AI DevelopmentIndustry Guide12 min readPublished July 14, 2026

Whole repos left the machine · the privacy toggle addressed the wrong channel · the real switch sat on the vendor’s server

Grok Build Uploaded Entire Repos: What Actually Fixed It

On July 12, 2026, an AI-safety researcher published a wire-level capture showing Grok Build uploading entire repositories — full git history included — to SpaceXAI’s cloud storage. The user-facing privacy toggle never governed those uploads. A silent, server-side flag did. Here is the two-channel anatomy of the incident, and what it teaches every team adopting coding agents.

DA
Digital Applied Team
Senior strategists · Published Jul 14, 2026
PublishedJul 14, 2026
Read time12 min
Sources8 primary + press
Upload-vs-need disparity
27,800×
Cereblab's 12 GB test repo
storage vs model channel
Model channel needed
192KB
the files the agent actually read
Storage POSTs that failed
0/82
every upload returned HTTP 200
Per-file upload cap
1GiB
chunked multipart to cloud storage

The Grok Build privacy scandal broke on Sunday, July 12, 2026, when AI-safety researcher Cereblab published a wire-level network analysis showing SpaceXAI’s coding agent uploading entire repositories — complete git history, deleted secrets and all — to a cloud storage bucket, at roughly 27,800 times the volume the model actually needed to do its job.

What makes this incident worth studying is not the upload itself. It is what happened next: SpaceXAI pointed users to a privacy toggle that never governed the uploads, and the behavior only stopped when engineers flipped a silent, server-side configuration flag that no developer could see, set, or verify. The kill switch for a category of privacy-sensitive behavior sat on the vendor’s server the entire time.

This guide reconstructs the incident from the primary wire capture and the July 12–14 reporting: the two separate data channels and their two separate controls, what the git bundles actually carried, why the /privacy command addressed the wrong channel, what genuinely fixed it, and the durable lesson — agent trust is infrastructure, not a settings checkbox.

Key takeaways
  1. 01
    A wire-level audit exposed whole-repo uploads.Cereblab routed Grok Build 0.2.93 through mitmproxy on July 12, 2026. In a controlled 12 GB test repository, the model channel transmitted roughly 192 KB — the files the agent read — while a separate storage channel shipped the full repository as git bundles, in 73 chunks of about 75 MB each.
  2. 02
    Two channels, two controls — and users only saw one.The model-turn channel (/v1/responses) is gated by the user-facing training-consent toggle. The storage channel (/v1/storage) answered only to a cloud-issued server flag. SpaceXAI's public fix pointed users at the toggle — the wrong channel.
  3. 03
    The /privacy toggle did not stop the uploads.After Cereblab disabled the 'Improve the model' setting and reran the CLI, the settings endpoint still returned trace_upload_enabled: true and whole-repo uploads continued uninterrupted. What stopped them, on or around July 13, was a silent server-side disable_codebase_upload flag pushed by SpaceXAI engineers.
  4. 04
    Git bundles preserved deleted secrets.Uploads were packaged as git bundles — single-file archives of a repository's entire commit history. Canary secrets planted in a .env file appeared unredacted in captured traffic, and a file the agent was explicitly told never to open was recovered intact from the uploaded bundle.
  5. 05
    Agent trust is infrastructure, not a checkbox.Vendor statements, deletion promises, and settings screens are not verification. The durable fixes are wire-level audits of what a tool transmits, contractual zero-data-retention terms, and default-off retention — controls that hold regardless of who owns the switch.

01The DisclosureA Sunday wire capture nobody could unsee.

Grok Build is SpaceXAI’s Rust-based agentic coding CLI — the tool we covered at launch in our breakdown of Grok Build’s parallel-agent coding workflow. Its default model resolves to Grok 4.5, the flagship coding model SpaceXAI shipped on July 8, 2026 — which means the wire analysis landed just four days after the model’s launch, at the peak of developer attention. (SpaceXAI, if the name is new to you, is the rebrand of xAI under SpaceX revealed on July 6, following an acquisition that closed February 2, 2026.)

On July 12, the researcher publishing as Cereblab released a wire-level analysis of Grok Build CLI version 0.2.93, produced by routing the tool’s traffic through the mitmproxy interception proxy on macOS. The methodology matters: because Grok Build does not certificate-pin against mitmproxy’s custom certificate authority, any developer could reproduce the audit without modifying the binary — a key reason the finding spread and was independently reproduced within a day.

