What xAI's Grok build CLI sends to xAI: A wire-level analysis (gist.github.com)

368 points by jhoho 19 hours ago

phaseleza 17 hours ago

I always separate the coding tools from LLM providers, and use bubblewrap to sandbox the coding tools so they:

1. Can only read the working project directory, with .git read-only and sensitive directories hidden (mounted as empty directories).

2. Have an isolated network namespace; they can only access the internet through an HTTP proxy hosted on a Unix socket, can only access specific LLM provider hostnames, and exclude the tool's own hostname.

For example, with Crush, I will let it access *.openrouter.ai (LLM providers) but not *.charm.land (Crush's domain for auto-updating the LLM list).

This makes me feel much more comfortable enabling "yolo" mode and letting the tools do everything.

teravor 16 hours ago

with bubblewrap it's better to pull a rootfs from dockerhub (eg. debian:unstable) then bootstrap it into a fully fledged distro rootfs living in its own folder. install the AI agents right into it, then create launch scripts that invoke bwrap with the distro rootfs (readonly) and a custom read-write /home/user and run whatever you want inside it - it will not see anything important outside the directory you give it. you can also run multiple agents each invisible to the others.

for bonus points you can uplift the bwrap container into an actual sandbox by invoking gvisor (`runsc ... do ...`) from inside it, or a virtual machine monitor like muvm. I'm really fond of this pattern because you can trust bwrap to set up the environment, then you just need a sandbox tool to lock it down.

bwrap by itself will probably be sufficient against most adversaries as assuming proper config it would require committing to using a linux kernel 0day to escalate privs.

phaseleza 14 hours ago

Thanks for the suggestions. I've used debootstrap to build a Debian rootfs for bwrap before, but my threat model is simpler: nothing sensitive lives outside $HOME on my machine. So I just ro-bind the system dirs I need and give the sandbox a tmpfs home (one-shot apps) or a persistent fake home (stateful apps, under ~/.var/app/<appname>). This is good enough for my case.

The gvisor layering looks promising though. I'll take a look and see if it would be useful.

timr 16 hours ago

What's your mechanism for doing this?

phaseleza 14 hours ago

I use bubblewrap to unshare all namespaces (net, pid, ipc, user) and ro-bind necessary system paths like /etc, /lib, create a tmpfs home, mount the project folder under it (writable), then mount tmpfs over sensitive directories inside the project to hide them.

For the network part, a daemon outside the sandbox serves a filtering HTTP proxy on a Unix socket. I mount the Unix socket into the sandbox and bridge it to localhost with socat. With the net namespace unshared, the app can't reach the network at all except through this proxy, which only allows LLM providers.

By separating the coding tool from the LLM provider, I feel safer: the coding tool cannot leak anything on its own. It can only talk to the LLM provider, so a real leak would require the provider to be complicit too. And any sensitive files, inside or outside the project, are hidden by the mount namespace, which I suppose is hard to escape.

khurs 11 hours ago

Think they are referring to this https://github.com/containers/bubblewrap

perching_aix 8 hours ago

> This makes me feel much more comfortable enabling "yolo" mode and letting the tools do everything.

But is this only a feelings thing, or did this additional hardening ever actually catch something nasty?

I find that models that do really dumb shit where constraints pay off are models not worth using in general.

Not a knock on the practice, I'm in the process of hardening my own stuff too, just curious.

gitgud 17 hours ago

This is one of the reasons why native proprietary coding agent runners like claude-code, codex, grok-build etc are so dangerous for privacy… you just don’t know what “secret sauce” they’ll add in the next update…

It’s much safer to use something like opencode and use models via their API… however, the tradeoff is that it will never perform as well as it does in their native agent runners…

gruez 17 hours ago

Give enough usage, you can reconstruct an entire codebase via tool calls alone, and it'll be entirely undetectable because it's all done server side. Whatever grok's doing is just more blatant, but using opencode or whatever doesn't create a meaningful security boundary. It's like the meme of using cheetos as a lock.

rohansood15 17 hours ago

I agree with you, but Codex is open source.

msdz 15 hours ago

Is the server side open-source too, as gruez brought up in the sibling comment?

