xAI open-sources Grok Build after covert repository upload scandal
TECH

xAI open-sources Grok Build after covert repository upload scandal

39+
Signals

Strategic Overview

  • 01.
    xAI published Grok Build on GitHub under Apache 2.0 on July 15, 2026 - 844,530 lines of Rust covering the agent loop, tools layer, terminal UI, and extension system - and simultaneously reset usage limits for all users.
  • 02.
    The release followed a July 12 security report proving Grok Build 0.2.93 was uploading entire Git repositories to Google Cloud Storage - 5.10 GiB from a 12 GB test repo vs. ~192 KB of model-turn traffic, a 27,800x disparity - regardless of the user-facing privacy toggle.
  • 03.
    xAI disabled data retention by default server-side on July 12 and pledged deletion of all previously uploaded user data, but the upload code remains compiled into the binary - only a server-side flag prevents transmission.
  • 04.
    An independent community fork, Gork Build, appeared shortly after the release with vendor telemetry and branding removed, while the official repo was published as a single commit with no development history, no pull requests, and GitHub issues disabled.

The Upload That Wasn't Incidental

When cereblab ran mitmproxy between Grok Build 0.2.93 and the network, the numbers ruled out any accident. A 12 GB test repository produced 5.10 GiB of outbound traffic to Google Cloud Storage bucket 'grok-code-session-traces' - 73 upload chunks of approximately 75 MB each - compared to roughly 192 KB of model-turn traffic. That is a 27,800x disparity. [1]The uploads captured unread files, full commit history, and unredacted secrets from .env files. The scale and structure - standard git bundle format, chunked to GCS - indicates deliberate engineering, not a misconfigured telemetry library.

The user-facing control that most users assumed governed this behavior - the 'Improve the model' toggle - had no effect on whether code left the machine. As cereblab stated directly: the toggle controls only whether data is used for training, saying nothing about whether code leaves the machine in the first place. [2]A separate server-side flag (disable_codebase_upload) was the actual control, and it was set permissively by default from Grok Build's May 25 launch until July 12. Developers who ran Grok Build during that seven-week window should rotate any credentials that lived in their repositories.

Source-Available, Not Open Development

The Grok Build repository at xai-org/grok-build arrived as a single initial commit. There is no development history, no pull request trail, no issue tracker - GitHub issues are disabled and the repository documentation explicitly rejects external contributions. [2]This structure defines what the release actually is: source transparency, not a community-governed project. Apache 2.0 permits forks and derivative works, but xAI has made clear it is not seeking collaborators.

The distinction matters for how developers should evaluate the release. Source availability makes the code auditable - Simon Willison noted that auditing is now possible in a way it was not before - but auditability is not the same as trustworthiness. [3]The upload code remains compiled into the official binary. Developers who want to fully control what leaves their machine must compile from source and point the binary at local inference. Those using the xAI-distributed binary are trusting that the server-side flag stays off. The community responded quickly: an independent fork named Gork Build appeared with vendor telemetry and branding removed.

The Upload Code Is Still There

The most consequential technical fact in the post-release analysis is one xAI has not disputed: the upload code remains compiled into the Grok Build binary. xAI's remediation was server-side - setting a flag that instructs the client not to upload. That flag lives on xAI's infrastructure. As byteiota summarized: xAI retains the technical ability to re-enable uploads for any user, on any session, without pushing a software update. [2]The open-source release does not change this for users running the official binary.

This gap is why the response from xAI - which frames the release as offering 'complete user privacy' - reads differently to security-minded developers. The source code lets anyone verify what the upload logic does and confirm that the server-side flag, when set, does suppress transmission. But verification of source code and verification of runtime behavior against a live server are different things. Developers who compile the binary themselves and point it at local inference can eliminate the server-side control entirely - and that is the meaningful privacy guarantee the open-source license actually provides. For enterprise teams with sensitive codebases, compiling from source and running against local inference is the only configuration where the privacy claim is self-contained.

What Developers Found Inside

Community analysis of the 844,530-line codebase surfaced several design choices worth examining for anyone building their own agent harness. The codebase is structured around four primary crates: the agent loop (context assembly, response parsing, tool-call dispatch), the tools layer (file reading, editing, code search), the terminal UI (scrollback, prompt handling, inline diff viewer), and the extension system covering skills, plugins, hooks, MCP servers, and subagents. [4]Roughly 97% of the code is original; 3% is vendored.

The community's technical read found the internals are mostly systems engineering, not AI. Notable implementation details include speculative context compaction (flagged as experimental), subagent recursion capped at depth 1, and a token counter implemented as bytes divided by 4 rather than a proper tokenizer. [5]The kernel-level command approval system - requiring explicit user confirmation before shell execution - was cited as the most transferable pattern for independent agent builders. For comparison, OpenAI's Codex CLI contains 950,933 lines of Rust. The Grok Build release drew 11,400 GitHub stars and 1,900 forks shortly after publication.

