Skip to content

Grok Build Uploaded Entire Repos to the Cloud. xAI Just Open Sourced It to Win Back Trust

July 17, 2026. The biggest AI story of this week was not a model launch. It was a trust failure, and an unusually fast attempt to repair it. Security research published this week showed that Grok Build, the terminal coding agent from xAI, had been uploading users' entire Git repositories to a cloud storage bucket by default, far beyond the files a task actually needed. Within four days, xAI killed the behavior server side, Elon Musk promised that previously uploaded data would be deleted, and the company published the entire Grok Build codebase on GitHub under an Apache 2.0 license.

For any business that lets AI agents touch its code, files, or customer data, and that is exactly what our AI automation clients do every day, this week is the clearest lesson yet in how to evaluate agent tooling. Here is what happened, verified against the researcher's published captures and xAI's own statements, and what to do about it.

What the researcher found

A researcher publishing as cereblab documented the behavior in a detailed teardown of Grok Build version 0.2.93, reported by The Hacker News on July 14. The key developments:

  1. Whole repositories left the machine, not task files. On a 12 GB test repo of files the model never read, traffic to the model endpoint came to about 192 KB while a separate storage channel moved 5.10 GiB, a roughly 27,800x gap between what the model needed and what was uploaded. The upload ran as 73 chunks of about 75 MB to a bucket named grok-code-session-traces.
  2. Git history came along, including deleted secrets. The researcher cloned the captured Git bundle and recovered a canary file the agent had been explicitly told not to open, plus full commit history. A committed credential that was deleted months ago still rides along in history.
  3. A tracked .env file went out unredacted. Canary API keys and database passwords planted for the test appeared in the model turn and in a stored session archive with no redaction.
  4. The privacy toggle did not control it. With the "Improve the model" setting turned off, the upload continued. That toggle governed training consent, not whether code left the machine. Those are two different controls, and only one was exposed to users.
  5. On July 13 the uploads stopped via a server-side switch. The same binary stopped making storage requests and the server began returning a disabled flag, a change other developers independently confirmed. A separate analysis of build 0.2.99 found the upload code still present in the binary, held off by that server flag.
  6. On July 15-16 xAI open sourced the whole tool. The company published Grok Build at github.com/xai-org/grok-build under Apache 2.0 and reset usage limits for all users.

One user report cited by independent analyst Simon Willison described running the command in a home directory and watching it upload SSH keys, a password manager database, documents, and photos. Willison's review of the released code also counted 844,530 lines of Rust and found the old upload routines still present but disabled, now returning a hard-coded unavailable error.

What xAI actually committed to

xAI's public response came through X posts rather than a security advisory. The company said enterprise teams on zero data retention never had code or trace data stored, that API key usage respects those settings, and that consumer users can run a /privacy command in the CLI to disable retention and delete previously synced data. In its open sourcing announcement, xAI said retention defaults were switched off for all Grok Build users starting July 12 and that all previously retained coding data is being deleted. Musk went further, posting that all user data uploaded before now would be "completely and utterly deleted."

Worth stating plainly: the researcher's captures establish transmission and storage, not training, and xAI has still not published a formal account of why full repositories were uploaded by default, how long they were kept, or how many users were affected. The deletion promise is currently a statement on X, not an audited process.

How other coding agents behaved

The same researcher ran a cross-tool comparison. Claude Code and Codex sent no repository bundle, and Gemini's CLI sent none in an idle test. Every cloud coding agent sends the files it opens to a remote model, that is how they work, so "local only" is the wrong mental model for all of them. But wholesale collection of the entire workspace was specific to Grok Build. This distinction matters when your agency or dev team picks its stack, and it is the same class of question we covered when OpenClaw patched three flaws that could chain WhatsApp messages into host code execution on July 10. Agent capability and agent containment are now separate line items on the evaluation sheet, which is why hardened OpenClaw setup and agent configuration has become real client work.

