Skip to content
AIAIPerformanceSaaS

Grok Build Was Secretly Uploading Entire Codebases. Here's What Every AI Coding Tool Actually Sends to the Cloud

Tayyab Aslam, Co-Founder and Full-Stack Lead Developer at Taylance Tech — web, mobile, and AI developmentTayyab Aslam
9 min read
Terminal window of an AI coding agent with an arrow showing a full Git repository being uploaded to cloud storage

On July 12, 2026, a security researcher publishing as cereblab did something most of us never think to do: they put a network proxy between an AI coding tool and the internet, and watched what actually left the machine.

The tool was Grok Build, xAI's terminal coding agent — a direct competitor to Claude Code and OpenAI's Codex, launched in May 2026 with a roughly 70% score on SWE-bench. The instruction the researcher gave it was deliberately trivial: "reply OK, do not read any files."

Grok Build replied OK. It also packaged the entire Git repository — every tracked file, every commit ever made, including files it was explicitly told not to open — into a Git bundle and uploaded it to an xAI-controlled storage bucket on Google Cloud. The researcher cloned the captured bundle and recovered a canary file the agent never read, verbatim, along with the repository's complete history.

If your team uses AI coding tools — and in 2026, 92% of developers do, daily — this story is not about one company. It's about a question almost nobody was asking until this week: what does your AI coding assistant actually send to the cloud?

What the wire capture proved, in plain numbers

The analysis wasn't speculation or a leaked memo. It was raw network traffic, and the numbers are hard to argue with:

  • The whole repository left the machine, not just the files the AI read. Grok Build 0.2.93 sent the workspace as a Git bundle via a background POST /v1/storage request — a channel completely separate from the model conversation.
  • The scale test: ~27,800× more data uploaded than the task needed. On a 12 GB test repository of files the agent never read, the storage channel moved 5.10 GiB (all HTTP 200) while the actual model conversation moved just 192 KB.
  • Privacy toggles didn't stop it. Turning off "Improve the model" governed how xAI could use the data — not whether the repository left the workstation. The upload fired anyway.
  • Git history came along for the ride. A secret that was ever committed — even if deleted years ago — was in the bundle. Committed API keys, SSH keys, and credentials all travelled with it.

xAI had marketed Grok Build with the claim that nothing from your codebase was transmitted to xAI servers during a session. The wire data directly contradicted that.

What happened next: a server-side flag and an open-source release

To xAI's credit, the response was fast — but the details matter more than the headlines.

July 12–13: xAI flipped a server-side flag, disable_codebase_upload: true. Retests by the same researcher showed the whole-repository upload no longer fired — on the same client version. Nothing changed on users' machines; xAI simply told the existing code to stand down.

July 14–15: Elon Musk publicly committed to deleting all previously retained coding data, and xAI acknowledged that data retention had been enabled by default for all non-enterprise users during the beta. Enterprise customers on Zero Data Retention contracts were reportedly never affected — the default-on behavior applied to everyone else.

July 15: xAI open-sourced Grok Build under the Apache 2.0 license — 844,530 lines of Rust, published hours after the story peaked. Developers can now inspect the agent loop and even run the harness against their own model endpoints.

That sounds like a resolution. Here's why security researchers aren't fully satisfied:

  • The upload code is still in the shipped binary. It's held off by a server-side configuration flag that xAI can re-enable at any time, without pushing an update to your machine.
  • The public repository starts at a single commit. There's no history, so nobody can audit what the code did in earlier versions.
  • The data deletion has not been independently verified. Users are trusting a promise, not an audit.

How the other AI coding tools compare

The most useful part of the research wasn't the Grok finding — it was the side-by-side capture of what four major coding agents actually transmit. Same machine, same test repositories, fake canary secrets:

Tool Uploads whole repo? Sends files the agent opened? What actually goes over the wire
Claude Code (2.1.204) No Only files read for the task Model conversation to api.anthropic.com — nothing else observed
Codex CLI (GPT‑5.5) No Only files read for the task Model conversation over WebSocket, plus telemetry
Gemini CLI (0.38.2) No Only files read for the task Model conversation to Google's API — quiet when idle
Grok Build (0.2.93) Yes — historically; disabled server-side July 13 Yes Whole repo + full Git history as a bundle to cloud storage, plus model traffic and telemetry

Two things stand out. First, Grok Build's behavior was a documented outlier — the other three tools sent only what the agent actually opened. Second, and less comfortably: every one of these tools sends the files the agent reads to someone else's servers. That's how they work. The difference between "acceptable" and "scandal" is scope, consent, and retention — not whether data leaves your machine at all.

