Grok Build secretly uploaded developer secrets, undermining EU enterprise push
xAI’s Grok Build coding tool was found sending entire repositories and committed secrets to its servers, dealing a fresh blow to the company’s credibility among European enterprises already wary of its privacy record.
A security analysis published on July 12 revealed that xAI’s Grok Build coding tool was packaging developers’ entire tracked Git repositories and transmitting them to a Google Cloud Storage bucket. By intercepting the upload of version 0.2.93, the researcher, publishing as cereblab, cloned the git bundle and recovered a file the AI agent had been explicitly instructed not to open. The analysis found the upload volume was roughly 27,800 times greater than the data required for the actual coding task.
Crucially, these transmissions included full Git histories, committed secrets, and API keys. The wire-level data directly contradicts xAI’s marketing claims that "nothing from your codebase transmitted to xAI servers during a session." Furthermore, multiple reports indicated that the tool’s built-in privacy toggle, designed to prevent such data transmission, did nothing to stop the uploads.
For xAI, the nature of this breach is particularly damaging to its commercial strategy. Grok Build launched alongside Grok 4.5 specifically as the company’s answer to Claude Code and Cursor. Capturing market share from those established rivals requires convincing enterprise developers that proprietary code will remain secure, a baseline standard xAI has now failed to meet.
The incident will likely deepen existing scepticism among European businesses. European regulators have previously warned that Grok's training on X user data without consent represented a "very likely" breach of EU law. Reflecting these ongoing data governance concerns, a quarter of European firms have already banned Grok entirely in favour of alternatives with better security controls.
Elon Musk subsequently confirmed the unauthorised uploads and stated that SpaceXAI would delete all prior Grok Build user data. The company has moved to document a "zero data retention" policy and added a /privacy endpoint to the tool. A subsequent test by the same client observed a server-side flag successfully disabling the uploads.
However, the damage to xAI's enterprise reputation may be difficult to reverse. No independent audit has yet confirmed that the previously captured repository data, including the exposed secrets, was actually purged from the cloud storage bucket. For European firms evaluating AI coding assistants, the lack of verified remediation leaves a significant trust deficit.