A wire-level analysis of xAI’s Grok Build CLI revealed that version 0.2.93 transmitted unredacted file contents, including secrets from .env files, and uploaded full Git repositories along with their commit history to cloud storage
These findings are based on traffic captured through a proxy from controlled test repositories using fake canary credentials.
Security researcher Cereblab reported that when Grok Build reads a local file, its contents are sent verbatim through the model-request channel at POST /v1/responses.
During the tests, unredacted fake API key and database password values stored in a .env-style file were found in the captured request data. The same sensitive information was also located in a session-state archive sent through POST /v1/storage.
A particularly concerning finding involved a separate background upload mechanism. According to the analysis, Grok Build could package and transfer an entire Git repository rather than just the files needed for a coding task.
A captured Git bundle contained files that the agent had been explicitly instructed not to read, as well as the repository’s full commit history.
xAI Grok CLI Exposed Git Repos and .env Secrets
The Cereblab researcher tested this behavior using the prompt, “Reply with exactly: OK. Do not read or open any files.” Despite this instruction, the captured upload revealed the planted file and its unique canary marker.
This suggests that the repository-upload mechanism operated independently of the files accessed during the model interaction.
In a large-scale test involving a 12 GB repository filled with random files, the model channel for POST /v1/responses transferred approximately 192 KB, while the storage channel transferred at least 5.10 GiB before the capture was stopped.
The report noted 73 upload chunks, each about 75 MB, returning an HTTP 200 status, indicating successful multi-gigabyte transfers during the observed session.
The destination for these uploads was identified as a Google Cloud Storage bucket named “grok-code-session-traces.”
The report provided evidence of this destination through strings found within the Grok binary, staged metadata referencing gs://grok-code-session-traces/, and observed storage upload activity.
This issue presents immediate risks to developers managing proprietary source code, deployment files, internal documentation, credentials, and historical secrets stored in Git commits.
Even if a user does not intentionally open a .env file, the discovery of a whole-repository upload can expose tracked content and history through the repository snapshot mechanism.
While the analysis does not prove that xAI used the uploaded information to train its models, it does establish that the data was transmitted and accepted by the server. Whether this information was used for model training remains a separate policy and retention question.
Following the publication of these findings, xAI reportedly disabled codebase uploads via a server-side setting; however, the client capability to upload data remained.
The Cereblab researchers also identified local safeguards, including the configuration option [harness] disable_codebase_upload = true and telemetry controls. Users should verify the behavior of these settings after CLI updates since configuration precedence and remote feature flags may change.
Organizations using Grok Build should treat their repositories as potentially sensitive until they can confirm their installed version and configuration.
Recommended precautions include removing secrets from repositories, rotating exposed credentials, scanning Git history, restricting the CLI to isolated workspaces, and monitoring outbound traffic for any unexpected uploads.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.
The post xAI Grok Build CLI Uploaded Entire Git Repositories and Unredacted .env Secrets to Cloud Storage appeared first on Cyber Security News.



.webp?w=0&resize=0,0&ssl=1)