Why this matters even if you've never heard of Grok Build

You might be thinking: my team uses Claude Code or Cursor or Copilot, this isn't my problem. Here's why it is.

AI coding agents are becoming infrastructure. Searches for agentic AI now run at roughly 110,000 per month (up 39% year over year), and searches for autonomous AI agents are up 770%. Analysts expect 40% of enterprise applications to embed task-specific agents by the end of 2026. These tools aren't a novelty developers play with — they sit inside your repositories, your CI pipelines, and increasingly your production credentials.

Your codebase is a liability map. A modern repository contains far more than source code: committed environment files from three years ago, internal API endpoints, database schemas, hard-coded test credentials someone forgot about, customer data in fixture files. When a tool uploads full Git history, everything that was ever committed is exposed — deleting a secret in a later commit does not remove it from the bundle.

The default settings are the product. The single most important detail in this story is that retention was on by default for everyone except enterprise contracts. Companies with lawyers negotiating Zero Data Retention were protected. Everyone else — freelancers, startups, small agencies — was the training data. If you don't explicitly know your tool's data posture, you have your answer.

The 6-point checklist before an AI agent touches your codebase

You don't need to ban AI coding tools — the productivity gains are real, and we use them ourselves. You need to treat them like any other vendor with access to your source code. Ask these six questions:

  • 1. What is transmitted, exactly? Only files the agent opens, or the whole workspace? If the vendor's documentation doesn't say clearly, assume the worst. Wire-level third-party analyses (like cereblab's) exist for the major tools — read them.
  • 2. What is retained, and for how long? "We respect your privacy" is not a retention policy. Look for explicit Zero Data Retention terms, and note whether they apply to your plan or only to enterprise contracts.
  • 3. Is your data used for training by default? Find the toggle. Verify what it actually controls — in Grok Build's case, the toggle governed data use, not data transmission.
  • 4. Purge your Git history of secrets — now. Run a scanner like gitleaks or trufflehog against full history, not just the working tree. Rotate anything it finds. This protects you against every tool, breach, and employee laptop theft simultaneously.
  • 5. Keep real secrets out of tracked files entirely. Environment variables, secret managers, and gitignored files that were never committed did not appear in the captured bundles. That boundary held. Make it your standard.
  • 6. Prefer tools you can audit — or at least observe. Open-source harnesses, local-first modes, and self-hosted model endpoints shrink the trust surface. If a vendor's response to a privacy incident is transparency and verifiable changes, that's a good sign. If it's a press release, be careful.

The bigger shift: trust is becoming the benchmark

For two years, AI coding tools competed on model quality — SWE-bench scores, context windows, tokens per second. That race has largely converged: the top models are close enough that most teams can't feel the difference on day-to-day work.

What this week made obvious is where the competition goes next. Anthropic reportedly pays xAI $1.25 billion a month for compute while their coding tools fight for the same developers — the economics of this market are strange enough that giving away the tool is now a strategy. When the product is free and the models are comparable, the thing vendors actually compete on is trust: what they take, what they keep, and whether you can verify either.

A quarter of European firms had already banned Grok before this incident over earlier data practices. Post-incident, every serious engineering organization is going to start asking the six questions above — and the vendors with clean, auditable answers will win deals that benchmarks used to win.

Where we land on this

We build web apps, SaaS platforms, and AI workflows for clients, which means client code passes through our tooling decisions. Our position after this week:

  • AI coding agents stay — the productivity math still works decisively in their favor.
  • Tools get the same vendor review as anything else with repository access: transmission scope, retention terms, training defaults, audit trail.
  • Secret hygiene is non-negotiable: nothing sensitive in tracked files, full-history scans on every repository we take over.
  • Default settings are never trusted. If we haven't verified what a toggle does, it doesn't count.