What it means for operators

If AI coding agents or autonomous automations run anywhere in your business, run this six-step audit this week:

  1. Inventory every agent with filesystem or repo access. Coding CLIs, browser agents, automation runners, anything that can read directories. You cannot audit what you have not listed.
  2. Separate the two consents: training and transmission. This week proved a training opt-out is not a data-leaves-my-machine opt-out. Read the retention docs for each tool and find the control for each channel. If only one control exists, assume the other channel is open.
  3. Watch the wire once per tool. The whole story was uncovered with ordinary traffic interception. A one-hour session per tool, watching what leaves during a routine task, is now a reasonable onboarding gate for any agent that touches client work.
  4. If your team ran Grok Build, rotate credentials now. Anything the agent read, anything in a tracked file, and anything in Git history, including secrets you committed and later deleted. Do not wait on the deletion promise.
  5. Prefer inspectable or contractually bounded tools for sensitive work. Open source lets you verify behavior, the fix that made this story end well. Enterprise zero-data-retention agreements are the contractual equivalent. Consumer defaults are the weakest tier, treat them that way.
  6. Fix the Git hygiene that made this worse. Secrets in commit history were the multiplier here. Move credentials to a secret manager, gitignore env files, and treat any committed secret as burned the day it lands in history.

For teams that want this handled properly, this is the exact scope of an agent security pass our AI engineers run when standing up automation stacks: tool inventory, egress checks, credential rotation, and retention settings verified against the vendor's actual behavior rather than its marketing page.

The bigger picture

There is also a positive reading. A week after shipping Grok 4.5 as its strongest coding model, a frontier lab shipped a serious privacy failure, got caught by an independent researcher within days, and responded by open sourcing 844,530 lines of production Rust rather than lawyering up. Users can now run Grok Build fully local-first with their own inference. That is a better outcome than most data incidents produce, and it sets a precedent the next vendor caught doing this will be measured against. Trust in agents is earned in the transport layer, not the benchmark table. This week the market repriced accordingly.

Get AI agents working in your business without betting the codebase on trust

We design, build, and run it for you, integrated with the tools you already use. Free audit in 24 hours.

Get Your Free Audit

Frequently Asked Questions

Security researcher cereblab showed that Grok Build version 0.2.93 uploaded entire tracked Git repositories, including full commit history, to an xAI cloud storage bucket named grok-code-session-traces. On a 12 GB test repo, about 5.10 GiB moved to storage while the model itself only needed roughly 192 KB. A tracked .env file also went into the model turn and a stored session archive unredacted.

No. With the Improve the model setting off, the repository upload continued because that toggle only governed training consent, not data transmission. The uploads stopped on July 13, 2026 through a server-side change by xAI, and analysis of a later build found the upload code still in the binary, held off only by the server flag.

According to the researcher's published cross-tool comparison, no. Claude Code and Codex sent no repository bundle, and Gemini sent none in an idle test. All cloud coding agents transmit the files they open to a remote model, so no cloud tool is truly local-only, but wholesale collection of the entire workspace was specific to Grok Build.

Rotate every credential the agent could have transmitted: anything it read, anything in a tracked file, and anything in Git history, including secrets committed and later deleted. Consumer users can run the /privacy command in the CLI to disable retention and request deletion of previously synced data. Do not rely solely on the deletion promise, which is currently a statement on X rather than an audited process.

xAI published the full codebase on GitHub under an Apache 2.0 license on July 15-16, 2026, days after the upload behavior was exposed, saying it wanted to offer complete user privacy with retention off by default, retained data deleted, and an open source harness users can inspect and run local-first with their own inference. It is widely read as a move to rebuild developer trust.

Check four things: whether transmission controls are separate from training controls, whether the vendor publishes retention terms you can hold them to, whether the tool is inspectable through open source or bounded by an enterprise zero-data-retention agreement, and what actually leaves the machine when you watch its network traffic during a routine task. If you cannot verify any of the four, do not point the agent at sensitive repositories.

Free Strategy Audit

Ready to put this to work?

Join 200+ businesses already scaling with AI and automation. Get your free audit and a custom roadmap within 48 hours.

Website & marketing performance analysis
AI & automation opportunity mapping
Custom growth roadmap with ROI estimates
Delivered within 48 hours, 100% free
200+
Clients served
48hr
Turnaround
100%
Free, no strings

Get Your Free Audit

Takes 30 seconds. No credit card required.

Prefer to chat?

WhatsApp us