Grok Build CLI Shipped Whole Repos And Secrets To xAI

TL;DR

Grok Build CLI 0.2.93 silently uploaded entire Git repositories, including full commit history, to xAI-controlled Google Cloud Storage.
– A 12 GB repository generated 5.5 GB of data transmission before the test was stopped, confirming that even unmodified and unread files were uploaded.
– Sensitive information in `.env` files was transmitted verbatim, without masking or redaction.
– xAI’s documentation only mentioned sending “file contents” and did not disclose full repository uploads.

Grok Build CLI 0.2.93 silently uploaded entire Git repositories, including commit history and unredacted `.env` secrets, to Google Cloud Storage controlled by xAI. Wire-level packet captures confirmed that the tool packaged the full repository as a Git bundle and transmitted it through a separate storage endpoint.

Even files the AI agent never accessed were included in the upload.

If you build with AI coding tools and your repository contains anything sensitive, this is the kind of finding that should make you check what your CLI is actually sending over the network.

What Did Grok Build CLI Actually Upload?

The answer is the entire tracked Git repository.

Not just the files you opened or the context the model needed to see. The tool packaged the whole repository, including all tracked files and the full commit history, as a Git bundle and shipped it to Google Cloud Storage.

A security researcher ran wire-level packet captures on Grok Build CLI 0.2.93 and found two distinct outbound data channels.

The first, `POST /v1/responses`, sends the raw contents of files the agent reads to the live model endpoint. That is expected behavior for a cloud-based coding assistant. The second, `POST /v1/storage`, sends a session-state archive and the full Git repository bundle to Google Cloud Storage. That channel was not expected, and it was not disclosed.

The numbers back up the claim. During a test with a 12 GB repository, 5.5 GB of data had already been uploaded before the process was halted. The upload covered files the AI never touched, files that had not been modified. And the entire commit history going back to the repo’s first commit. The bundling mechanism operated independently of what the agent actually accessed during the session.

A fact-check summary based on the packet capture concluded that Grok Build CLI 0.2.93 “silently uploads entire Git repositories as bundles to Google Cloud Storage,” transmitting gigabytes of data far exceeding the size of files actually read during the session. The researcher verified this by reconstructing the repository from the captured bundle and confirming that every tracked file and the full history were present.

Your Secrets Were Sent Unmasked

The repository upload is bad enough on its own.

But the same teardown revealed that any file the CLI reads, including `.env` files, was sent without masking or redaction.

That means sensitive information in your environment files went directly to xAI. The researcher demonstrated that a secret appeared in two places: the live model turn via `POST /v1/responses`. And a session-state archive accepted with HTTP 200 via `POST /v1/storage`.

Both channels carried the raw, unredacted values.

For a small agency or solo developer, this is the scenario you hope never happens.

Your `.env` file probably holds your Stripe secret key, your database URL with credentials embedded, your AWS access keys. And your third-party API tokens. All of those would have been transmitted to a third-party cloud storage endpoint without your knowledge or consent.

An AI news digest summarized the incident plainly: Grok Build CLI 0.2.93 uploads whole Git repos plus unredacted `.env` secrets to a Google Cloud bucket.

The Gap Between Docs And Reality

xAI’s public documentation for Grok Build mentioned sending “file contents” for cloud inference.

It did not disclose that entire Git repositories and full commit histories would be uploaded and stored. That documentation gap is the part that should anger every developer who trusted the tool.

Developers who read the docs and thought they understood the data flow were making decisions based on incomplete information. The documentation described a system that reads your files and sends context to a server for inference. The reality was a tool that clones your entire repository, bundles it with full history. And stores it on Google Cloud infrastructure controlled by xAI.

A Q&A-style analysis asked the question directly: “Does Grok Code upload your entire repository to xAI?” The answer was yes.

Technical wire-level analysis of Grok Build CLI 0.2.93 confirmed that the full workspace and history are packaged and uploaded as a Git bundle. The security-focused summary described it as a “security vulnerability,” noting that the tool uploads “all Git-tracked files and the full commit history,” with an explicit warning that `.env` secrets may be exposed.

Multiple independent analyses converged on the same conclusion. Grok Build CLI 0.2.93 established a background storage channel that silently uploaded entire Git repositories, including commit history, to Google Cloud Storage. This channel operated completely separate from the visible model interaction endpoint.

What Small Operators Should Actually Do

If you used Grok Build CLI 0.2.93 on any repository containing secrets, assume those secrets were transmitted.

Rotate every sensitive credential that was present in your `.env` files during that period. The packet capture evidence is unambiguous: secrets went through unredacted to two separate endpoints, with no masking applied.

Going forward, treat any AI coding tool that requires cloud access as untrusted by default. Run it inside a container or virtual machine with no access to your real `.env` files. Use a disposable repository with mocked credentials for testing. If the tool needs to read your actual codebase to be useful, use Git-level isolation: a separate branch, stripped of history, with secrets injected at runtime rather than committed to the repo.

The broader lesson is that documentation disclosures and actual wire-level behavior can diverge wildly. xAI is not the first company to under-disclose what its tools send home. And they will not be the last. Packet captures do not lie.

Privacy policies and marketing pages sometimes do, often by omission rather than by direct falsehood.

If your agency ships client work and you ran Grok Build CLI on those repositories, you owe your clients a conversation about what happened. That disclosure might be uncomfortable. It beats a breach notification six months down the line.

Sources

Grok Build CLI 0.2.93 Found to Upload Entire Git Repositories (KuCoin News)
Does Grok Code Upload Your Entire Repository to xAI? (Consens.io)
Grok Build CLI Ships Whole Repos and .env Secrets to xAI (AI/TLDR)
Wire-Level Teardown by cereblab (GitHub Gist)

Leave a Reply

Your email address will not be published. Required fields are marked *