#AI tools
gist.github.com · ⭐️ 9/10 · 2026-07-12
Security researchers discovered that xAI's Grok CLI (version 0.2.93) automatically uploads entire Git repositories and sensitive files like .env to Google Cloud Storage, even when prompts instruct not to read specific files. Disabling the 'improve model' setting does not prevent the upload. This vulnerability exposes users' proprietary code, API keys, and credentials by default, posing a severe privacy and security risk. It undermines trust in AI-assisted coding tools and raises questions about data handling practices. The tool sends file contents via two channels: embedded in model conversation requests and as a git bundle file. In a test with a 12 GB repository, over 5 GiB of data was successfully uploaded without rejection. The opt-out toggle in settings had no effect on the upload behavior.