On July 13, SpaceXAI flipped a remote switch that immediately halted Grok Build’s quiet upload of entire Git repositories to its cloud servers. Independent testing had revealed that version 0.2.93 of the AI coding assistant was bundling everything tracked by Git — including years of commit history, long-deleted secrets, and files it was explicitly told to ignore — and pushing those bundles to Google Cloud Storage. For the thousands of Windows developers who used the CLI tool during its early access period, the finding turns a productivity experiment into a potential security incident.
A Stealth Upload That Bypassed Prompts
The upload behavior, first reported by WinBuzzer and independently confirmed by researcher Cereblab, operated through a separate storage endpoint distinct from the channel used for normal model requests. When Cereblab tested a 12 GB repository, the model request channel transmitted just 196 KB of data, while the storage channel accepted more than 5 GB before the test was halted. The same separation was later corroborated by The Hacker News.
What the tool sent wasn’t a filtered snapshot of working files. It was a full Git bundle — a compressed archive of every commit ever made in the repository. In a controlled experiment, Cereblab planted a canary file and instructed Grok Build not to open it, yet the file appeared inside the reconstructed bundle. That means even files the agent was ordered to avoid, along with their entire version history, left the developer’s machine.
The Peril Buried in Commit History
For security-conscious teams, the working directory is only part of the story. The real danger lives in git log. A token removed six months ago, a .env file accidentally committed and later deleted, or a vulnerability patch that reveals the original flaw — all of these remain permanently etched into Git history. They’re invisible in the current source tree but fully recoverable by anyone who eyes a complete bundle.
Conventional safeguards fall short here. .gitignore rules only prevent untracked files from being staged; they do nothing to purge tracked secrets that were committed in the past. Prompt-based restrictions — “only scan this folder,” “ignore this directory” — are equally powerless against a client that independently packages the entire repository. Grok Build’s collection layer, as revealed, did not respect those boundaries.
The fallout is especially acute on Windows development machines, where Git repos often contain deployment scripts, Azure configurations, test fixtures with hardcoded credentials, and PowerShell modules that touch production systems. If your team treated the tool as a harmless assistant for a quick code review, it may have silently exfiltrated far more than you intended.
A Privacy Toggle That Failed to Stop the Leak
SpaceXAI’s user-facing controls proved irrelevant. The company stated on July 13 that accounts using zero data retention (ZDR) and API-key users in that mode were not affected, and it directed non-ZDR users to the /privacy command to disable retention. But Cereblab’s research showed that flipping those consumer-facing settings did nothing to block the repository bundle from leaving the test machine.
What actually stopped the uploads was a server-controlled flag: disable_codebase_upload: true. After the server began sending that configuration, repeat tests showed no further storage traffic. The same Grok Build 0.2.93 client that had been uploading repositories hours earlier abruptly ceased doing so — without a single line of local code changing.
That difference cuts to the heart of enterprise trust. A remote feature flag is a swift firebreak during an incident, but it also means a binary can contain dormant capabilities that administrators cannot audit through version numbers alone. WinBuzzer noted that the upload-related code remained in place through version 0.2.99, even though the server flag kept it inactive. Without a formal client update, the risk of future reactivation — accidental or otherwise — persists.
What’s Fixed, What’s Still Unknown
The immediate leak appears plugged. Cereblab’s retests after July 13 showed zero /v1/storage uploads, and the server-side configuration now includes both disable_codebase_upload: true and trace_upload_enabled: false. That is a genuine mitigation, and it happens to be effective for anyone still using the tool.
But several critical questions remain unanswered. The destination bucket, identified as grok-code-session-traces on Google Cloud Storage, leaves open who could access those archives, how long the data is retained, and whether it was used for model training or other processing. Elon Musk stated on July 13 that all previously uploaded user data would be “completely deleted.” As of July 16, no independent evidence has surfaced to confirm that deletion, nor has SpaceXAI issued a formal security advisory detailing affected versions, retention periods, access controls, or an auditable deletion process. A tweet is not a certificate of destruction.
Organizations covered by a zero-data-retention agreement may have lower exposure, but only if they can prove that coverage existed at the time of upload. Today’s account settings don’t retroactively protect yesterday’s repository bundles. Windows administrators need to verify that status through contractual records, not assumptions.
Cleanup: Rotate, Audit, Restrict
If your team used Grok Build against sensitive repositories before July 13, treat it as a potential credential exposure event — regardless of whether the repository currently looks clean. The following immediate steps are defensible even in the absence of perfect information:
- Rotate every secret that appears anywhere in affected Git histories. That includes cloud access keys, GitHub or Azure DevOps tokens, package-registry credentials, certificates, database passwords, service-account secrets, and private API keys. If a secret was ever committed, assume it was captured in the bundle.
- Preserve forensic evidence before wiping anything. Collect endpoint telemetry, proxy and firewall logs, DNS records, VPN egress data, and the Grok Build logs themselves. On Windows, Microsoft Defender for Endpoint device timelines and network telemetry can help reconstruct which devices ran the tool, when, and against which repositories.
- Inventory your exposure. Identify every endpoint where Grok Build was installed, the version in use, the repositories opened during each session, and whether those repos contained tracked secrets or regulated data. Don’t limit this to managed build servers — developers often install CLI tools in user profiles and run them from PowerShell or Windows Terminal without formal approval.
- Verify your ZDR status. If you believe your organization had a zero-data-retention arrangement, confirm it through your contract or account representative. Do not rely on today’s dashboard toggles.
- Restrict outbound network access from developer workstations to the Grok Build domains until you’re confident the tool is safe. Windows Firewall rules, group policies, or endpoint security products can block the known endpoints while you investigate.
The goal isn’t to prove beyond doubt that your data was uploaded; that may never be possible. The goal is to take the same precautions you would after any cloud service inadvertently exposes your repository history. The cost of rotating secrets is trivial compared to the cost of a breach.
The Gap Between Privacy Claims and Network Reality
This incident isn’t a generic “don’t trust AI tools” cautionary tale. It’s a reminder that the collection layer of an AI coding assistant is a separate component from its prompt interface — and it can operate under rules you never agreed to. The user-facing privacy toggle controlled retention policies; it did not control transmission. That’s a nuance that most developers, and many administrators, would not have guessed.
For Windows teams evaluating any cloud coding assistant, the checklist must now include: What does the client enumerate on the local machine? What does it package? What endpoints does it call, and under what conditions? A vendor’s statement that “data isn’t retained” is not the same as “data never leaves the network.”
SpaceXAI has demonstrated that it can stop a risky behavior remotely in hours — a genuine operational strength during an incident. But the presence of upload-capable code in current binaries, combined with the lack of a formal security advisory or verifiable deletion, leaves customers in limbo. The strongest signal of a resolved incident is a client update that removes the offending code path entirely, or at minimum, a public attestation with audit trails.
Outlook: Demand Transparency, Enforce Boundaries
The next milestone will be a transparent, verifiable remediation from the vendor. Until then, Windows developers and administrators must operate on the assumption that the safest control is not a checkbox inside a CLI tool — it’s restricting the tool’s access to sensitive repositories and outbound destinations in the first place. For many organizations, the simplest risk decision will be to block Grok Build at the firewall until a clean client build ships with the upload mechanism removed and documented.
This episode is not evidence that every AI coding assistant is secretly cloning repositories. It is, however, proof that without independent verification, privacy settings and prompts are not technical boundaries. Trust, but verify. Or better yet, verify and block.