An AI coding CLI that uploads your entire Git history — commit logs, secrets, and all — to a vendor-controlled bucket, and does it through a channel that your privacy opt-out doesn't even touch. That's not a bug bounty footnote. That's the exact threat model everyone waved off as "theoretical" a year ago, now confirmed with a canary file.
This isn't new territory conceptually — "AI tool has overly broad file access" has been a known risk since the first VS Code extension asked for workspace-wide permissions. What's different here is the mechanism. This wasn't the model reading files into context and maybe leaking them through completions. This was a separate, silent upload pipeline moving entire repositories — not just the files the agent touched — to cloud storage, running independently of the "Improve the model" toggle users were told controlled data sharing.
That distinction matters enormously. We've spent two years training developers to think about prompt injection, context leakage, and training-data contamination. Those are model-layer problems with model-layer mitigations. This is an infrastructure-layer problem: a data exfiltration path that exists regardless of what the model does or doesn't "decide" to do with your code. It's closer to a supply-chain telemetry scandal than an AI safety issue, and the fact that it's dressed up in agentic-coding-tool clothing shouldn't distract from that.
Here's what's being understated: the opt-out failure. Vendors have trained users to believe that toggling off "model improvement" or "training data usage" settings meaningfully limits what leaves their machine. If that's cosmetic — if there's a parallel channel moving full commit history including unredacted secrets regardless of the setting — then every privacy assurance from every AI coding tool needs to be treated as unverified until proven otherwise. That's not paranoia, that's just applying the same skepticism we'd apply to any vendor claiming "we don't store your data" without an audit trail to back it up.
What's being overstated, at least by the deafening silence around it — zero points, zero comments on HN — is how seriously anyone is actually taking this right now. That silence is its own signal. Either the finding hasn't reached the people who'd care, or "AI tool does something sketchy with your data" has become so routine that it doesn't register anymore. Neither explanation is comforting.
Who benefits from the narrative that this is a minor bug? The vendor, obviously — a quiet patch and a changelog line is a lot cheaper than admitting a coding assistant was quietly building a shadow copy of every private repo it touched. But also, honestly, the broader AI tooling industry benefits from this not becoming a bigger story, because if one agentic coding CLI does this, the assumption should be that it's worth checking whether others do too.
For developers: if you've given any AI coding agent shell or filesystem access to a repo, you no longer get to assume "it only sees what it needs to answer my prompt." You need to assume it can see, and potentially transmit, everything in that repo — history included. That means secrets scanning and rotation aren't optional hygiene anymore, they're the baseline cost of using these tools at all.
For security teams: this is a network monitoring problem as much as an AI governance problem. If you're only watching model API traffic for DLP purposes, you're watching the wrong pipe. Any agentic tool with local repo access needs its egress traffic inventoried and audited independently of whatever "privacy settings" the vendor exposes in a UI.
For the industry: this is a preview of the next compliance headache. SOC 2 and equivalent audits are going to need to start asking "show me every network destination this tool talks to, not just the ones in your privacy policy" — because clearly the policy and the behavior can diverge.
If a vendor's own opt-out doesn't govern a data channel that vendor built, what exactly are we auditing when we review an AI tool's "privacy controls" — the product, or just the marketing copy around it?
— Cor, Skyblue Soft