The headline numbers came from a controlled 12 GB test repository. The live model-processing channel — the requests that actually carry context to Grok 4.5 — transmitted roughly 192 KB (196,705 bytes): the files the agent opened for the task. A separate storage channel, meanwhile, uploaded the repository itself as git bundles, in 73 chunks of roughly 75 MB each, every one returning HTTP 200. Cereblab’s own arithmetic puts the gap between what the task needed and what left the machine at roughly 27,800× — a ratio from a defined test, not a universal constant, but one corroborated independently by Developers Digest and TechTimes against the same capture data.

Storage chunks
~75 MB parts to cloud storage
73

The 12 GB test repository shipped to a Google Cloud Storage bucket named grok-code-session-traces, packaged as git bundles and chunked into roughly 75 MB parts under repo_changes_dedup paths.

12 GB controlled test repo
Per-file cap
Observed upload ceiling
1GiB

Chunk sizes scaled with repository size: a 64 MB repo went out as a single ~48 MB POST, a 600 MB repo chunked at ~7.5 MB, a 3 GB repo used ~50 MB multipart parts — with a 1 GiB per-file cap observed throughout.

1,073,741,824 bytes
Failed uploads
Fully operational pipeline
0/82

Zero of the 82 storage-channel content POSTs observed across Cereblab's tests failed — every request returned HTTP 200, indicating an unthrottled, production-grade upload path during the test window.

Before the server flag flipped

Within 48 hours the story was everywhere developers look. The Hacker News thread reached the front page on July 14, and The Register’s July 14 report — “Musk promises purge after Grok Build caught sending entire repos to the cloud” — became the definitive mainstream account. The OECD.AI incident database logged the event as incident 2026-07-13-acb3, classifying it under privacy-and-data-governance and transparency violations.

02The AnatomyTwo channels, two controls, one blind spot.

Almost every account of this incident narrates it in prose — Grok uploaded things, then it stopped. The structure underneath is what actually explains both the failure and the misdirected fix. Grok Build was operating two separate data channels, governed by two separate controls, owned by two different parties. Most coverage — and, notably, SpaceXAI’s own public statement — conflated them.

The two data channels observed in Grok Build 0.2.93 during Cereblab’s July 12, 2026 wire analysis, compared across contents, nominal control, actual control ownership, and observed volume in the 12 GB test repository.
ChannelWhat it carriedNominal controlWho held the switch12 GB test volume
Channel A — model turn
POST /v1/responses
Prompts, context, and the specific files the agent opened for the task“Improve the model” training-consent toggle, via the /privacy commandThe developer — a genuine client-side setting~192 KB (196,705 bytes) — proportionate to the task
Channel B — storage
POST /v1/storage
The whole repository as git bundles — full commit history, including files never opened and secrets long since deletedNothing user-facing — undocumented in setup and quickstart materials at the time of the analysisSpaceXAI — a cloud-issued disable_codebase_upload server flag73 chunks × ~75 MB to grok-code-session-traces, 0 of 82 POSTs failed

Read the last two columns together and the scandal’s central confusion resolves itself. When SpaceXAI’s statement pointed users to Zero Data Retention for enterprise teams and the /privacy command as the remedy, it was describing the controls for Channel A. The behavior developers were furious about lived on Channel B — which answered only to a flag on SpaceXAI’s servers. Per securityonline.info’s technical breakdown, the two channels serve different purposes and are governed by entirely different mechanisms; the public fix addressed the wrong one.

The blind spot
Grok Build’s onboarding materials suggested that code from a developer’s session was not transmitted to xAI’s servers — a characterization Developers Digest reported as squarely at odds with the observed storage channel. Neither the grok-code-session-traces bucket nor whole-repo uploads appeared anywhere in the tool’s setup or quickstart documentation at the time of the analysis. A channel that is invisible in the docs and ungoverned by any visible setting is, for practical purposes, unauditable from the client side.

03The PayloadGit bundles carry everything you ever committed.

