Grok's Coding CLI Silently Uploads Your Whole Repo — Secrets and All — to xAI
A reproducible teardown of xAI’s official Grok Build CLI found that the tool leaks far more than users likely expect. Running under a normal consumer login, the binary transmits the contents of any file the agent reads — including a .env secrets file — to xAI verbatim and unredacted, surfacing in both the live model request (POST /v1/responses) and a separate archive uploaded to a Google Cloud Storage bucket named grok-code-session-traces. The researcher confirmed the leak using a throwaway repo seeded with canary markers, recovering planted API keys and DB passwords intact from captured, decrypted wire traffic.
More striking is a second channel that ignores what the agent actually reads. Even when prompted to reply ‘OK’ and open no files, Grok packaged the entire workspace — every tracked file plus full git history — as a git bundle and uploaded it to /v1/storage, and cloning that captured bundle recovered a file the agent had been explicitly told not to touch. Scale tests showed the upload tracks the codebase rather than the conversation: on a 12 GB repo of never-read files, the storage channel moved over 5 GiB while the model turn moved just 192 KB, a roughly 27,800x ratio with no observed storage size cap. The only failures seen were model-usage quota errors, not upload limits.
The collection appears active by default and is not clearly documented in the install or quickstart materials. Disabling the ‘Improve the model’ setting does not stop it — /v1/settings still reported trace_upload_enabled: true — and the upload machinery is a first-party Rust crate (xai-data-collector) baked into the binary. The author is careful to bound the claims: this proves transmission, acceptance, and storage of the data, not that xAI trains on it, and notes untested cases such as .gitignored files and whether high-entropy token formats get redacted. For developers, the practical takeaway is that pointing this CLI at a real repository ships that repository, its history, and any embedded credentials off your machine.
Read the full article
Continue reading at Hacker News →This is an AI-generated summary. Read the original for the full story.