What xAI's Grok Build CLI Actually Sends to xAI

jhoho 192 points 100 comments July 12, 2026
gist.github.com · View on Hacker News

Discussion Highlights (20 comments)

5701652400

haha so they just stealing entire codebases?

freakynit

"It uploads the whole repository — every tracked file's content plus git history — independent of what the agent reads" Holy cow!!!! I mean I kinda expected Elon would do something like this to try to catch-up.. but this is extremely concerning. This is precisely the reason, even though their pricing is competitive and grok-4.5 is actually good enough, I chose not to go with them.

jstanley

One reason to want to upload the entire codebase is that it allows them to have the model inspect the codebase during "thinking" without going back to the client to do real tool calls. It's not a really great reason, because what's the downside of going back to the client? But that's the best reason I can think of.

5701652400

will this endup in their "macrohard" (automate any business) project? will this endup in their "everything app"? guess you do not need to build "everything" yourself, when you can steal it.

looksjjhg

Do people really trust that guy or any service he owns?! Actually never mind I forgot there’s always fools in this world

rescbr

Now, where are the people afraid of the Chinese AI companies, who claim they are going to copy their very precious code...?

charcircuit

The simplest way to disable uploading your repo is disabling it in the config. [harness] disable_codebase_upload=true

gitgud

This is one of the reasons why native proprietary coding agent runners like claude-code, codex, grok-build etc are so dangerous for privacy… you just don’t know what “secret sauce” they’ll add in the next update… It’s much safer to use something like opencode and use models via their API… however, the tradeoff is that it will never perform as well as it does in their native agent runners…

jacobgold

With all the coding agent options, you're choosing to trust your computer, code, and business to whichever harness, model, and provider you pick. It's not a great state of affairs, but that's where we are. Choose wisely my friend.

j_bum

I wish a human would’ve written the overview. Nonetheless, this is disturbing.

rvz

Both Grok and Claude Code are malware. This is another reason to use open source harnesses and open weight local models.

culi

> It transmits the contents of files it reads — including a .env secrets file — to xAI, verbatim and unredacted. This has to be the most successful mass surveillance campaign of all time

dimgl

Grok Build has had impressive performance in a couple of my projects. And fast. So this revelation has been very disappointing... I will say, a majority of the code I'm writing now is fully through an online LLM. If a company wanted to reconstruct a project I'm working on, they could just replay all of the tool calls from their logs, if they decide to retain the data (I did this locally once to recover a project that I mistakenly clobbered in Git). Still, this is a big overstep IMO. At the very least, they should make it clear in their terms of service and privacy policy, and not hidden through legalese. Not all usage of Grok Build will be through their enterprise plan which offers ZDR.

phaseleza

I always separate the coding tools from LLM providers, and use bubblewrap to sandbox the coding tools so they: 1. Can only read the working project directory, with .git read-only and sensitive directories hidden (mounted as empty directories). 2. Have an isolated network namespace; they can only access the internet through an HTTP proxy hosted on a Unix socket, can only access specific LLM provider hostnames, and exclude the tool's own hostname. For example, with Crush, I will let it access *.openrouter.ai (LLM providers) but not *.charm.land (Crush's domain for auto-updating the LLM list). This makes me feel much more comfortable enabling "yolo" mode and letting the tools do everything.

higginsniggins

Friendly reminder: since Musk now owns Cursor, there are a bunch of really good open-source alternatives you can use.

JumpCrisscross

It still somewhat blows my mind that xAI is allowed to operate in Europe given e.g. GDPR et al . Closest I can come to is Musk is above the law even in the EU given his relationship to Trump.

treexs

To be fair, most coding agent cli's by the labs do this and are opt in by default, it's just this does too

drnick1

Claude gets its own UNIX account on my dev machine. I would never trust it not to read .ssh or other sensitive private information in my home directory or elsewhere. In view of this, I should probably go further and bubblewrap it to restrict /etc, /proc and other things it legitimately does not need to do its job. I already do that for programs such as Steam (and games therein) to mitigate the possibility that they may spy on me.

thejazzman

So xAI now has a "legal" copy of all of Tesla's code? Convenient. https://electrek.co/2026/07/10/musk-tells-tesla-staff-switch...

Geee

Isn't it assumed that the AI agent is allowed to read your files in the directory you launch the harness? Most agents read your code on the first prompt, including any secrets you have there, which you shouldn't have. Also the .env file is for local environment, and shouldn't contain any actual secrets. AI agents should be isolated from any actual secrets, because they can't be trusted to follow instructions. If you adjust your expectations, I think it's be better to upload the code to their servers instead of sending it through context over and over again.

Semantic search powered by Rivestack pgvector
14,015 stories · 131,331 chunks indexed