The packaging format is what elevates this from a telemetry overreach to a genuine security event. Uploads went out as git bundles — single-file archives of a repository’s entire commit history. A git bundle does not care what your working tree looks like today. An API key committed eighteen months ago and deleted the next morning is still in the history, and therefore still in the bundle that left the machine.

Cereblab proved the scope with planted canaries. A .env file containing a marker API key and a mock database password appeared verbatim and unredacted in captured traffic — on both the model channel and the storage archive. More striking: a probe file the agent was explicitly instructed never to open was recovered intact from the uploaded git bundle after cloning it back out. The uploads were not a function of what the agent read. They happened regardless.

The blast radius extended beyond repositories. The Register’s July 14 report relayed a user account of running Grok Build from a home directory — after which their entire user directory, reportedly including SSH keys and a password-manager database, was uploaded. That report traces to a social-media post rather than an independent wire capture, so treat it as a credible secondary account rather than an audited finding — but it is consistent with the mechanism Cereblab documented: the tool archived the workspace it was pointed at, whatever that workspace contained.

One important boundary on the claims, drawn by the researcher themselves: the capture proves what was transmitted and stored, not what was trained on.

"None of this proves xAI trains on the data — that is a policy question."— Cereblab, wire-level analysis, July 12, 2026

That distinction cuts both ways. It keeps the criticism honest — nobody demonstrated training on user code. It also exposes how little the training question matters for security purposes: once a secret has been transmitted to infrastructure you do not control and cannot audit, it is exposed. TechTimes’ guidance on July 14 was blunt — developers who had run Grok Build against codebases containing real API keys, database passwords, or cloud tokens should treat those credentials as potentially exposed and rotate them immediately, regardless of what their privacy settings displayed at the time.

04The False ControlThe toggle that governed nothing.

Grok Build’s primary user-facing privacy control is the “Improve the model” toggle, exposed through the /privacy command. It is the setting SpaceXAI’s statement pointed users toward. So Cereblab tested it directly: disable the toggle, rerun the CLI, watch the wire.

The result is the single most damning detail in the analysis. With the toggle off, the /v1/settings endpoint still returned trace_upload_enabled: true — and whole-repo uploads continued uninterrupted. The user had expressed a preference; the server had not changed its mind.

Why could a server disagree with a local setting at all? Because Grok Build resolves its configuration across three layers — environment variables, the local config file, and remote flags issued by SpaceXAI’s cloud. In Cereblab’s testing, the cloud-issued value could end up controlling upload behavior even against a developer’s local intent: a developer who somehow knew to set disable_codebase_upload=true in ~/.grok/config.toml could still find the remote flag deciding the outcome. Whichever way the precedence resolved in a given session, the operative fact was the same — the switch that mattered was issued by the vendor’s server, invisible to any client-side inspection or version control.

Layer 1
Environment variables
set per shell, per session

Visible and auditable — a developer can inspect, script, and version-control them. But they only matter for the flags the vendor has documented, and the upload flag was not documented.

Developer-owned
Layer 2
Local config file
~/.grok/config.toml

Also client-side and inspectable. The /privacy toggle writes here — which is why disabling it felt like control. The storage channel simply did not consult it.

Developer-owned
Layer 3
Remote server flags
/v1/settings · cloud-issued

Fetched from SpaceXAI's infrastructure at runtime. trace_upload_enabled and disable_codebase_upload lived here — the layer no developer could see, set, diff, or verify. This is where the uploads were actually governed.

Vendor-owned · the switch that mattered

Cereblab’s conclusion, paraphrased from the Register interview: the /privacy command should not be pointed to as the control for this behavior, and no developer should have to run an opt-out after every session. The deeper point is architectural. A privacy control is only real if the data path it claims to govern actually consults it. Grok Build’s storage channel never consulted anything a user could touch.

05The FixA silent server flag — not a setting, not a patch.

So what actually stopped the uploads? On or around July 13, SpaceXAI engineers pushed a server-side configuration flag — disable_codebase_upload: true — to the same remote settings layer that had been enabling the behavior. No client update shipped. No setting appeared in the UI. The uploads stopped because the vendor turned them off at the source, using exactly the kind of invisible switch that caused the problem in the first place.