Technically they can still do potentially any- and everything undetected there; and for what it’s worth, even with a closed-source client bad behavior would get detected eventually through network inspection.

maxloh 16 hours ago

Yeah. Not the Desktop App though.

zuzululu 15 hours ago

hansvm 16 hours ago

> the next update

That's a major problem in its own right. Yes, not updating an XP SP1 RCE immediately is dangerous, but in the last couple decades I've seen far more damage inflicted from automatic updates than what I think the lack of them would have caused.

_davide_ 15 hours ago

I'm using my own agent, but i can't risk blocking the company account with it.....

jimmydoe 17 hours ago

last time I checked, codex is still open source w Apache-2.0 license

freakynit 18 hours ago

"It uploads the whole repository — every tracked file's content plus git history — independent of what the agent reads"

Holy cow!!!! I mean I kinda expected Elon would do something like this to try to catch-up.. but this is extremely concerning.

This is precisely the reason, even though their pricing is competitive and grok-4.5 is actually good enough, I chose not to go with them.

whateveracct 14 hours ago

it's straight up data exfiltration and should be illegal

faangguyindia 17 hours ago

Does OpenAI also have access to all github repos via partnership with microsoft?

taywrobel 16 hours ago

GitHub Copilot engineer here working on identity, safety, and privacy - no, even Microsoft doesn’t have access to all GitHub repos.

As years have passed since the acquisition “company” delineations have blurred a bit, but Microsoft employees still need to go through a separate onboarding process to access any GitHub company resources (internal repositories, telemetry, documentation, etc.), and then we have an additional layer of entitlements to gate and audit access to any sensitive data, including user data.

Very few employees within GitHub proper even have access to view private repositories, and in the rare cases where that’s done for legal or safety reasons the repository owner is notified.

There are currently no OpenAI employees with access to GitHub systems, so there’s about 4 layers of protection in place to prevent private repositories access. We do genuinely take user data protection and privacy seriously.

csande17 14 hours ago

anonymousiam 15 hours ago

jpollock 17 hours ago

It would be _extremely_ surprising if private repos were available via that contract. Corporations wouldn't use GitHub at all if anyone other than those given direct access had read/copy permission.

processunknown 16 hours ago

t_gamer_kle 17 hours ago

gorgonian 17 hours ago

culi 17 hours ago

Absolutely not. That would be an absurd violation. If you have Copilot enabled then they can use your interaction data for training but you can turn that off as well

Frannky 15 hours ago

I was hesitant to try the free trial exactly because I haven't found any info about what data was required to share...

ashishb 17 hours ago

There is a reason I run all such CLIs inside a sandbox [1] giving limited directory access.

Imagine if the CLI pulled your SSH keys or other sensitive information by mistake?

Programmers do make such mistakes all the time. I don't want to count on whether "uploading all files it can access" is intentional or a mistake.

1 - https://github.com/ashishb/amazing-sandbox

exitb 16 hours ago

What’s described here isn’t connected to the agentic/AI nature of the software at all. Every single program you run as a regular user could potentially do this.

ashishb 16 hours ago

potamic 14 hours ago

The readme is confusing. You say it has bubblewrap, but you also have an FAQ saying why not to use bubblewrap? Another FAQ says why not to use sandbox-exec for mac, yet the link for mac goes to sandbox-exec?

beepbooptheory 17 hours ago

But in this particular case isn't the problem that it's sending everything in the sandbox? Rather than what it might do in an otherwise un-sandboxed system?

ashishb 14 hours ago

oseityphelysiol 15 hours ago

It would be extremely naive to assume Elon, or even a real human had a hand in this. The whole analytics pipeline is very likely vibecoded and never reviewed by a human.

Karmakosmik 15 hours ago

Isn't that expected? I always assumed the agent owns (at least) the current workspace (whatever dir it's launched in) and so can do whatever it wants in there. If they actually use this try and do things in the backend and saving prompt RTTs and tool calls that would be in my interest, no?

dannyw 14 hours ago

No, there’s the normal messages API which is what’s used to read files and deliver responses.

The author has identified a second endpoint which exfils your whole project folder, into a GCP storage bucket. Anyone who designs large scale distributed systems can tell this is to scoop up training data.

j_bum 17 hours ago

I wish a human would’ve written the overview.

