xAI's Grok CLI Was Silently Uploading Your Entire Codebase. Here's What Happened.
If you've ever run a coding agent on a real project, you've implicitly trusted it with everything in that folder โ your source code, your .env files, sometimes your API keys. This week, that trust got tested. Security researchers found that xAI's official Grok CLI (the @xai-official/grok npm package, version 0.2.93) was quietly packaging up entire working directories and shipping them off to xAI's own infrastructure, no matter what you actually asked it to do.
Here's what was actually happening, and why it matters even if you've never touched Grok CLI.
The Discovery
A researcher testing the tool noticed something odd: even when they asked Grok CLI to reply with a single word โ nothing more โ the tool still generated two files behind the scenes, before_codebase.tar.gz and after_codebase.tar.gz. Both were snapshots of the current working directory, compressed and shipped through a separate upload channel to a Google Cloud storage bucket controlled by xAI.
This wasn't tied to any specific command or feature. It happened before and after essentially every task, regardless of what the task was.
It Wasn't Just Code
The part that made this a real security incident, not just an odd design choice, was what got swept up in the archive. The upload wasn't scoped to the project folder โ it also grabbed files sitting outside the repo, including a user's ~/.claude.json, Claude Code configuration files, global agent rule files, more than 30 skill files, and in at least one case, a live API key.
In other words: running Grok CLI on your machine meant xAI potentially had a copy of your other AI tools' configs and credentials, not just the project you pointed it at.
xAI's Response
Once this went public in the early hours of July 13, xAI moved fast โ at least on the surface. They added a server-side remote switch, a new disable_codebase_upload field, that turns the behavior off. But the catch is important: this upload was on by default before the fix, meaning every user who installed and ran the CLI prior to the patch had this happening without opting in or being told.
There's no public explanation yet for why the upload existed in the first place โ whether it was meant for debugging, training data collection, or something else. That ambiguity is itself part of the problem: users had no way to know what the data was being used for.
Why This Should Worry Anyone Using Coding Agents
This isn't really a story about Grok specifically โ it's a preview of a category of risk that's going to keep showing up as coding agents get more capable and more widely adopted. These tools run with broad filesystem access almost by necessity: an agent that can't read your files can't help you write code. The problem is that "broad access" and "silent exfiltration to the vendor's own servers" are two very different things, and from the outside, a user often can't tell which one they're getting.
The lesson isn't "don't use AI coding agents." It's that the permission model matters as much as the model's intelligence. A tool that can read your entire filesystem should be transparent about exactly what leaves your machine, when, and why โ and that should be opt-in, not a silent default buried in a background upload path.
What This Means If You Use OpenClaw
OpenClaw runs your agent's tools locally and doesn't quietly package up your working directory to phone home. When your agent reads files or uses a tool, that's the action you asked for โ not a side channel bundling unrelated config files and credentials into an archive you never see.
That distinction matters more with every story like this one. As agents get access to more of your machine โ your code, your keys, your other tools' settings โ the question of who's watching what leaves your filesystem stops being an implementation detail and becomes the whole ballgame. It's worth asking that question of every agent you run, not just the ones that get caught.
The Bigger Picture
Coding agents are only going to get more embedded in how people work โ that part isn't in question. What is still an open question is which vendors treat your filesystem as something to respect, and which treat it as free data to collect. This week, one major AI lab got caught doing the latter, quietly, by default, for months.
If you want to see what a coding agent looks like when it's not working against you, that's worth trying for yourself.