By the time the engineer at CTOL Digital Solutions noticed something was wrong, the damage was already done.
During what was meant to be an ordinary performance evaluation of Grok Build, xAI's command-line coding assistant, engineers at CTOL Digital Solutions detected a pattern that transformed a product review into an emergency security response: massive, unexplained outbound network traffic bleeding out of machines running version 0.2.93 of the tool in July 2026.
What followed — wire listening sessions, payload reconstruction, and the subsequent discovery that independent security researchers had reached identical conclusions in parallel evaluations — has produced one of the most significant software privacy disclosures of the year. The convergence of CTOL Digital Solutions' internal findings with external research conducted separately and contemporaneously removes any doubt about reproducibility.
The Mechanics of Exfiltration
The findings are unambiguous. When Grok Build is run against a local repository, it silently constructs and transmits a complete Git bundle — a portable archive format containing every Git-tracked file along with the repository's entire commit history — to xAI's servers. The transmission is unsolicited, undisclosed, and comprehensive.
For developers, that bundle is not merely a copy of their current code. It is the full forensic record of a project: every version, every comment, every half-finished feature branch, every secret accidentally committed and later deleted. Deleted in the working directory, that is. Not from the bundle.
The exposure extends further. When Grok Build reads .env files for contextual assistance — a routine action for any coding agent — the contents of those files are transmitted via separate API requests. This means that database connection strings, API keys, private service credentials, and infrastructure secrets flow to xAI's infrastructure as a matter of course, regardless of whether those files were ever committed to version control.
The Opt-Out That Opts Nothing Out
What makes this finding structurally significant rather than merely technical is this: the data transmission occurs even when users have explicitly navigated to their account preferences and disabled the "Improve the model" setting. The toggle that users reasonably interpret as a data-sharing boundary is, based on the captured evidence, not functioning as one.
Independent testing across account tiers — free-tier and SuperGrok paid consumer accounts alike — confirmed the behavior persists regardless of subscription level. Only Enterprise-tier accounts carry Zero Data Retention guarantees. For the vast majority of Grok Build users who are not Enterprise customers, no such contractual protection exists.
Context: An Underwhelming Tool With Outsized Risk
The security disclosure arrives alongside a performance evaluation that was itself unflattering. Across nine client projects — four on established codebases, five built from scratch — CTOL Digital Solutions' engineering team assessed Grok Build's output quality and reasoning as roughly equivalent to GPT-4o-mini, a model positioned well below current flagship offerings. In a competitive market, the performance finding alone would be a commercial liability. Paired with the privacy disclosure, it reframes the calculus entirely: engineers are being asked to accept significant data exposure for sub-premium performance.
The Threat Model, Precisely Stated
Intellectual honesty demands that the caveats be stated plainly. These findings rest on network analysis and independent security research, not an official admission or technical disclosure from xAI. The behavior is confirmed specifically in version 0.2.93; prior and future versions have not been independently re-evaluated. And while untracked, gitignored .env files were not conclusively found inside the Git bundle itself, their contents were observed in separate network transmissions during active file reads — a distinction that offers little practical comfort.
xAI's Silence and the Documentation Gap
xAI has not issued a public statement addressing the findings. What it has issued speaks volumes by omission. The latest official Grok Build release — v0.2.98, published July 12 — carries a changelog that makes no mention of repository snapshots, secret exposure, or any security fix. The disclosure has been public; the silence in the release notes is a choice.
The company's enterprise documentation compounds the concern. xAI states that prompts and file contents are transmitted for inference, and that its Zero Data Retention policy prevents persistence "at the inference layer." That framing, however, does not address the separate whole-repository storage mechanism identified by researchers — the Git bundle upload that precedes any inference call. The enterprise documentation page carrying this language was last updated June 16, weeks before the public disclosure, and has not been revised since.
The Directive
CTOL Digital Solutions' internal conclusion is straightforward: no engineer is to run Grok Build inside any sensitive, proprietary, or client-related repository until xAI publicly documents a transparent remediation and that remediation has been independently verified. The tool is to be considered suspended for all serious use.
For the broader development community, the episode is a structural warning about an emerging category of risk: AI coding assistants operate with deep filesystem access, broad network permissions, and minimal mandatory disclosure. In that environment, the difference between a helpful tool and a data pipeline is, apparently, a single packet capture away.
Reporting is based on internal engineering documentation from CTOL Digital Solutions and parallel independent security research. All discoveries reported herein remain preliminary; CTOL Digital Solutions engineers intend to conduct a full, rigorous investigation when time permits.
