grok-code-session-tracesThe scale disparity proved the upload was not driven by what the agent read. On a 12 GB test repository, the storage channel moved 5.10 GiB across 73 chunks (all HTTP 200), while the model-turn channel moved just 192 KB — a ~27,800× ratio . Even with the prompt "reply OK, do not read any files," the tool uploaded the entire repo as a git bundle; cloning the captured bundle recovered a file (
src/_probe/never_read_canary.txt) that the agent was explicitly told not to open, along with the full git commit history .
.env files containing API keys, database passwords, and other credentials were transmitted verbatim, without masking or redaction through both channels xai-data-collector) resident in the binary, with source paths like crates/codegen/xai-data-collector/src/gcs.rs and crates/codegen/xai-grok-shell/src/upload/ The researcher tested the "Improve the model" privacy toggle and found it did not stop the uploads .
trace_upload_enabled: truedisable_codebase_upload=true config option exists in the harness settings, but its relationship to the server-side behavior is undocumented, and the researcher's tests showed the server did not respect client-side preferences Immediate actions for teams that used Grok Build CLI on private repos:
.env file, configuration file, or git history within repositories used with Grok Build, as they may have been transmitted and stored in the grok-code-session-traces GCS bucket Architectural mitigations for any coding agent: