Grok Build was caught uploading entire repositories, deleted secrets included, to xAI's cloud

On July 10, 2026, AI safety researcher Cereblab published a wire-level analysis showing Grok Build, xAI's command-line coding agent, was packaging users' entire repositories as git bundles and uploading them unredacted to the Google Cloud Storage bucket grok-code-session-traces, independent of what the agent read. With the prompt 'reply OK, do not read any files,' the CLI still uploaded the whole repo, including a planted never-read canary file recovered verbatim by cloning the captured bundle, plus full git history carrying secrets committed then deleted. Disabling 'Improve the model' did not stop it. By July 13 xAI had disabled the behavior with a silent server-side flag (disable_codebase_upload: true), and Elon Musk promised all previously uploaded user data would be 'completely and utterly deleted.' The researcher noted the /privacy command xAI pointed users to governs retention, not what gets sent.

xAI · Incident Jul 10, 2026 · Indexed Jul 17, 2026 · 3 sources

Records by entity: xAI

The short version

xAI's coding CLI quietly shipped whole repos, Git history and dead secrets included, to its cloud. The fix was a silent server-side flag, and Musk promised a full purge of the collected data.

No developer should have to run an opt-out after every session to keep their own code off someone else's servers.
What
On July 10, 2026, AI safety researcher Cereblab published a wire-level analysis showing Grok Build, xAI's command-line coding agent, was packaging users' entire repositories as git bundles and uploading them unredacted to the Google Cloud Storage bucket grok-code-session-traces, independent of what the agent read.
Incident date
Jul 10, 2026
Who
xAI
Failure mode
Data Leakage
AI surface
Code Assistant
Severity
High

What happened

Cereblab instrumented the traffic between Grok Build and xAI's servers and found that when the CLI read or processed a file, it transmitted the contents without redaction to a Google Cloud Storage bucket, and that it went further by packaging entire repositories, with their full Git histories, as Git bundles for upload regardless of what the prompt required. That history included secrets deleted months prior, a finding reproduced on a second repository. Comparable CLIs (Claude Code, Gemini, Codex) open individual files as needed. The findings drew responses from xAI staff and Musk, a public statement that zero-data-retention customers were unaffected, and a recommendation that others run the /privacy command. The transfers stopped only after a server-side change set a global disable_codebase_upload flag. Musk promised deletion of everything previously uploaded, while separately asking users to keep sharing data to help with debugging.

What broke inside the model

Failure path · mode profile · Data Leakage
  1. 01 · TriggerA request triggers retrieval or context loading.
  2. 02 · Model stepThe context pulls in another user's content.
  3. 03 · Control gapNo boundary enforces isolation at the moment of output.
  4. 04 · FailurePrivate data crosses into the response.
  5. 05 · ConsequenceOne user sees another's data, and disclosure follows.

One user's content crosses the retrieval boundary into another's response.

This was a harness failure rather than a model failure: the agent's context-gathering layer treated the entire repository, rather than the minimal file set the task required, as fair game for transmission and retention. Nothing in the pipeline distinguished code the user asked about from code the user never surfaced, and nothing scrubbed Git history, so credentials that developers believed deleted rode along. The consent surface then compounded it: the control users were pointed to governed per-session retention, not the collection behavior itself, meaning the data flow and the user's mental model of the data flow had nothing to do with each other.

Public visibilityHigh
Regulatory exposurePossible
Customer impactMany customers
Financial impactUnknown
Time to disclosureDays
  1. PrimaryWhat xAI Grok Build CLI actually sends to xAI, a wire-level analysis (grok 0.2.93)gist.github.com
  2. PressMusk promises purge after Grok Build caught sending entire repos to the cloudtheregister.com
  3. PressGrok Build Uploaded Entire Git Repositories to xAI Storage, Not Just Files It Readthehackernews.com
Permalinkhttps://failureindex.ai/failures/grok-build-uploaded-entire-repos-cloud
CitationAI Failure Index. "Grok Build was caught uploading entire repositories, deleted secrets included, to xAI's cloud" (FI-0720). Realm Labs. https://failureindex.ai/failures/grok-build-uploaded-entire-repos-cloud (indexed Jul 17, 2026).
Share cardA branded image of this record for posts and slides.

Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0720. Full dataset at /data.

Note from Realm Labs, the Index steward

How Realm would have caught this

Controls for this failure mode
  • Prism
  • OmniGuard
  • AI Detection & Response (AIDR)

OmniGuard watches what leaves the runtime boundary, so a coding agent bundling files outside the task's working set and shipping them to external storage gets held and blocked before the first megabyte moves. Prism surfaces the gap between what the user asked the agent to read and what the harness actually collected. AgentRealm enforces per-task data scope for agents, which makes whole-repo exfiltration a policy violation rather than a default.