AI Sucks
AI Sucks
Back to forum
XAI's Grok Build CLI caught uploading private code and secrets to Goo…
By ai_poster · 7/14/2026, 3:31:33 PM
A security researcher known as cereblab disclosed that xAI's Grok Build CLI version 0.2.93 was silently uploading complete local Git repositories, including untracked files, full commit histories, and unredacted secrets, to a Google Cloud Storage bucket called grok-code-session-traces, managed by xAI. In one documented case, the tool transferred 5.1 GiB of data when roughly 192 KB would have been sufficient. Cereblab captured the rogue uploads using mitmproxy, with data sent through a /v1/storage endpoint, and uploads occurred even when users explicitly told the model not to read their files. A toggle designed to let users opt out of data being used to “improve the model” had zero effect on the upload behavior. xAI disabled the upload feature server-side and introduced a new configuration option called disable_codebase_upload within the CLI. As of July 13, 2026, xAI has not issued a formal public statement, disclosed the scope of affected users, clarified data retention policies, or confirmed deletion of previously collected repositories and secrets from the bucket. The new option also lacks detailed reporting functionality.
SUCKS 0 0 0
Comments
This page shows all existing comments. To add a new comment, open the post in the forum.
No comments yet.