The AI coding assistant Grok Build from SpaceXAI transmits entire code repositories, including full git history, to the company’s servers, according to a technical analysis – regardless of which files the agent actually works on. In a twelve-gigabyte test project, security researcher cereblab recorded a data outflow of just over five gigabytes. Unencrypted credentials from configuration files were affected as well.
Two Transfer Channels Send Very Different Data Volumes
Cereblab analyzed version 0.2.93 of the command-line application using the tool mitmproxy, recording network traffic for test projects ranging from 64 megabytes to twelve gigabytes. In doing so, the researcher identified two separate transfer channels. Through the actual model interface, only the files the agent opened during editing were sent – 192 kilobytes in total across one test session.
In parallel, a second, far larger data stream ran through a separate storage interface. The software sent the entire repository as a git bundle, split into packages of roughly 75 megabytes each. For the twelve-gigabyte test repository, more than 73 individual packages added up to just over five gigabytes – according to cereblab, roughly 27,800 times more than through the model channel, a figure that has not been independently verified.
According to the analysis, the destination was a Google Cloud Storage bucket named grok-code-session-traces, which the researcher reconstructed from strings in the program code and from request metadata. A prepared test document that the agent never opened during the trial could still be recovered unchanged after cloning an intercepted bundle. That is presented as evidence that the transfer happens independently of actual usage behavior.
Disabling the Training Toggle Does Not Stop the Uploads
In Grok’s settings, users can disable the option “Improve the model,” which, according to marketing materials, limits the use of a person’s own data for training. Cereblab specifically tested this setting and found that uploads through the storage interface continued unchanged. The server’s responses still confirmed the status “trace_upload_enabled: true.” According to cereblab, this discrepancy between the setting and actual behavior occurred reproducibly.
Configuration files containing credentials were affected as well, according to the analysis. In one test scenario, the application transmitted a prepared test file containing database credentials in plain text over the model channel as soon as the agent opened it. Cereblab distinguishes between two separate problems here: the critical issue is not that the agent reads such files, but that their contents are then passed on unprotected.
According to several commentators from the security community, this finding raises a broader concern: a toggle that has no effect on the actual data flow could give users a false sense of security. The findings stem from a single technical analysis; SpaceXAI has not yet issued a statement.
Community Reacts With Criticism of Default Settings
The analysis spread within hours on the discussion platform Hacker News, where the post gathered more than 140 points and around 80 comments. Several users criticized the default setting as overreaching; one comment compared the behavior to a surveillance campaign. Others pointed out that cloud coding tools generally need to transmit code in order to function at all.
One GitHub engineer who took part in the discussion pointed, by comparison, to stricter access controls at Copilot, the AI tool from competitor Microsoft. Other commentators recommended running Grok Build in an isolated environment, for instance with the Linux sandboxing tool Bubblewrap, rather than allowing access to unprotected credentials in project directories. According to these commentators, such workarounds are no substitute for a fix from the maker itself.
Trade outlets such as byteiota picked up the findings on July 12 and confirmed the key figures from the original analysis. A response from SpaceXAI has not materialized so far; the company, renamed in July, has also not commented on any possible changes to the storage interface.
What matters now is whether SpaceXAI responds to the analysis and discloses or changes the storage interface. For companies deploying coding agents on sensitive projects, the case raises fundamental questions about control over source code and credentials. Whether independent security researchers confirm cereblab’s figures should become clearer in the coming days.


