xAI has open-sourced Grok Build, its terminal coding agent, releasing about 844,530 lines of Rust to GitHub under the Apache 2.0 license, a move made to rebuild trust after the same tool was caught quietly uploading users' entire code repositories to xAI's servers. The twist is what open-sourcing revealed rather than removed. Security researchers say the code that performed those uploads is still in the released software, switched off by a server-side flag rather than taken out.

The behavior came to light when a researcher traced what Grok Build sent home during a normal session. Alongside the expected model traffic of roughly 192 kilobytes, the tool opened a second channel that uploaded about 5.10 gigabytes of data in 73 chunks of roughly 75 megabytes each, close to 27,800 times more than the coding task required. It was not sending only the files it needed to read, it was shipping whole Git repositories, full commit history included, to a Google Cloud Storage bucket run by xAI. In one test a tracked .env file went up unredacted, canary API keys and database passwords and all, and users reported SSH keys, password databases, documents, and photos being swept along with the code.

xAI moved fast once the finding spread. Elon Musk said all uploaded user data would be deleted, the company disabled the upload feature, which it says has been off by default since July 12, and then it published the full source code, presenting the open release as a way to let anyone audit the tool and run it entirely locally. On its face it is the textbook response to a trust breach, show the code, kill the feature, delete the data.

The catch is in the details researchers flagged after reading that code. The upload machinery has not been removed, it is still present in the binary and held back only by a server-side configuration flag, which means xAI could turn it back on without shipping a single update or asking anyone. Open-sourcing made the mechanism visible, it did not make it gone, and a switch the vendor controls is a different kind of assurance than code that is not there at all.

The episode is a sharp lesson about the new class of coding agents that live in your terminal with deep access to your filesystem, your keys, and your secrets. The convenience of a tool that can read your whole project is inseparable from the risk of a tool that can send your whole project somewhere else, and the line between the two can be a configuration value you never see. Open-sourcing helps, because thousands of eyes on 844,530 lines is how the flag got found in the first place. But the real takeaway is that trusting an agent with your codebase now means trusting whoever can flip its switches, and this time the switch is still there.