Worth sitting with: as of the scandal’s peak window, per TechTimes, the upload code itself remained present in the shipped binary — only the server-side trigger was switched off — and no formal security advisory had been issued. The same mechanism that disabled the uploads could, technically, re-enable them. That is not an accusation of intent; it is a description of where the control sits.

The public response ran on two tracks. SpaceXAI’s official statement emphasized that for teams using Zero Data Retention, no trace or code data is ever retained, and pointed other users to the /privacy command — which, it said, also deletes previously synced data. Both halves of that framing are the company’s own claims: the ZDR assurance is not independently confirmed, and as Section 04 showed, the toggle it pointed to did not govern the channel in question. Elon Musk went further the same day.

An unverified promise
“All user data that was uploaded to SpaceXAI before now will be completely and utterly deleted... Zero anything whatsoever will remain.” — Elon Musk, via X, July 13, 2026, as reported by The Register. Note what this is: a promise, not an audit. No outside researcher or auditor can verify that deletion occurred, and no mechanism was offered by which anyone could. Treat it accordingly — as a statement of intent from the party that operated the undisclosed pipeline.

The incident’s paper trail closed out its first phase on July 14: The Register’s definitive report, the Hacker News front page, an Inc.com trust-crisis framing, and a formal OECD.AI incident record. What none of the July 12–14 record contains is independent verification of any remediation claim — deletion, retention, or otherwise. The scoreboard at the date wall: one wire-level audit anyone could reproduce on one side; settings screens, statements, and promises on the other.

06The FieldHow the other agent CLIs compare.

Grok Build’s behavior was an outlier, not the category norm — at least as far as the July 2026 reporting establishes. Comparative press coverage of the incident characterized Claude Code, Codex CLI, and Gemini CLI as transmitting only the specific files an agent opens for a task, not the full workspace. One honesty note before the table: that characterization comes from press coverage of the incident, not from Cereblab-grade wire audits of those three tools — nobody, to our knowledge, published equivalent captures for them in this window. The table separates the two evidence classes explicitly.

Upload-scope comparison of four agentic coding CLIs as of July 14, 2026, separating press-reported behavior from wire-audited behavior, across files transmitted per task, whole-repo transmission, and whether a user-facing toggle gates the behavior.
ToolTransmits per taskWhole repo / history?User toggle gates it?Evidence basis
As reported by press — not independently wire-audited in this window
Claude CodeFiles the agent opens for the task (reported)Not reportedReported as scoped-by-design rather than toggle-dependentPress characterization (Developers Digest, Jul 13)
Codex CLIFiles the agent opens for the task (reported)Not reportedReported as scoped-by-design rather than toggle-dependentPress characterization (Developers Digest, Jul 13)
Gemini CLIFiles the agent opens for the task (reported)Not reportedReported as scoped-by-design rather than toggle-dependentPress characterization (Developers Digest, Jul 13)
Wire-audited — Cereblab capture, July 12, 2026
Grok Build 0.2.93 (pre-fix)~192 KB to the model channel — plus the entire workspace to the storage channelYes — full git history as bundles, including deleted secrets and never-opened filesNo — the /privacy toggle left trace_upload_enabled: true; a vendor server flag governed the channelmitmproxy wire capture, independently reproduced

The right way to read this table is not “three tools are safe, one was not.” It is that only one row has wire-grade evidence behind it — the damning one. The other three rows describe the reported design intent of tools that happen not to have been audited this way in public. If the Grok Build incident has a market-level consequence, it should be that the evidence-basis column stops being a distinction anyone has to draw — because reproducible transmission audits become a normal thing vendors publish and buyers demand.

07The LessonAgent trust is infrastructure, not a checkbox.

Here is the trend this incident actually confirms, and it is bigger than one vendor. Agentic coding tools have acquired production-level access to the most sensitive asset most companies own — their codebase, with its embedded credentials, infrastructure topology, and commercial logic — while the trust model around them is still largely social: a settings screen, a marketing page, a founder’s post. The Grok Build scandal is what happens when someone finally checks the wire. The asymmetry it revealed — one afternoon of mitmproxy versus months of default trust from thousands of developers — is the real story, because that asymmetry exists for every agent CLI, not just this one.

