
TL;DR
A security researcher intercepted Grok Build's network traffic and found it uploads entire repositories - including .env files with secrets - to xAI servers. Here's what the data shows.
A security researcher at Cereblab ran xAI's Grok Build CLI through a proxy and captured everything it sends home. The findings are raising serious questions about what coding agents do with your codebase.
The wire-level analysis, published as a GitHub Gist and discussed extensively on Hacker News, documents three primary data transmission behaviors in Grok Build CLI version 0.2.93.
The CLI transmits file contents to xAI servers without redaction. This includes .env secrets files. The researcher captured traffic showing API keys and database passwords appearing verbatim in both the live model-turn channel (POST /v1/responses) and in persisted archives uploaded via POST /v1/storage.
This is the baseline expectation for any coding agent - it needs to see your code to help you write it. But the scope of what gets transmitted goes much further.
Beyond files the agent actively reads during your session, Grok uploads entire repository snapshots independent of what code it actually processes.
The numbers from the researcher's testing:
The researcher proved the upload captures the full codebase by cloning the git bundles uploaded via POST /v1/storage and recovering files that were never read during the agent session.
The uploads land in a GCS bucket called grok-code-session-traces. The researcher identified this through binary strings in captured traffic, metadata inspection, and direct observation of GCS PUT requests.
The discussion on Hacker News has been substantial, with several key threads emerging.
One commenter suggested a benign explanation: uploading the full codebase lets the model inspect it during "thinking" without round-tripping back to the client for tool calls. Others pointed out this is a weak justification given the privacy implications.
The security-conscious crowd is recommending sandboxing approaches. One detailed comment described using bubblewrap to isolate coding tools so they can only read the working project directory with .git read-only and sensitive directories hidden, plus network namespace isolation that only allows connections to specific LLM provider hostnames.
Several commenters noted the timing irony - concerns about Chinese AI companies copying code have been prominent, while a US-based company is uploading entire repositories without clear disclosure.
A Grok user shared that there is apparently a config option to disable this:
[harness]
disable_codebase_upload=true
However, the researcher's analysis found that even with the "Improve the model" toggle disabled in the UI, the server still returned trace_upload_enabled: true. The relationship between these settings is undocumented.
Newsletter
Get the weekly deep dive
Tutorials on Claude Code, AI agents, and dev tools, delivered free every week.
From the archive
Jul 13, 2026 • 9 min read
Jul 12, 2026 • 9 min read
Jul 12, 2026 • 11 min read
Jul 12, 2026 • 7 min read
This research lands in a context of increasing scrutiny on coding agent telemetry. Earlier analysis comparing Claude Code and OpenCode found significant differences in how much data different harnesses send before even reading your prompt.
The tension is fundamental: coding agents need context to be useful, but the boundary between "context for the current task" and "persistent data collection" is not always clear - or clearly communicated.
As one HN commenter put it: "With all the coding agent options, you're choosing to trust your computer, code, and business to whichever harness, model, and provider you pick. It's not a great state of affairs, but that's where we are. Choose wisely."
If you're using Grok Build or evaluating coding agents generally:
Check configuration options. The disable_codebase_upload=true setting exists, though the researcher's findings suggest server-side behavior may not fully respect client preferences in all cases.
Separate credentials from code. Never store production secrets in .env files within repositories that coding agents access. Use external secret managers, environment variable injection at runtime, or at minimum keep credentials in gitignored files outside the project directory.
Consider network isolation. Tools like bubblewrap can restrict which hosts coding tools can reach. This doesn't prevent data transmission to the LLM provider, but it can limit unexpected communication with other services.
Prefer open-source harnesses with API access. Tools like OpenCode let you use models via their API while maintaining more control over what leaves your machine. The tradeoff is potentially reduced performance compared to native agent runners with custom optimizations.
Audit what you're sending. If you're working with sensitive code, run your coding tools through a proxy periodically and review the traffic. The researcher used mitmproxy; Charles Proxy and Proxyman are other options.
This analysis highlights a gap in the current coding agent ecosystem. Users are making implicit trust decisions without full information about what data leaves their machine.
The technical capability exists to upload anything a tool can access. The question is what policies and disclosures are in place, and whether those policies are actually enforced at the protocol level.
For Grok Build specifically, the mechanism for repository uploads was undocumented in CLI setup materials the researcher reviewed. That's the core issue - not that data collection happens, but that the scope of data collection exceeds what users reasonably expect based on available documentation.
Until coding agents standardize around transparent telemetry disclosure - perhaps through required data manifests or auditable upload logs - the burden falls on developers to verify tool behavior independently.
Read next
A developer reverse-engineered Claude Code and found hidden markers that classify users by timezone, domain, and API keywords - using unicode apostrophe swaps and date format changes.
7 min readxAI launched Grok 4.5, trained on trillions of Cursor interaction tokens. At $2/M input pricing, it undercuts Claude and GPT while benchmarking near Opus 4.7 level.
5 min readAndrew Kelley's blunt response to Anthropic's AI-assisted Bun rewrite sparked debate about AI marketing, language choices, and what makes engineering decisions honest.
7 min readTechnical content at the intersection of AI and development. Building with AI agents, Claude Code, and modern dev tools - then showing you exactly how it works.
AI app builder - describe what you want, get a deployed full-stack app with React, Supabase, and auth. No coding requi...
View ToolStackBlitz's in-browser AI app builder. Full-stack apps from a prompt - runs Node.js, installs packages, and deploys....
View ToolFull-stack AI dev environment in the browser. Describe an app, get a deployed project with database, auth, and hosting....
View ToolxAI's model with real-time X/Twitter data access. Grok 3 rivals top models on reasoning. Built-in web search and current...
View ToolWhat MCP servers are, how they work, and how to build your own in 5 minutes.
AI AgentsSet up Codex Chronicle on macOS, manage permissions, and understand privacy, security, and troubleshooting.
Getting StartedA complete, citation-backed Claude Code course with setup, prompting systems, MCP, CI, security, cost controls, and capstone workflows.
ai-development
In this video, we explore Rich Sutton's 'Bitter Lesson' and its implications for the future of software development, particularly as we approach 2026. We discuss the key principles from Sutton's...

In this video, I introduce the beta release of Grok 2 and Grok 2 Mini. I discuss the new models available on the X platform and their impressive performance, including their ranking on the...

A developer reverse-engineered Claude Code and found hidden markers that classify users by timezone, domain, and API key...

Andrew Kelley's blunt response to Anthropic's AI-assisted Bun rewrite sparked debate about AI marketing, language choice...

New research shows Claude Code's system prompt and tool scaffolding consume 4.7x more tokens than OpenCode before proces...

A new experimental technology encodes messages in video using motion-based steganography, exploiting how AI models proce...

A new essay argues that letting AI generate sloppy code creates a downward spiral where future AI absorbs those bad patt...

A Haskell Foundation board member explains why Scarf moved to Python after 7 years in production. The culprit: LLM-drive...

New tutorials, open-source projects, and deep dives on coding agents - delivered weekly.