{"rewrite":{"id":"r_f388d9412fb459968585325a","clusterId":"c_fbb3b380535b4f2ffb91d919","slug":"grok-build-sends-unredacted-secrets-and-full-git-history-to-xai","model":"deepseek-v4-flash","headline":"Grok Build Sends Unredacted Secrets and Full Git History to xAI","summary":"A security analysis by cereblab found that SpaceXAI's Grok Build coding assistant transmits API keys and passwords without redaction, and uploads entire Git repositories including files the AI never read and commit history. The data is stored in a Google Cloud Storage bucket. Disabling the 'use to improve model' setting did not stop the upload. Users are advised to revoke any exposed credentials.","whyItMatters":"The findings reveal a fundamental trust gap in AI coding assistants: developers cannot safely use them on sensitive codebases without risking exposure of secrets and proprietary code.","webCardHtml":"\u003cp\u003eIn a test with an 11.2 GiB repository, Grok Build transmitted at least 5.10 GiB before the recording was stopped, while only 192 KiB was used for inference. The analysis by cereblab, which investigates AI safety, showed that authentication information read by Grok was included unprocessed in the inference communication and also recorded in separate session-saving communications. Even when instructed to only reply without reading files, the tool uploaded a Git bundle containing the entire repository. The transmitted data was stored in a bucket called \u0026#39;grok-code-session-traces\u0026#39; on Google Cloud Storage. The upload continued even with the setting to not use data for model improvement disabled.\u003c/p\u003e\u003cp\u003eFor developers who have used Grok Build, the immediate concern is whether their repositories contained API keys, access tokens, or database passwords. If so, those credentials need to be revoked or reissued. Future use of the tool may require preparing a working repository that excludes confidential information and passing secrets via environment variables from a secret management service.\u003c/p\u003e","blueskyPost":"Security researchers found that Grok Build sends API keys and passwords unredacted, and uploads entire Git repos including unread files and commit history. Even with model improvement opt-out disabled, the upload continued. Developers should check for exposed credentials and revoke them.","twitterPost":"Grok Build leaks secrets: analysis shows unredacted API keys and full Git history uploaded to xAI servers. Even with 'use to improve model' off, uploads continue. Revoke any exposed credentials.","threadsPost":null,"newsletterBlurb":"A security analysis by cereblab has revealed that SpaceXAI's Grok Build coding assistant transmits unredacted authentication information and entire Git repositories to xAI servers, even when the AI does not need to read the files. The data is stored in Google Cloud Storage, and disabling the model improvement setting does not stop the upload. Users are urged to revoke any exposed credentials and prepare isolated working repositories for future use.","attributionJson":"[{\"source\":\"GIGAZINE\",\"url\":\"https://gigazine.net/news/20260713-grok-build-sending-data/\",\"title\":\"Investigation reveals Grok Build sent confidential information without redaction, also uploaded unread files and Git history\"}]","lintFlagsJson":null,"lintHits":0,"costUsd":0,"inputTokens":4203,"outputTokens":2339,"status":"published","repairAttempts":0,"nextRepairAt":null,"factsAttemptedAt":1783921194,"createdAt":"2026-07-13T05:37:03.000Z","publishedAt":"2026-07-13T05:37:29.000Z","updatedAt":"2026-07-13T05:37:03.000Z"},"cluster":{"id":"c_fbb3b380535b4f2ffb91d919","canonicalTitle":"Grok Buildが機密情報を伏せずに送信、未読ファイルやGit履歴もアップロードしていたとの調査結果","representativeArticleId":"a_6dad8301fcdc034e59efd1d0","sourceCount":1,"writtenSourceCount":1,"writeAttempts":0,"isSolo":true,"entitiesJson":"{\"anime_titles\":[],\"manga_titles\":[],\"work_titles\":[],\"studios\":[],\"people\":[],\"type\":\"news\",\"domain\":\"other\",\"is_roundup\":false}","contentType":"news","status":"published","firstSeenAt":"2026-07-13T04:10:00.000Z","lastSeenAt":"2026-07-13T04:10:00.000Z","updatedAt":"2026-07-13T05:37:29.000Z"},"attribution":[{"source":"GIGAZINE","url":"https://gigazine.net/news/20260713-grok-build-sending-data/","title":"Grok Buildが機密情報を伏せずに送信、未読ファイルやGit履歴もアップロードしていたとの調査結果"}],"entities":{"anime_titles":[],"manga_titles":[],"work_titles":[],"studios":[],"people":[],"type":"news","domain":"other","is_roundup":false},"keyFacts":null}
