Skip to main content
TechnologyJul 13, 2026· 2 min read

Grok Sends .env Files and Plaintext Passwords to Its Servers, Even If You Never Opened Them

An independent and reproducible technical analysis has demonstrated that

Grok Build, the command-line client from xAI for assisted programming, sends content to the company’s servers that goes well beyond what is strictly necessary to respond to prompts. The intercepted network traffic using mitmproxy shows two distinct upload channels: one for the files actually read by the model, and the other for a snapshot of the entire repository, regardless of what the agent actually opened.

The first channel goes through the endpoint POST /v1/responses: here, without any redaction, the content of every file read during the session is sent, including a .env file with dummy credentials used as a marker. The same string then appears in a session archive uploaded via POST /v1/storage, accepted with an HTTP 200 response.

The second channel is more concerning: a test with the explicit prompt "respond OK, do not read any file" still resulted in the upload of the entire repository as a Git bundle, including the history. Cloning the captured archive retrieved a file never opened by the agent, with its unique marker intact, replicating the outcome on a second independent repository.

The test on 12 GB shows the gap between what the model reads and what is uploaded

To measure the scale of the phenomenon, the researcher built a repository of 12 GB of files never read by the model. The result: 5.10 GiB of data were transmitted to the storage endpoint in 73 blocks of about 75 MB each, all with a 200 response, before the capture was manually interrupted. During the same timeframe, the model channel moved only 192 KB: an approximate ratio of 27,800 times favoring the silent upload of code.

The destination of the data is a Google Cloud Storage bucket called grok-code-session-traces, identified both within the binary strings and in a metadata file captured during the upload, with paths in the format gs://grok-code-session-traces/. The mechanism, according to the analysis, is not described in the setup and quick-start documentation of the CLI referenced, and is active by default.

A detail complicates the picture further: disabling the "Improve the model" option in the account settings does not stop the upload. The response from the endpoint /v1/settings continues to return trace_upload_enabled: true and upload_enabled: true, with a declared limit of 1 GiB per single file. In practice, the opt-out concerns model training, not the transmission of code to remote storage.

The author of the investigation clarifies the boundaries of what has been demonstrated: the transmission and acceptance of data on the server side are proven by verifiable network artifacts, including the SHA-256 signatures of the captured files. It is not proven, however, that xAI uses this data to train its models, an issue that depends on internal policies not verifiable from the outside. The tests refer to version 0.2.93 of the client for macOS on Apple Silicon architecture, dating back to July 2026: xAI could modify the behavior of the CLI at any time.