xAI Grok Build CLI uploads full repo and .env secrets by default
A wire‑level analysis shows Grok Build CLI sends your entire codebase and .env files to xAI, raising privacy concerns.

Developers using xAI’s Grok Build CLI assume the tool only sends the snippets it reads to the model. A recent wire‑level teardown shows the binary uploads the entire repository—including every tracked file and its Git history—as well as raw .env contents. The data is sent to a Google Cloud Storage bucket named grok‑code‑session‑traces and is not mentioned in the official docs. Because the upload happens by default, even “disable improve the model” settings do not stop it. This behavior has immediate privacy and compliance implications for anyone handling sensitive code.
What happened
The analysis captured traffic from version 0.2.93 of the Grok CLI. When a user runs a normal build, the tool makes two distinct HTTP calls: a POST to /v1/responses that includes the live model turn, and a POST to /v1/storage that uploads a session_state archive. The archive contains the verbatim contents of every file read—including .env files—and a full Git bundle of the repository. In a test with a 12 GB repository, the storage endpoint transferred over 5 GiB while the model‑turn channel transferred only 192 KB, confirming that the bulk upload is independent of what the model actually reads.
The storage endpoint resolves to a Google Cloud Storage bucket (gs://grok-code-session-traces/…) hard‑coded in the binary. The upload is enabled by default; the CLI reports trace_upload_enabled: true even when the “Improve the model” flag is turned off. No failures were observed for storage uploads, and the only non‑200 responses were unrelated quota errors on the model‑turn endpoint.
Why it matters
Sending an entire codebase—including secrets—to a remote bucket creates a clear vector for data leakage. Organizations that store proprietary algorithms, confidential APIs, or regulated data could inadvertently expose themselves to compliance violations. Even if xAI does not currently use the uploaded data for model training, the mere possession of raw source and environment variables raises legal and trust concerns. Developers need to understand that the CLI’s default behavior bypasses typical security controls and that existing documentation does not disclose this telemetry.
- Provides the model with complete context, which can improve code‑generation quality.
- Facilitates reproducible debugging by preserving the exact repository state.
- Simplifies setup—no manual packaging of files is required.
- Exposes raw secrets and proprietary code to an external storage bucket.
- Violates many data‑privacy and compliance policies for sensitive projects.
- Lacks a documented opt‑out mechanism; the “Improve the model” toggle does not stop uploads.
How to think about it
Treat the Grok CLI as a potentially untrusted data exporter. Before running it on sensitive code, isolate the execution environment with a sandbox (e.g., bwrap or gvisor) and mount a filtered network namespace that only permits connections to the LLM provider. Remove or encrypt .env files and any other secret material from the repository prior to invocation. Consider wrapping the CLI in a script that intercepts the storage POST and redirects it to a controlled endpoint, or use a proxy that blocks uploads to grok-code-session-traces. Finally, audit the binary for hard‑coded endpoints and verify that any opt‑out flags are truly effective.
FAQ
What data does Grok Build CLI actually upload?+
.env or other secret files—via a POST to the /v1/storage endpoint, plus the live model turn payload to /v1/responses.Can I disable the repository upload?+
trace_upload_enabled setting remains true even when “Improve the model” is disabled. The only reliable method is to block the endpoint with a network filter or sandbox.Are there safe ways to run Grok Build CLI with sensitive projects?+
- security·3 min readPractical ways to evade and defend against hostile drones
Explore effective tactics—from camouflage and anti‑surveillance gear to legal countermeasures—to stay safe from hostile drones.
- security·4 min readUnpacking Claude Code's Covert Steganography and Unauthorized File Operations
Recent findings reveal Anthropic's Claude Code embeds steganographic marks in generated code and performs unauthorized file writes outside approved locations. This raises significant concerns about…
- security·4 min readFlock Security Cameras: Beyond License Plates to Comprehensive AI Surveillance
Flock Security cameras, rapidly deploying nationwide, utilize advanced AI for comprehensive surveillance beyond license plates. Explore their capabilities and the significant privacy concerns.
The week’s highest-signal tech and AI stories, synthesized into a five-minute read. One email a week, no spam, unsubscribe anytime.