cd /news/ai-tools/grok-build-was-uploading-entire-git-… · home topics ai-tools article
[ARTICLE · art-59605] src=thenextweb.com ↗ pub= topic=ai-tools verified=true sentiment=↓ negative

Grok Build was uploading entire Git repositories to xAI’s cloud, including committed secrets

XAI's Grok Build coding CLI was found uploading entire Git repositories, including committed secrets and API keys, to a Google Cloud Storage bucket, with upload volume 27,800 times greater than needed. Security researcher cereblab published a wire-level analysis on July 12 proving the breach, contradicting xAI's claims that nothing from codebases was transmitted. Elon Musk confirmed the uploads and said prior user data would be deleted, but no independent audit has verified the deletion.

read1 min views1 publishedJul 14, 2026
Grok Build was uploading entire Git repositories to xAI’s cloud, including committed secrets
Image: Thenextweb (auto-discovered)

A security researcher published a wire-level analysis on July 12 proving that xAI’s Grok Build coding CLI was packaging developers’ entire tracked repositories, including full Git history, committed secrets, and API keys, and sending them to a Google Cloud Storage bucket. The upload volume was roughly 27,800 times greater than the data the coding task actually required, according to the analysis.

The researcher, publishing as cereblab, tested version 0.2.93 of Grok Build, intercepted the upload, cloned the git bundle from the captured request, and recovered a file the AI agent had been explicitly told not to open. xAI had marketed the tool with claims that “nothing from your codebase transmitted to xAI servers during a session.” The wire data directly contradicts this.

The privacy toggle that was supposed to prevent data transmission did nothing, according to multiple reports. Grok has a history of privacy issues, including training on X user data without consent in what regulators called a “very likely” breach of EU law. A quarter of European firms have banned Grok entirely in favour of alternatives with better security controls.

Elon Musk confirmed the uploads and said SpaceXAI would delete all prior Grok Build user data. The company documented a “zero data retention” policy and added a /privacy endpoint. A same-client retest observed a server-side flag disabling the uploads. However, no independent audit has confirmed the deletion. Grok Build launched alongside Grok 4.5 as xAI’s answer to Claude Code and Cursor, making the privacy breach particularly damaging for a product positioned to win enterprise developer trust.

Get the TNW newsletter #

Get the most important tech news in your inbox each week.

── more in #ai-tools 4 stories · sorted by recency
── more on @xai 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/grok-build-was-uploa…] indexed:0 read:1min 2026-07-14 ·