The Channel Nobody Was Told About
The core finding is not that a coding agent read a sensitive file. It is that a second, separate pipe exists. Grok Build CLI opens two distinct network paths: a POST /v1/responses channel that carries the normal model-turn traffic, and a POST /v1/storage channel that bundles the entire tracked Git repository, full commit history included, and ships it as git bundles to a Google Cloud Storage bucket literally named grok-code-session-traces [1]. The second path fires independent of what the agent actually reads. To prove this was not merely the model ingesting whatever it happened to open, the researcher planted a canary .env file containing the string API_KEY=CANARY7F3A9-SECRET-should-not-leave that the agent was never instructed to open, then recovered that exact string, verbatim, inside the captured upload body [1].
That detail is what upgrades this from a privacy complaint to a demonstrated exfiltration. A file the agent never touched still left the machine. Files the agent did read, including real secrets, were transmitted unredacted, appearing in both the live model turn and a session_state archive pushed through the GCS bucket [2]. The bucket's name suggests intent: it was built to capture full session context as training or debugging traces, not to send only the handful of files relevant to the task at hand [1].