The uncomfortable truth of the Grok Build story is that it was only discovered because one researcher looked. The tools your team installed this year have the same access. Someone should look — before the wire capture is of your codebase.

Need help auditing your team's AI tooling, cleaning secrets out of your Git history, or building AI workflows that don't leak? Talk to us — we've done this for our own stack and our clients'.

FAQ

Frequently Asked Questions

Quick answers to common questions about this topic.

Did Grok Build really upload entire codebases to xAI?

Yes. A wire-level analysis published July 12, 2026 captured Grok Build 0.2.93 uploading complete Git repositories — every tracked file plus full commit history — as Git bundles to xAI-controlled cloud storage, even when the agent was instructed not to read any files. xAI confirmed the behavior, disabled it via a server-side flag on July 13, and promised to delete previously retained data.

Is it safe to use AI coding tools like Claude Code, Codex, or Gemini CLI?

The same independent testing found that Claude Code, Codex CLI, and Gemini CLI sent only the files the agent actually opened during a task — no whole-repository uploads were observed. That's a much narrower boundary, but any file the agent reads still goes to the vendor's servers, so you should verify each tool's retention policy and keep secrets out of tracked files.

Does .gitignore protect my secrets from AI coding tools?

Partially. In the captured Grok Build bundles, gitignored files that were never committed did not leave the machine — but any file that was ever committed to Git history was included, even if it was deleted later. Scan your full Git history for secrets with a tool like gitleaks or trufflehog and rotate anything you find.

What did xAI do after the Grok Build incident?

xAI disabled the whole-repository upload with a server-side flag on July 13, switched data retention to off by default, promised to delete all previously retained coding data, and open-sourced the Grok Build harness under Apache 2.0 on July 15. However, researchers note the upload code remains in the binary behind a server-controlled flag, the public repo has no commit history, and the data deletion has not been independently verified.

What should a business check before letting developers use AI coding agents?

Verify four things: exactly what the tool transmits (opened files vs. the whole workspace), what the vendor retains and for how long, whether your data is used for training by default on your plan, and whether you can audit or observe the tool's behavior. Also purge committed secrets from Git history and move all credentials to environment variables or a secret manager.

More from the blog

Website Builder or Custom Development? The Real 2026 Answer, With Numbers — featured image from Taylance Tech
Web Development

Website Builder or Custom Development? The Real 2026 Answer, With Numbers

83% of small businesses now have a website, and most built it with a drag-and-drop tool in an afternoon. That's often the right call. But the $6.4 billion website builder market has a ceiling almost nobody tells you about before you hit it — and by then you've usually rebuilt from scratch once already. Here's how to tell which side of that ceiling your business is on before you spend a dollar.

SaaSPerformanceNext.js
Tayyab AslamTayyab Aslam8 min read
Your Website Runs on Code Nobody at Your Company Wrote. In 2026, That's a Problem. — featured image from Taylance Tech
SEO

Your Website Runs on Code Nobody at Your Company Wrote. In 2026, That's a Problem.

In 2026 alone, attackers have compromised Axios (100 million weekly downloads), node-ipc, and dozens of other packages that quietly power most modern websites — funneling malware straight into companies that never wrote a line of the malicious code themselves. Here's what a supply chain attack actually is, why 2026 has been the worst year on record, and the plain-English checklist to ask your developer or agency about before it's your business in the breach report.

PerformanceSaaSSEO
Tayyab AslamTayyab Aslam9 min read
Vibe Coding in 2026: When It Works, When It Breaks, and When You Need a Real Developer — featured image from Taylance Tech
AI

Vibe Coding in 2026: When It Works, When It Breaks, and When You Need a Real Developer

92% of developers now use AI coding tools daily, and $285 billion in SaaS market value evaporated because non-developers can vibe code their own tools. But developer trust in AI-generated code just dropped to 29%, and security firms are finding critical vulnerabilities in nearly every vibe-coded app they test. Here's the honest breakdown of what vibe coding is actually good for — and the exact point where it becomes expensive.

AISaaSPerformance
Tayyab AslamTayyab Aslam9 min read

Need help with something like this?

Tell us what you're building — we'll give you a clear, honest read on scope and the right next step.