Nonetheless, this is disturbing.

gruez 17 hours ago

Yeah this could be boiled down to maybe 2-3 paragraphs with maybe a few code blocks to show what's uploaded. This AI report is just a slog to read through and turned me off after 10s of skimming.

eternauta3k 14 hours ago

Or even just that a human had iterated a bit more with the LLM to improve the style.

5701652400 18 hours ago

will this endup in their "macrohard" (automate any business) project?

will this endup in their "everything app"?

guess you do not need to build "everything" yourself, when you can steal it.

avaer 17 hours ago

The icing on the cake is that users are ostensibly paying for the privilege. What a business model...

If I had no morals and was running one of these companies I would be stealmaxxing before anyone notices the scale of the grift and regulations start getting in the way.

I'm not saying they are doing this, but that's what the incentives are lined up for.

5701652400 17 hours ago

exactly. looks like this is what they doing

Geee 16 hours ago

Isn't it assumed that the AI agent is allowed to read your files in the directory you launch the harness? Most agents read your code on the first prompt, including any secrets you have there, which you shouldn't have. Also the .env file is for local environment, and shouldn't contain any actual secrets. AI agents should be isolated from any actual secrets, because they can't be trusted to follow instructions.

If you adjust your expectations, I think it's be better to upload the code to their servers instead of sending it through context over and over again.

dminik 12 hours ago

It will have to be sent through the context again. That's how LLMs work.

The only reason to do this is so that Musk has clean training data for his next model. Project setup, popular libraries, CI workflows, etc.

edg5000 16 hours ago

Even if it's uploaded once, it's still being ran through inference. It saves a bit of HTTP traffic I suppose.

timr 16 hours ago

> Isn't it assumed that the AI agent is allowed to read your files in the directory you launch the harness?

Yes. There's very little story here. Maybe Grok is being like 10% more aggressive than other providers in how they assemble context (more likely: it was faster to ship this way), but any provider has the ability to do the same thing, and will happily do it if it helps improve results. Authors acknowledge this openly, but it's buried:

> "Cloud AI tools send context; this is normal." True, and conceded: any cloud coding agent must send code to its server to act on it. The novel deltas here are (a) a secrets file (e.g. .env) is transmitted unredacted, (b) the content is persisted to a named GCS bucket, not just processed transiently, and (c) the upload mechanism is not surfaced in the CLI's setup materials (§7) and on by default.

This is the entire controversial portion of the finding, in a single paragraph.

As far as the .env thing goes, you shouldn't be putting unencrypted .env files in the accessible path of any LLM. If you do, you're asking for trouble. It would obviously be better if Grok identified secrets and ignored them, but this is not a behavior you should rely on.

pedromoss 13 hours ago

This is exactly why tools like Landstrip[1] exist. Sandboxing is a good mitigation to an extent, but it cannot address every class of attack. If an agent allows untrusted content to influence privileged decisions, the underlying design still has a large attack surface. Claude Code is also susceptible to this class of issue because of how its plugin interface works.

[1]: https://github.com/landstrip/landstrip

pedromoss 13 hours ago

Also, I'm not particularly fond of using VM/microVM for sandboxing agents. This aligns with my line of thought: https://www.linkedin.com/pulse/why-your-microvm-sandbox-solv...

jstanley 18 hours ago

One reason to want to upload the entire codebase is that it allows them to have the model inspect the codebase during "thinking" without going back to the client to do real tool calls.

It's not a really great reason, because what's the downside of going back to the client? But that's the best reason I can think of.

5701652400 18 hours ago

more like it allows them to steal your trade secrets, app designs, internal business knowledge, or even just replicate whatever code/app/tool/process you had.

what was your private code, becomes their code now.

faangguyindia 17 hours ago

Your trade secret is already gone the moment you unleashed non local ai agents on your codebase.

This is why I keep a separate repo for important parts that I do not want competitors to get access to, and only use ai on dumb parts which I don't care if get leaked tomorrow.

5701652400 17 hours ago

Gagarin1917 17 hours ago

If you’re worried about this why are you using a third party AI in the first place?

Running any query in Claude or Codex could result in the AI reading/uploading any file in your codebase.

