Anime, manga, and games, with a take · A Yukimedia publication

← all stories other 1 sources · 1h ago ·

Grok Build Sends Unredacted Secrets and Full Git History to xAI

The findings reveal a fundamental trust gap in AI coding assistants: developers cannot safely use them on sensitive codebases without risking exposure of secrets and proprietary code.

Reporting from 1 source: GIGAZINE.

Grok Build Sends Unredacted Secrets and Full Git History to xAI

A security analysis by cereblab found that SpaceXAI's Grok Build coding assistant transmits API keys and passwords without redaction, and uploads entire Git repositories including files the AI never read and commit history. The data is stored in a Google Cloud Storage bucket. Disabling the 'use to improve model' setting did not stop the upload. Users are advised to revoke any exposed credentials.

In a test with an 11.2 GiB repository, Grok Build transmitted at least 5.10 GiB before the recording was stopped, while only 192 KiB was used for inference. The analysis by cereblab, which investigates AI safety, showed that authentication information read by Grok was included unprocessed in the inference communication and also recorded in separate session-saving communications. Even when instructed to only reply without reading files, the tool uploaded a Git bundle containing the entire repository. The transmitted data was stored in a bucket called 'grok-code-session-traces' on Google Cloud Storage. The upload continued even with the setting to not use data for model improvement disabled.

For developers who have used Grok Build, the immediate concern is whether their repositories contained API keys, access tokens, or database passwords. If so, those credentials need to be revoked or reissued. Future use of the tool may require preparing a working repository that excludes confidential information and passing secrets via environment variables from a secret management service.

Synthesized by Yomimono from the 1 cited source below, including Japanese-language reporting where cited, then editorially reviewed before publishing.

Sources