Our projection: this becomes a procurement question within the year. Teams already run structured evaluations before adopting a new model — the same discipline we describe in building an LLM eval harness to qualify new models — and transmission behavior will join capability in that qualification gate. Expect enterprise buyers to start asking agent vendors the questions this incident taught everyone to ask: what leaves the machine, on which channels, governed by which controls, owned by whom. Vendors with good answers will publish them before being asked.

Until then, the burden sits with adopting teams. Four controls actually hold — none of them is a checkbox:

Verify
Wire-level transmission audits

Route the agent through an interception proxy (mitmproxy or equivalent) against a canary repository — planted fake secrets, a never-open probe file — before it touches real code. Cereblab's methodology is reproducible in an afternoon and requires no binary modification for tools that don't certificate-pin.

Trust the wire, not the docs
Contract
Zero-data-retention in writing

A ZDR arrangement is only as good as its enforceability. Get retention terms into the agreement — scope, channels, deletion timelines, audit rights — rather than relying on a vendor blog post or a settings screen that may not govern every data path.

Paper beats promises
Default
Default-off retention posture

Choose tools and plans where non-retention is the default state, not an opt-out a developer must remember to exercise — and where the setting demonstrably gates every channel. An opt-out that must be re-run per session, or that governs only one of two channels, is not a control.

Opt-in, never opt-out
Own
Control-ownership audit

For every data path an agent has, ask who holds the switch: an environment variable you set, a config file you version, or a server flag the vendor pushes silently. Any behavior governed solely by vendor-side flags should be treated as outside your control — because it is.

Map every kill switch

And the immediate hygiene item stands regardless of tool: if an agent with undisclosed transmission behavior has touched repositories containing live credentials, rotate them. Secrets hygiene — keeping credentials out of git history entirely, so a whole-history bundle has nothing to leak — is the one defense that works even when the vendor’s switch fails. This is the kind of agent-adoption groundwork our AI transformation engagements formalize: tool-by-tool transmission review, retention contracts, and rollout guardrails before an agent ever meets production code.

08ConclusionThe switch was never yours.

The durable takeaway

Agent trust is infrastructure — verify the wire, contract the retention, own the switch.

Strip the drama and the Grok Build scandal reduces to one architectural fact. Two channels left the developer’s machine; the user controlled one; the incident lived on the other. The fix that worked — a silent server-side flag — proved the point better than the failure did: at no moment, before or after, did the governing control pass into the developer’s hands.

That is why the settings-checkbox model of agent trust is over. A toggle that the data path never consults is theater. A deletion promise nobody can audit is theater. What is not theater: a wire capture anyone can reproduce, retention terms in a contract, defaults that fail closed, and a map of who owns every switch. The teams that adopt agents fastest over the next year will be the ones that build that verification muscle — because it is what makes saying yes to powerful tools safe.

Grok Build’s uploads stopped on July 13. The reason they stopped is the lesson: the vendor flipped a flag you could not see. Build your agent-adoption process so that sentence can never describe your stack.

Adopt agents without surrendering your codebase

Trust your agents because you verified them.

We help teams adopt coding agents with eyes open — transmission audits against canary repos, retention and ZDR contract review, secrets hygiene, and rollout guardrails — delivered in days, not quarters.

Free consultationExpert guidanceTailored solutions
What we work on

Agent-security engagements

  • Wire-level transmission audits of agent CLIs
  • Canary-repo test design — planted secrets, probe files
  • ZDR & retention contract review for AI tooling
  • Secrets hygiene — scrubbing credentials from git history
  • Agent rollout guardrails & tool-qualification gates
FAQ · Grok Build privacy scandal

The questions teams are asking this week.

On July 12, 2026, AI-safety researcher Cereblab published a network capture of Grok Build CLI 0.2.93, produced by routing its traffic through the mitmproxy interception proxy on macOS. In a controlled 12 GB test repository, the model-processing channel transmitted roughly 192 KB — the files the agent actually opened — while a separate storage channel uploaded the entire repository as git bundles to a Google Cloud Storage bucket named grok-code-session-traces, in 73 chunks of about 75 MB each. Every one of the 82 storage-channel POSTs observed across the tests returned HTTP 200. Cereblab's arithmetic puts the gap between what the task needed and what left the machine at roughly 27,800× in that test, a figure independently corroborated by TechTimes and Developers Digest against the same capture data.
Related dispatches

Continue exploring agentic development.