Grok Builds Entire Git Repositories on xAI Storage, Not Just Read Files

The Grok Build code CLI for xAI was uploading all Git repositories, full commit history and all, to a Google Cloud Storage bucket managed by xAI, not just the files the coding work required.
Researcher publishing as cereblab, experimental version 0.2.93it captured some of the uploads, built a git bundle on the intercepted request, and returned the file that the agent had been told in no uncertain terms not to open.
The upload is on a different channel than the model itself, and the byte separation is hard to argue with. In the 12 GB repo of files the model has never been read, open traffic to it /v1/responses it reached about 192 KB while the last channel is /v1/storage moved 5.10 GiB, a gap of about 27,800x between what the model needed and what the machine left.
That storage load worked out as 73 chunks of about 75 MB, each returning an HTTP 200, and for every explorer size swept volume followed by the total repo size. local bucket, grok-code-session-tracescomposed both on and off the stage metadata.json which the paths of each file point to gs://grok-code-session-traces/.
The unread file was src/_probe/never_read_canary.txtplanted with a unique tag. Compiling the captured batch returned it verbatim and the full commit history of the repo, and the same test was repeated on a second, unrelated repo. What establishes capture is transfer, acceptance, and retention, not training.
Redundancy doesn’t mean that xAI is trained on the code, that employees have learned it, or that neglected files are always swept away. Traced files and history are what the strings show.
The secret path is different and simple. When Grok reads a file, its contents are entered into the model’s inversion, and tracked .env he went with them without turning, the canary API_KEY again DB_PASSWORD prices and everything. The same content also came to a session_state the archive is locked for storage. The secrets planted were false, so nothing real was leaked from the test. The behavior is still problematic: the authentication file read by the agent during the operation is exited and saved without being recreated.
The settings that most developers have access to do nothing here. With “Upgrade model” disabled, Grok still loads the cache, as well as the server itself /v1/settings the answer kept coming back trace_upload_enabled: true. That variable controls whether your data trains the model. It does not control whether your code leaves the machine. Those are two separate controls, and only one of them is exposed to the user.
Every cloud coding agent has to send some resource to the remote model to do its job, so the first channel is expected. Exporting the entire tracked archive and its history is a wider margin than exporting the files required for the job.
The repo can hold proprietary code, internal URLs, customer data, and information extracted from the working tree but still in the commit history. Compared to cereblab of various tools, Codex Claude and Codex did not send a lot of cache; Gemini did not send anyone to idle tests, even if their practical performance was restricted by the quota before it was completed.
Grok Build is the best. Those are still cloud tools that send the files they open, so “local only” is the wrong mental model for any of them. But the workspace cluster was specific to Grok Build.
xAI response
On July 13 the same 0.2.93 binary stop making storage requests. cereblab was retested six times and saw zero /v1/storage uploaded, and the server is now back disable_codebase_upload: true again trace_upload_enabled: false.
Developer Peter Dedene reported that the same flag was returned to his account, so the shutdown was not just an observation of one cereblab machine. The tested client remained open 0.2.93 while its server settings changed, so this was a server-side change, not a fix posted via update. xAI does not guarantee that it accesses every account or forever.
xAI has so far addressed the issue in X instead of using a security advisory or change note. The @SpaceXAI account said that enterprise groups that store zero data never code or track stored data, that API key usage respects ZDR, and that consumers who haven’t enabled it can’t work. /privacy in the CLI to disable backup and delete previously synced data.
Elon Musk went further, saying that all previously uploaded user data will now be “totally and completely deleted,” leaving nothing behind. ZDR includes business groups and API implementations, so for individual subscribers /privacy command is a given control.
For anyone who is already using the tool, the move is not to wait for xAI. Rotate any commits Grok might have sent: anything it reads, anything in the tracked file, and anything in the git history of the managed bundle, including a secret you created and later deleted.
An ignored and uncommitted file is always outside the stack. You committed to riding in history, and removing it later does not bring it back. A separate analysis of build 0.2.99 found that the loading code is still in the binary, caught by the server flag, so that xAI can open it again without an update.
And it still hasn’t said why the full repositories were automatically uploaded, how long they were stored, or how many users were affected. Coming out of training isn’t a promise that your code will stay put, and that leaves the machine to test yourself.