5701652400 17 hours ago

jstanley 18 hours ago

Possibly, but people were worried about this with cloud hosting when it first came out, and it turned out to be a total nonissue.

avaer 17 hours ago

5701652400 17 hours ago

SR2Z 17 hours ago

maronato 14 hours ago

I think it’s so people can “remote control” from their phones even if their computer is offline, via a container somewhere. Then they can get back to local dev, syncing the changes from their GCP bucket. Seems reasonably useful to me - not give-Elon-my-entire-repo useful, but useful. The fact that they made it something you can’t opt out of and wasn’t disclosed at all really reinforces that they shouldn’t be trusted with it.

goos 15 hours ago

> The "Improve the model" toggle makes no difference — ON or OFF, the whole repo is uploaded the same way.

Oh wow that's real bad. I'm assuming most AI shops' own harnesses do something similar when you opt in for their data collection, but them doing it even if you turn it off is diabolical.

outloudvi 15 hours ago

May I put some contents against GCP's AUP in my repo, wait for Grok Build to upload them, and report the bucket to Google?

rmunn 14 hours ago

I'd be happier if that gist had been actually written by a human. As it is, I have very little way of verifying, until someone else can confirm the findings, that the AI tool that produced that report didn't hallucinate part or all of it. It might all be accurate, for all I know, the point is that I'm having a hard time trusting an AI-generated report until it's been verified.

Does anyone know if there's anyone else who has reproduced these findings for themselves yet?

websap 15 hours ago

How do these findings compare to Codex, Claude code, and cursor

charcircuit 15 hours ago

Cursor is the closest as it uploads your entire source code to build a search index.

khurs 11 hours ago

SpaceX bought cursor, so one and same now

EdwardDiego 15 hours ago

Oh and they just shipped Grok in Cursor. Yay.

jacobgold 17 hours ago

With all the coding agent options, you're choosing to trust your computer, code, and business to whichever harness, model, and provider you pick.

It's not a great state of affairs, but that's where we are.

Choose wisely my friend.

IAmGraydon 28 minutes ago

A criminal is doing criminal things. Please, let’s not act surprised. The person who runs this company is the very worst kind of human being, literally shutting down agencies to stop investigations into his business practices. I would actually be surprised if he wasn’t doing shady things to try to catch his garbage product up with the competition.

dimgl 17 hours ago

Grok Build has had impressive performance in a couple of my projects. And fast. So this revelation has been very disappointing...

I will say, a majority of the code I'm writing now is fully through an online LLM. If a company wanted to reconstruct a project I'm working on, they could just replay all of the tool calls from their logs, if they decide to retain the data (I did this locally once to recover a project that I mistakenly clobbered in Git).

Still, this is a big overstep IMO. At the very least, they should make it clear in their terms of service and privacy policy, and not hidden through legalese. Not all usage of Grok Build will be through their enterprise plan which offers ZDR.

swat535 4 hours ago

Grok Build has been useless for me personally. Claude is the only one that works best.

I find Deepseek to be a great compromise between cost and performance. Anthropic and OpenAI are simply too expensive at this point.

rvz 17 hours ago

But you also have handed over your secrets, dotfiles and API keys alongside with your source code to xAI.

I'm afraid you have been scammed.

dimgl 17 hours ago

A bit hyperbolic, no? A majority of code is now written through Claude and similar services.

Catloafdev 17 hours ago

culi 17 hours ago

> It transmits the contents of files it reads — including a .env secrets file — to xAI, verbatim and unredacted.

This has to be the most successful mass surveillance campaign of all time

hansvm 16 hours ago

Downloading the SSN/tax/etc data from the entire US wasn't bad either.

lstodd 14 hours ago

since github. or you truly believed your code was private in private repos? I never understood that belief of a label on a button.

since jira-cloud, or you truly believed your processes were private?

leaks are assured, but centralisation amplifies impact. no one cares if your self-hosted something gets owned _because_ it does not affect anyone else.

...

culi 3 hours ago

Neither of those examples have access to, what are basically, passwords you use for other services

lstodd 2 hours ago

drnick1 16 hours ago

Claude gets its own UNIX account on my dev machine. I would never trust it not to read .ssh or other sensitive private information in my home directory or elsewhere.

In view of this, I should probably go further and bubblewrap it to restrict /etc, /proc and other things it legitimately does not need to do its job. I already do that for programs such as Steam (and games therein) to mitigate the possibility that they may spy on me.

dd8601fn 16 hours ago

Claude reads secrets all the time. It just also tells me when secrets enter context and reminds me that they should be rotated later.

khurs 10 hours ago

I imagine the terms and conditions state:

-All disputes to be dealt with by arbitration

-You agree to not have a trial by Jury

If you go with an Elon company, you kinda have to expect ruthlessness

5701652400 18 hours ago

haha so they just stealing entire codebases?

jeffnash 15 hours ago

This is precisely why I run a custom fork of CLIProxyAPI on a private railway server for all my agentic coding. The OG version is indispensable already and has XAI Oauth support, so you can use your subscription to call Grok from any Anthropic OR OpenAI compatible client (Claude Code, Pi, Codex, you name it). To be honest, though, I am bummed, as I do really like the grok build client. The TUI is great in the ways that matter without going out of its way to make it clear that "I'M A MID-LATE 2020s TUI LOOK AT ALL THE NOT USUAL STUFF YOU CAN DO WITH ME".

Grok aside, this has become an increasingly large concern of mine, especially now that I've expanded my usual provider rotation beyond the big 2. Out of arguably reasonable paranoia, I recently bolstered my own personal CLIProxyAPI fork to use an algo similar to gitleaks/betterleaks to, on the fly, scan the incoming (i.e. from my coding agent) stream for any secrets that may have been transmitted from disk, replace them with a unique identifier, send that off to the upstream provider, and then replace the secret (mapped to that identifier in memory, encrypted and with TTL) before sending any response back. That way, if the "secret" is either not really a secret and/or truly is needed in whatever tool call or response, the replacement is seamless to the client but the provider never sees your code.

No, it's not foolproof: it can't prevent some upstream actor from, say, using the on-disk key to your secret in a rogue tool call that uploads it from your device directly to an endpoint of theirs, but the low-hanging fruit like this is, IMO, the equivalent of not leaving all your windows open when you're naked. Virtually no downside or inconvenience to you, gets probably 3-4 9s of cases where someone would be inclined to see something they shouldn't because it's that easy.

The alternative is literally having to approve every read request (is this even a thing now?) and spend the mental energy ensuring that each and every file could not possibly contain a secret. I'd rather just code by hand at that point.

oxydite 11 hours ago

I wonder how many of you guys actually read this kind of reports (or even skim through)? At the first glance it looks to me like someone just asked an agent for a security review of this CLI and then pasted results to the gist.

When I see a report like that I just assume it's a low-effort AI slop and stop reading immediately. Why would I read it since I can do the same with my agent and with that understand it better? Or if I'm really lazy then just copy paste this report and ask for a summary or have a discussion.

luciana1u 16 hours ago

the Grok Build CLI phoning home with your code is just xAI's way of making sure someone, somewhere, is actually reading your pull requests

tkamado 12 hours ago

How is this not on the frontpage, this should be editorially pinned given the number of programmers here

Ardren 9 hours ago

You know why :-)

thejazzman 16 hours ago

So xAI now has a "legal" copy of all of Tesla's code? Convenient.

https://electrek.co/2026/07/10/musk-tells-tesla-staff-switch...

treexs 16 hours ago

To be fair, most coding agent cli's by the labs do this and are opt in by default, it's just this does too

edg5000 16 hours ago

None of them upload the whole repo, which is what this link claims it does. That's unheard of.

rvz 17 hours ago

Both Grok and Claude Code are malware.

This is another reason to use open source harnesses and open weight local models.

rescbr 17 hours ago

Now, where are the people afraid of the Chinese AI companies, who claim they are going to copy their very precious code...?