Historical Context

2026-05-25
Grok Build launched in early beta as a terminal-native AI coding agent for professional developers.
2026-07-08
Grok 4.5 model released; Grok Build updated to run on this model.
2026-07-12
Security researcher published wire-level analysis proving Grok Build 0.2.93 was uploading entire Git repositories to Google Cloud Storage bucket 'grok-code-session-traces' - 5.10 GiB from a 12 GB test repo in 73 chunks, including unread files, commit history, and unredacted secrets.
2026-07-12
Disabled data retention by default server-side (setting disable_codebase_upload: true), stopping repository uploads without a client-side software update.
2026-07-14
Publicly promised to delete all previously uploaded user data after the cereblab report reached the front page of Hacker News.
2026-07-15
Published Grok Build source code on GitHub under Apache 2.0 in a single initial commit with no development history. Simultaneously reset usage limits for all users and offered a bug bounty of $100 to $20,000.

Power Map

Key Players
Subject

xAI open-sources Grok Build after covert repository upload scandal

XA

xAI

Developer and publisher of Grok Build. Released source under Apache 2.0, disabled data retention by default, and pledged deletion of all previously collected user data.

EL

Elon Musk

CEO of xAI. Made public commitments to delete all previously uploaded user data and backed the open-source release as a transparency response.

CE

cereblab

Independent security researcher whose mitmproxy wire-level analysis of Grok Build 0.2.93 documented the covert upload behavior and triggered public and corporate response.

SI

Simon Willison

Datasette creator and developer commentator. Analyzed the release and noted the code made Grok Build auditable in a way it was not before, while cautioning that source availability differs from vendor trustworthiness.

DE

Developer community / Gork Build fork

Downstream consumers who forked the codebase (github.com/thedavidweng/gork-build) with telemetry removed, and provided technical analysis of the agent internals.

AN

Anthropic / OpenAI / Google

Competing AI coding agent providers. Comparative testing showed Claude Code and Gemini CLI did not transmit full repository bundles under equivalent conditions.

Fact Check

5 cited
  1. [1] cereblab mitmproxy analysis of Grok Build 0.2.93
  2. [2] Grok Build Is Open Source But the Upload Code Remains
  3. [3] Grok Build open-sourced
  4. [4] SpaceXAI Open-Sources Grok Build: The Rust Agent Harness, TUI, and Tool Layer Behind Its Coding CLI
  5. [5] SpaceX open sources Grok Build in same week company was found beaming users repos to the cloud

Source Articles

Top 5

THE SIGNAL.

Analysts

"Open source plus local-first deployment lets teams verify behavior instead of trusting marketing copy - a stronger remediation arc than most closed-source agents offer. But Willison draws a clear line: auditing source code differs fundamentally from vendor trustworthiness. The release is trust recovery, not a cryptographic proof."

Simon Willison
Datasette creator, Django co-creator, developer commentator

"The user-facing privacy toggle controlled only whether data was used for model training - it said nothing about whether code left the machine in the first place. The mitmproxy analysis showed a 27,800x disparity between upload volume and model-turn traffic, with unread files and unredacted secrets captured."

cereblab
Independent security researcher

"xAI retains the technical ability to re-enable uploads for any user, on any session, without pushing a software update. The upload code remains compiled into the binary. Developers who compile from source can eliminate this risk; those using the official binary cannot."

byteiota
Developer commentary publication
The Crowd

"Grok Build is now open source"

@@elonmusk18222

"We've open-sourced Grok Build and have reset usage limits for all users. Open sourcing Grok Build allows anyone to support making a reliable and robust harness. Check out our code, including the Git repo for the Grok Build CLI."

@@SpaceXAI14968

"In response to user questions about privacy: Since launch, Grok Build has fully respected zero data retention (ZDR). All users have always had the ability to disable data upload in the CLI. When data upload was disabled, this choice was respected. In the early beta, data retention was enabled by default for non-enterprise users."

@@SpaceXAI2479

"xAIs Grok Build CLI uploads users entire Git repositories to Google Cloud Bucket, discovered By security researcher"

@u/CircumspectCapybara387
Broadcast
Grok Was Caught Uploading Your Entire Codebase

Grok Was Caught Uploading Your Entire Codebase

I Put Grok Build to the Test

I Put Grok Build to the Test

Privacy Disaster Pushes xAI to Open-Source Grok Build

Privacy Disaster Pushes xAI to Open-Source Grok Build