This week, a security researcher reported one of the sharpest examples yet of an AI tool overstepping its boundary. Grok Build, xAI's coding CLI, available to every SuperGrok and X Premium Plus subscriber since late May, was inexplicably uploading entire Git repositories to its service, far more than the files it needed to do its job. If your development team uses Grok, or if you even suspect AI coding tool usage, this one is worth five minutes of your day.
What happened
Grok Build is a command-line coding agent built by xAI. It works much like Claude Code, OpenAI's Codex CLI, or Google's Gemini CLI: developers point it at a repository, give it a task, and let it read and write code. Every tool in this category sends some source to a remote model to do its job, and reasonably, that means the files a task actually needs. That is where the peers draw the line: in the researcher's own cross-tool comparison, Claude Code and Codex sent no repository bundle at all.
But that is not what was happening with Grok Build. As reported by a security researcher who intercepted Grok Build's traffic (version 0.2.93), two extreme behaviors were documented:
- It was uploading the entire Git repository, every tracked file plus full commit history, to a cloud storage bucket run by xAI. This happened independent of the task it was prompted to execute. In one test, a 12 GB repo of files the model never opened left the machine.
- When it did read a file, the contents went to xAI verbatim, unredacted, both in the request to the model and in an archive bound for the same storage. That included a tracked .env file, with API keys and database passwords.
This was all happening regardless of privacy settings. Even with "Improve the model" (the setting that governs whether your data is used for training) turned off, the uploads continued.
Why nothing caught it, and why Bold can
This incident illustrates the mess that follows when organizations lack the visibility to know if and how they were affected. And in most security stacks, nothing would have flagged it.
Why?
- Grok Build is a desktop CLI. There is no browser session for a browser tool to inspect.
- Network and cloud tools see traffic to an approved-looking cloud provider, but completely lack the endpoint context and data activity: which repositories, which files, and what data.
- The endpoint is the one place a tool like this is visible. But the tools that live there, like EDR, look for malware and attackers, not for sensitive data flowing into a legitimate app.
But more than a shadow AI risk, it's a data risk. A repository is more than code. Repos hold proprietary IP, internal URLs, customer data, and infrastructure details. Commit history holds every version of all of it. Not to mention the unredacted secrets and credentials uploaded, giving attackers keys to the front door if that data is ever exposed.
This is exactly the kind of incident Bold was built for.
Bold runs AI locally on every endpoint, the layer that network and cloud tools structurally cannot see. That vantage point shows which AI tools are in use, including desktop CLIs like Grok Build, and what is going into them: source code, credentials, customer data. And because Bold reads the device's process tree, it can tell whether a human or an AI agent moved the data, and step in before something sensitive leaves the device rather than logging it after the fact.
What to do right now
While there is no evidence that the code was used for training or read by anyone, there are questions regarding why this happened, how long the data was retained, and how many users were affected. xAI responded quickly, disabling the behavior server-side, and Elon Musk asserted that uploaded data would be "completely and utterly deleted."
But be very clear: the upload code is still present in the current binary, held off by a server-side flag rather than removed.
Our advice: Assume that someone in your organization was running Grok Build. Even if you don’t know or suspect it was in use. Then, treat every credential the tool could have reached as exposed and rotate it. That includes:
- Any secret in a file the agent read during a task
- Any secret in a tracked file, whether or not the agent opened it
- Any secret that ever lived in commit history, including one you committed and later deleted. Removing a file from the working tree does not remove it from history, and history was part of the upload.
Files that were gitignored and never committed stayed out but may have been read by the agent and exposed anyway, so assume everything was shared.
Once you’ve rotated your creds, assess your broader impact to understand what data may have been sent to xAI’s cloud. The first step is knowing where Grok Build was running and who was running it.
If you don’t know whether your developers are using Grok Build, or what other AI tools are running across your fleet, we can help you find out. Bold deploys in minutes through your existing device management tool, with zero configuration, and shows you where AI tools are in use and what data is flowing into them. Get in touch here or shoot us a note atinfo@bold.security.
Beyond that, be prepared. Something at this scale may or may not happen again, but your data is probably leaving through shadow AI tools on your endpoints every single day and your existing tools are blind to it.