5701652400 17 hours ago

using them in VSCode all the time for months now. Qwen from Alibaba Cloud, Deepseek from deepseek.com. none of them upload entirety of codebase or even attempt to.

in fact, opposite. Chinese AI seem to post-process heaviliy locally.

they are always using head / tail, grep, sed, and do as much as they can locally and extrac meaningful data and send home (AI inference chunks). only what is really needed.

it is actually hard to force Chinese AI modesl to read full files, they really do not want to see them. even 400 lines files, is usally hit first for first line, first 50 lines. and at most 200 lines chunk reads, and give up at one or two reads.

tredre3 17 hours ago

> none of them upload entirety of codebase or even attempt to.

How do you know? Did you do an analysis like OP did?

5701652400 16 hours ago

rescbr 17 hours ago

For me, them allowing API usage on coding plans so we can use any harness, and returning the full unabridged reasoning back are how they earned my trust.

5701652400 16 hours ago

sroerick 17 hours ago

The second I opened Deepseek, it had my harness scan my entire home dir. Not sure what's worse here.

rpdillon 7 hours ago

I use omp with Deepseek v4 Flash and Pro. Probably put about 20 million tokens through it. I've never seen this. US-hosted versions. Opencode Zen.

rescbr 17 hours ago

Weird. I have seen it asking the harness to do `find ~ -type f | grep` to try and find my agent configuration .json file when I asked it to add a MCP server. Stupid, but they weren't sending the files back home. This was with older models though. Newer ones are a bit smarter than that.

higginsniggins 17 hours ago

Friendly reminder: since Musk now owns Cursor, there are a bunch of really good open-source alternatives you can use.

JumpCrisscross 16 hours ago

It still somewhat blows my mind that xAI is allowed to operate in Europe given e.g. GDPR et al. Closest I can come to is Musk is above the law even in the EU given his relationship to Trump.

supriyo-biswas 15 hours ago

Mostly like enforcement is slow and I’m not even sure if someone has sent in a complaint.

charcircuit 17 hours ago

The simplest way to disable uploading your repo is disabling it in the config.

    [harness]
    disable_codebase_upload=true

JumpCrisscross 16 hours ago

> simplest way to disable uploading your repo is disabling it in the config

Have you verified this flag is respected?

charcircuit 16 hours ago

I verified it statically that the config value is checked and skips the upload code if it is set to true. I don't have a subscription, so it would be cool if someone could verify it statically.

culi 17 hours ago

This is completely made up. The Grok Build CLI reference lists no such thing. Whatever LLM you asked probably hallucinated this.

charcircuit 17 hours ago

>completely made up

If you want easily verifiable evidence, run strings on the Grok Build CLI binary and you will see:

    Codebase upload skipped: disabled by config (harness.disable_codebase_upload=true)

fareesh 14 hours ago

sam altman: aww you're sweet

elon musk: hello human resources

looksjjhg 17 hours ago

[flagged]

dang 2 hours ago

"Eschew flamebait. Avoid generic tangents."

https://news.ycombinator.com/newsguidelines.html

Edit: I suppose I'd better add that this is not a defense of $THAT_GUY - just an attempted defense of HN comment quality.

Edit 2: Could you please stop posting unsubstantive comments and flamebait generally? It's not what this site is for, and destroys what it is for.

For example, we ban accounts that post things like https://news.ycombinator.com/item?id=48878096 and your account history unfortunately has quite a bit of this. If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.

datsci_est_2015 13 hours ago

Shades of:

> People just submitted it. I don't know why. They 'trust me'. Dumb f..ks.

- Zuckerberg circa 2004, in case anyone is out of the loop

jimmydoe 17 hours ago

there are 2.7 m starlink subscribers in US, I don't think they are fools.

Catloafdev 17 hours ago

Those are people without a better option.

Big difference vs xAI, where the sentiment is valid.

jimmydoe 5 hours ago

ahofmann 15 hours ago

There is a German proverb, that goes roughly like this: "eating shit is good for you, billions of flys can't be wrong!"

whateveracct 14 hours ago

that's like 1% of the US

we definitely have that level of mental deficiency in this country..

hippich 16 hours ago

this is bad... but just for chuckles, i asked grok cli to check disclosure and look through the binary and logs to see which config would stop it from doing that. no idea if it truly works, but here it is:

  Config after fix (~/.grok/config.toml)

  [harness]
  disable_codebase_upload = true
  
  [telemetry]
  trace_upload = false
  
  [features]
  telemetry = false