Grok Build leak

The Grok Build Leak Isn’t About 5GB. It’s About the 27,800x Number Nobody Expected

Every AI coding assistant has to answer an uncomfortable question sooner or later: what, exactly, leaves the laptop when a developer asks it for help? This week, xAI’s answer to that question turned out to be “almost everything,” and the way it was measured is more interesting than the leak itself.

A 27,800x gap

Security researcher Cereblab set out to test SpaceXAI’s Grok Build CLI, version 0.2.93, with a deliberately boring prompt: reply “OK,” and don’t open any files. Grok Build replied “OK.” It also quietly packaged the entire repository into a Git bundle, commit history included, and shipped it to a Google Cloud Storage bucket run by xAI.

The forensic detail that turns this from an anecdote into an industry benchmark is the byte accounting. On a roughly 12GB test repository, the model-facing channel — the traffic actually used to generate Grok’s response — carried about 192KB. The storage channel, the one nobody asked for, carried 5.1GB, arriving in 73 chunks of about 75MB apiece, every one logging a clean HTTP 200. That’s a gap of roughly 27,800 times more data moving through the back channel than through the front one.

That ratio is the real story. Data volume alone tells you a tool is chatty. A near-total mismatch between what a task needs and what a tool takes tells you the upload wasn’t a side effect of doing the job — it was the job, running in parallel to the one the user actually requested.

The privacy toggle that didn’t do the thing it said

The second finding compounds the first. Grok Build ships with an “Improve the model” setting that, by its own framing, should have been the relevant control. Cereblab turned it off. The repository upload happened anyway, and the server’s settings endpoint kept reporting a training-data flag as active regardless. The control users would reasonably reach for something governed adjacent to the actual data flow, not the flow itself.

xAI’s public statement, issued through its @SpaceXAI account rather than a security advisory, pointed instead to zero data retention (ZDR) as the safe configuration and to a new /privacy command as the consumer-facing fix. Cereblab’s follow-up testing found that the command wasn’t what stopped the transfers. A separate, undocumented server-side flag — disable_codebase_upload: true — was. The client binary never changed; the behavior did, purely because xAI flipped a switch on its own servers. Which means the same binary could, in principle, have that switch flipped back with no update, no changelog entry, and no way for a user to detect it.

Elon Musk’s response went further than the company’s, pledging a full deletion of previously uploaded user data. He also, separately, suggested some retention helps with debugging — a framing that sits awkwardly next to a promise to delete everything.

What this actually changes for developers

Practically, the fix means the tool has stopped moving whole repositories in the configurations tested so far. That is not the same as a resolved incident. Nobody outside xAI has confirmed how long the collected repositories were retained, whether any of that code touched training or human review pipelines, or whether the fix reaches every account rather than the ones researchers happened to probe. The upload code itself reportedly remains present in later builds — dormant, not removed.

For anyone who ran Grok Build against a real project before July 13, the practical advice from the researchers is blunt: rotate anything the agent could have reached, not just files it read in a session, but tracked files and anything sitting in Git history — including secrets committed and later deleted, since a bundle carries history that a working tree does not.

Why the comparison to other CLIs matters more than the scandal

The detail that should worry the coding-assistant category more broadly isn’t that one company got this wrong. It’s that the industry’s other major agentic CLIs — Claude Code, Gemini, Codex — were reported to open individual files as needed rather than bundling entire repositories with commit history by default. That’s not a marketing distinction; it’s an architectural one, and it’s the kind of thing that’s usually invisible to a user until someone runs a wire capture.

As agentic coding tools become the default way developers touch production codebases, the byte-ratio test Cereblab used here — what the model needed versus what actually left the machine — is a more honest audit than any privacy policy. It doesn’t require trusting a company’s language about consent or training opt-outs. It just requires watching the wire.

Related: Grok 4.5: Benchmarks, Pricing & Is It Worth It? (2026)

Tags: