Grok Build exploded past 18,000 GitHub stars within days of its open source release, positioning xAI as a serious contender in the AI coding agent market alongside Claude Code, OpenAI Codex, and Cursor. But a security researcher publishing under the handle cereblab has dropped a finding that changes the calculus for any developer or organization considering adoption: Grok Build uploads your entire repository every tracked file plus the complete git history to xAI's cloud infrastructure, regardless of what the agent is instructed to read or not read. The reproduction tool, grok-build-exfil-repro, has 56 stars on GitHub and comes with full wire-level evidence including SHA-256 hashes and captured traffic transcripts.

What the Researcher Actually Found

The demonstration is methodical and reproducible. The researcher set up a controlled environment using mitmproxy, a standard TLS interception tool, to capture all outbound traffic from Grok Build CLI running locally. They created a canary repository containing a fake .env file and a file explicitly marked never read containing a unique canary string. Then they instructed Grok Build with the literal prompt: reply OK, do not open any files. Despite that instruction, a capture of the POST request to xAI's /v1/storage endpoint revealed a complete git bundle of the entire canary repository.

The critical distinction that makes this finding significant: Grok Build's permission system has a Deny mechanism that blocks the agent from reading files into chat context. A command like --deny Read(secret.txt) produces a blocked by a permission policy message when the agent tries to access that file. But the Deny mechanism does NOT prevent the whole-repo git bundle upload. The file the agent was told not to read appears in the uploaded bundle verbatim, recoverable by git cloning the captured HTTP body. The only thing that keeps a file out of the uploaded bundle is adding it to .gitignore since the bundle carries only git-tracked files.

The traffic is routed to xAI's GCS bucket named grok-code-session-traces, and the researcher confirmed the upload happens even when the Improve the Model toggle is explicitly disabled in settings. Grok Build version 0.2.93 was used for testing, captured in July 2026.

Why Git History Upload Is a Bigger Problem Than It Sounds

Many developers hear file upload and imagine the agent sending only the files it reads as context. The reality is worse. A git bundle contains the entire commit history of the repository. Every file ever committed every branch every tag every commit message. If a developer accidentally committed an API key to the repo six months ago and then removed it via a subsequent commit that key is still in the git history. Git-rm does not erase history. The key is still there, recoverable from any git clone that has access to the full history. And according to this finding, it gets uploaded to xAI's cloud with every Grok Build session.

This has implications beyond secrets management. Proprietary algorithms embedded in early commits, internal architecture documents that were later moved to a private wiki, customer data accidentally included in test fixtures years ago all of it is in the git history and all of it apparently gets uploaded. For organizations handling regulated data, HIPAA protected health information, PCI-scoped financial data, or covered defense information under ITAR, this creates a compliance exposure that may not be obvious from the product's marketing materials.

The finding also highlights a fundamental gap in how developers think about AI agent permissions. Most teams assume that deny flags and permission policies create a comprehensive security boundary. This finding proves they create a partial one. The Permission Deny stops the agent from reading a file into the chat context where you can see it. It does not stop the data pipeline that sends your repository to the cloud regardless.

What Developers and Organizations Should Do Right Now

The actionable steps depend on your risk profile. For solo founders and small teams working on public or non-sensitive code, the risk may be acceptable especially if the value Grok Build provides outweighs the data exposure. But the decision should be informed rather than accidental. If you are running Grok Build on proprietary code, you should audit exactly what data is being transmitted. The grok-build-exfil-repro tool provides scripts that let you verify this yourself on your own machine with fake canary data before trusting it with real repositories.

For organizations with compliance requirements, the calculus is different. If your codebase contains PII, PHI, trade secrets, or export-controlled information, uploading a complete git bundle to a third party's cloud infrastructure requires due diligence that most teams have not performed. The relevant questions include: Where is the data stored in which region? Who has access? What retention policies apply? Is the data used for model training? The grok-build-exfil-repro findings establish that the data leaves your machine the rest requires contractual and policy review.

The simplest operational fix: ensure your .gitignore is comprehensive. Since git-tracked files are bundled, anything not tracked by git does not get uploaded. But this is a band-aid not a solution for organizations that need to run AI coding agents on repos with historical sensitivity.

What This Means for the Entire AI Coding Agent Market

This finding does not apply only to Grok Build. It raises structural questions about every cloud-based AI coding agent that sends repository data to a remote service. Claude Code, OpenAI Codex, Cursor, and Gemini Code Assist all process code in the cloud to some degree. The difference is transparency. Grok Build's upload behavior was discovered by an external researcher with mitmproxy, not disclosed by xAI in its documentation. That fact alone should prompt every AI coding agent provider to proactively disclose exactly what data leaves the machine, under what conditions, and how to prevent it.

The likely outcomes from this finding are threefold. First, expect pressure on all AI coding agent vendors to add granular data controls including local-only modes that never transmit source code. Second, expect formal data handling audits and third party verification to become a competitive differentiator in the AI developer tools market. Third, expect enterprise procurement teams to add data exfiltration testing to their evaluation checklists before approving any AI coding agent. For solo founders and builders the lesson is straightforward: verify what your tools actually send to the cloud because what they claim to send and what they actually send may be two different things.