Security

Grok Build Uploads Entire Repositories to SpaceXAI Servers

3 min read
Monitor with a terminal showing an upload progress bar, Grok logo visible, data center in the background. Image generated with GPT Image 2
Monitor with a terminal showing an upload progress bar, Grok logo visible, data center in the background.

TL;DR Too Long; Didn’t read

SpaceXAI's coding agent Grok Build transmits entire code repositories, including full git history, to company-owned cloud storage, according to an independent analysis – in one test, that meant just over five of twelve gigabytes. Unencrypted credentials from configuration files were also affected. Disabling the training toggle did not stop the uploads. SpaceXAI has not commented so far.

Key takeaways

  • Grok Build reportedly sends git bundles with complete history to a Google Cloud bucket run by SpaceXAI.
  • Files the agent never opened still ended up on the company's servers in the test, the analysis shows.
  • The storage channel carried roughly 27,800 times more data than the actual model channel.
  • A test file containing database credentials was transmitted unencrypted, according to the report.
  • Security researcher cereblab published the analysis on GitHub on July 10, 2026.
  • SpaceXAI has not yet responded to the allegations.

The AI coding assistant Grok Build from SpaceXAI transmits entire code repositories, including full git history, to the company’s servers, according to a technical analysis – regardless of which files the agent actually works on. In a twelve-gigabyte test project, security researcher cereblab recorded a data outflow of just over five gigabytes. Unencrypted credentials from configuration files were affected as well.

Two Transfer Channels Send Very Different Data Volumes

Cereblab analyzed version 0.2.93 of the command-line application using the tool mitmproxy, recording network traffic for test projects ranging from 64 megabytes to twelve gigabytes. In doing so, the researcher identified two separate transfer channels. Through the actual model interface, only the files the agent opened during editing were sent – 192 kilobytes in total across one test session.

In parallel, a second, far larger data stream ran through a separate storage interface. The software sent the entire repository as a git bundle, split into packages of roughly 75 megabytes each. For the twelve-gigabyte test repository, more than 73 individual packages added up to just over five gigabytes – according to cereblab, roughly 27,800 times more than through the model channel, a figure that has not been independently verified.

According to the analysis, the destination was a Google Cloud Storage bucket named grok-code-session-traces, which the researcher reconstructed from strings in the program code and from request metadata. A prepared test document that the agent never opened during the trial could still be recovered unchanged after cloning an intercepted bundle. That is presented as evidence that the transfer happens independently of actual usage behavior.

Disabling the Training Toggle Does Not Stop the Uploads

In Grok’s settings, users can disable the option “Improve the model,” which, according to marketing materials, limits the use of a person’s own data for training. Cereblab specifically tested this setting and found that uploads through the storage interface continued unchanged. The server’s responses still confirmed the status “trace_upload_enabled: true.” According to cereblab, this discrepancy between the setting and actual behavior occurred reproducibly.

Configuration files containing credentials were affected as well, according to the analysis. In one test scenario, the application transmitted a prepared test file containing database credentials in plain text over the model channel as soon as the agent opened it. Cereblab distinguishes between two separate problems here: the critical issue is not that the agent reads such files, but that their contents are then passed on unprotected.

According to several commentators from the security community, this finding raises a broader concern: a toggle that has no effect on the actual data flow could give users a false sense of security. The findings stem from a single technical analysis; SpaceXAI has not yet issued a statement.

Community Reacts With Criticism of Default Settings

The analysis spread within hours on the discussion platform Hacker News, where the post gathered more than 140 points and around 80 comments. Several users criticized the default setting as overreaching; one comment compared the behavior to a surveillance campaign. Others pointed out that cloud coding tools generally need to transmit code in order to function at all.

One GitHub engineer who took part in the discussion pointed, by comparison, to stricter access controls at Copilot, the AI tool from competitor Microsoft. Other commentators recommended running Grok Build in an isolated environment, for instance with the Linux sandboxing tool Bubblewrap, rather than allowing access to unprotected credentials in project directories. According to these commentators, such workarounds are no substitute for a fix from the maker itself.

Trade outlets such as byteiota picked up the findings on July 12 and confirmed the key figures from the original analysis. A response from SpaceXAI has not materialized so far; the company, renamed in July, has also not commented on any possible changes to the storage interface.

What matters now is whether SpaceXAI responds to the analysis and discloses or changes the storage interface. For companies deploying coding agents on sensitive projects, the case raises fundamental questions about control over source code and credentials. Whether independent security researchers confirm cereblab’s figures should become clearer in the coming days.

Frequently asked questions

Are the described uploads a risk for people who don't use Grok Build at all?

No. The transfers described only occur when users actively install the command-line tool and run it on a project.

Who can currently use Grok Build?

According to SpaceXAI, access is limited to SuperGrok and X Premium Plus subscribers, who have been able to use the beta since late May 2026.

How does this behavior differ from other AI coding tools?

According to discussion participants, competing products such as GitHub Copilot typically transmit only individual edited files rather than entire repository bundles with history. An independent comparison across providers is still lacking.

Can the described uploads be prevented technically?

Commentators recommend running the tool in an isolated environment, for instance with the sandboxing tool Bubblewrap, and avoiding unencrypted credentials in project directories.

Has SpaceXAI issued an official response?

As of this article's publication, the company has not publicly commented on the analysis or on any possible changes to Grok Build.


← Back to the blog