xAI's Grok Build CLI transmits sensitive file contents, including secret variables, to its servers. It uploads entire repositories independently of the files actually accessed, raising significant privacy concerns regarding user data handling.
The xAI Grok Build CLI has been found to transmit the contents of files, including sensitive data from .env secrets files, to xAI servers. This occurs during normal consumer logins, where data is sent through both the live model interaction and during session state uploads.
In addition to sending file contents, Grok uploads the entire repository, including all tracked files and git history. This behavior was evidenced when prompts instructing the agent to refrain from reading files still resulted in the complete repository being uploaded.
The uploaded data is stored in a Google Cloud Storage bucket specifically named grok-code-session-traces. This storage method was not disclosed in the CLI's documentation, and the feature is active by default even if users disable related settings.
While the findings do not confirm that xAI trains on the transmitted data, they highlight a significant lack of transparency in data handling practices within the Grok Build CLI. The persistent upload of sensitive data without user consent raises privacy concerns that may affect user trust in xAI.
β¨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β check the original sources. How BrevFeed works β
xAI's Grok Build CLI transmits sensitive file contents, including secret variables, to its servers. It uploads entire repositories independently of the files actually accessed, raising significant privacy concerns regarding user data handling.