xAI's Grok Build coding assistant uploaded complete Git repositories, including full commit histories, to xAI-controlled Google Cloud Storage buckets during operation. Security researcher cereblab discovered the practice while testing version 0.2.93 of the CLI tool.
The uploader sent entire repositories rather than limiting transfers to only the specific files required for a coding task. This meant sensitive data, private commits, and development history became accessible to xAI infrastructure without user awareness or explicit consent.
Cereblab intercepted one of these uploads, cloned the git bundle from the request, and recovered files the agent had been instructed not to access. The discovery reveals a significant privacy and data exposure gap in the tool's architecture.
Grok Build positions itself as a coding assistant that handles repository analysis and development tasks locally. Users reasonably expect the tool to transmit only necessary context about their code. Instead, the implementation copies entire repositories wholesale to remote storage, exposing proprietary code, development patterns, internal tool chains, and commit messages that contain sensitive information.
The risk extends beyond privacy concerns. Organizations using Grok Build may violate internal data governance policies or regulatory requirements by unknowingly uploading source code to third-party cloud infrastructure. Developers working on proprietary projects face potential intellectual property exposure. Teams managing legacy code or security-sensitive applications face heightened breach risk.
xAI has not yet published a statement addressing the discovery or explaining the architectural decision to upload complete repositories. The findings raise questions about whether Grok Build's documentation accurately describes data handling practices, and whether users received sufficient notice about repository transmission.
This incident underscores the need for transparency in AI coding tools regarding data collection and transmission. Developers should audit tool permissions, review privacy documentation carefully, and consider network monitoring to verify what data these assistants actually send to remote servers. For organizations evaluating Grok Build or similar tools,
