Codebase and Trace Uploads

Cereblab and other researchers identified separate controls for the repository-upload and session-trace channels. These settings address different data flows and should not be treated as interchangeable.

The local [harness] disable_codebase_upload = true setting stopped the whole-repository upload during independent tests. Trace and telemetry controls addressed session-state uploads that could contain files the agent had read.

The `/privacy` command concerns coding-data retention. Researchers reported that it did not act as the technical switch that stopped repository transmission. Security teams should verify controls through outbound monitoring after installation and after every CLI update.

ControlPurpose
[harness] disable_codebase_upload = trueLocally blocks the whole-repository upload channel
[features] telemetry = falseDisables broader telemetry when configuration precedence permits
[telemetry] trace_upload = falseDisables session-trace uploads
GROK_TELEMETRY_ENABLED=falseEnvironment-level telemetry control
GROK_TELEMETRY_TRACE_UPLOAD=falseEnvironment-level trace-upload control
/privacyReviews or changes coding-data retention rather than directly blocking every upload channel

Security Risks for Development Teams

Repository-level collection creates a wider exposure surface than sending individual files selected for a coding task. Git history can preserve credentials and confidential material long after developers remove them from the current branch.

Development repositories may also contain proprietary source code, infrastructure details, internal hostnames, vulnerability information, customer data samples, signing configuration, and deployment instructions.

Organizations should consider the following data potentially exposed if it appeared in an opened file, tracked repository content, or commit history:

  • API keys and access tokens
  • Database usernames and passwords
  • Cloud credentials and service-account files
  • SSH keys and signing material
  • Private source code and unreleased features
  • Internal infrastructure documentation
  • Security findings and vulnerability details
  • Personal or customer information committed to Git
  • Secrets deleted from current files but retained in earlier commits

What Grok Build Users Should Do

Organizations should first identify which developers, contractors, and CI environments installed Grok Build. They should record the client version, approximate usage period, account type, repository paths, and configuration active during each session.

Finding version 0.2.93 does not prove that every repository was uploaded. However, the combination of that version, an eligible account, default upload settings, and use inside a Git repository warrants further investigation.

Recommended response actions include:

  1. Update Grok Build and confirm that the server returns the repository-upload disable setting.
  2. Add a local codebase-upload veto rather than relying only on a remote feature flag.
  3. Disable trace uploads and unnecessary telemetry where organizational policy requires it.
  4. Review local Grok logs and upload-queue artifacts for repository snapshot activity.
  5. Inspect proxy, firewall, DNS, and endpoint telemetry for unexpected storage uploads.
  6. Search affected repositories and complete Git history for credentials and confidential files.
  7. Rotate exposed API keys, database passwords, cloud credentials, SSH keys, and signing secrets.
  8. Remove secrets from Git history using an approved history-rewriting process.
  9. Run cloud coding agents only inside repositories prepared for external processing.
  10. Use isolated workspaces or restricted development containers for sensitive projects.
  11. Request retention and deletion confirmation through the organization’s SpaceXAI account or legal contact where appropriate.

Why Configuration Verification Matters

Grok Build uses local configuration, environment variables, and remotely supplied settings. Their precedence can affect whether an upload control takes effect.

The newly available Grok Build codebase may help defenders verify current behavior, but runtime testing remains important. Auto-updates and server-side feature changes can alter the effective configuration without a manual reinstall.

Teams can test their controls with synthetic canary repositories and network monitoring. They should never place real credentials in a validation project. A successful test should confirm that prohibited storage requests do not leave the machine.

Cloud Coding Agents Need Repository-Level Controls

Cloud coding agents must send some source context to remote infrastructure to analyze code. The security question is whether the transmitted scope matches what users expect and what the immediate task requires.

SpaceXAI introduced Grok Build as a terminal-based coding agent for professional software development. The SpaceXAI privacy terms provide broad policy information, but development teams still need product-specific controls covering source selection, repository history, retention, and deletion.

The incident shows why enterprises should combine vendor settings with local technical enforcement. File access restrictions, egress monitoring, secret scanning, isolated workspaces, short-lived credentials, and verified retention policies can reduce the impact when an AI development tool sends more data than expected.

Current Status

The reported whole-repository upload has been disabled through a server-side setting, and SpaceXAI has made the Grok Build source available for public review.

Reporting on the response also records a public commitment to delete previously uploaded data. Independent confirmation that the deletion process has finished has not been published.

Organizations should continue treating earlier Grok Build sessions as a possible data-exposure event until they have reviewed repository contents, Git history, credentials, logs, and applicable account-retention settings.

FAQ

What data did Grok Build CLI transmit?

Controlled tests showed that Grok Build 0.2.93 sent files opened by the agent through model requests and session-state uploads. A separate mechanism uploaded tracked Git repository content and commit history.

Did Grok Build upload every .env file?

The tests did not prove that every untracked or gitignored .env file was automatically uploaded. They showed an opened .env test file entering model and session requests without redaction. A committed .env file or historical secret could also appear in an uploaded Git bundle.

Did the repository upload include files Grok was told not to read?

Yes. A captured Git bundle contained a tracked canary file that the agent had been explicitly instructed not to open, along with the repository’s commit history.

Did SpaceXAI use the uploaded code for AI training?

The published evidence does not prove that SpaceXAI trained models on the uploaded repositories. It establishes transmission, server acceptance, and storage-channel activity. Training and retention depend on separate policies and account settings.

Has the Grok Build repository upload been disabled?

SpaceXAI disabled the repository-upload mechanism through a server-side setting after the findings became public. Users should still update the CLI, apply local upload controls, and verify network behavior after future updates.

What should developers do if they used Grok Build 0.2.93?

They should review repositories and Git history for sensitive information, inspect logs and network records, rotate potentially exposed credentials, update the CLI, enable local codebase and trace-upload controls, and confirm applicable retention settings.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages