What your AI coding CLI actually sends: the Grok case and the paradox in reverse

A wire-level analysis of xAI's coding CLI (grok) documents the upload of the entire repository and .env files to an xAI cloud bucket, even with 'improve the model' turned off. Together with the footprint of desktop agents and the 'reverse information paradox', it is a reminder that the code you give a cloud AI leaves your perimeter. The answer: sovereignty and governance.

AICybersecurityGovernanceAI CodingGrokxAIData ExfiltrationTelemetryAI GovernanceAI SovereigntyOn-PremiseAdminaPrivacy

The code you give an AI leaves your perimeter

When you connect a cloud coding agent to your repository, you are giving it access to your code. The operational question, which almost no one asks, is: what actually leaves your machine, and where does it end up? Two documents from mid-July 2026 try to answer concretely, and the answer deserves attention.

Note. This article reports third-party analyses and reports (independent researchers and news outlets), not technical verification carried out by noze. The situations described are evolving: where known, we note the vendors’ responses. Figures, endpoints and behaviours refer to the versions and dates indicated and may already have changed.

The Grok case: whole repository and secrets uploaded

The first is a wire-level analysis of xAI’s coding CLI (grok), published by independent researcher @cereblab. Intercepting traffic with mitmproxy and canary markers, the analysis documents that, on a normal consumer login, the CLI does three things worth knowing precisely.

First, it transmits the contents of the files it reads, including a .env file with keys and secrets, to xAI verbatim and unredacted, over two channels: the model turn (POST /v1/responses) and an uploaded archive (POST /v1/storage, which returns HTTP 200).

Second, and this is the point, it uploads the whole repository (every tracked file plus git history) as a git bundle, independent of what the agent reads. In the cited test, on a 12 GB repo of random files with an explicit instruction to read nothing, the model channel (/v1/responses) moved about 192 KB, while the storage channel moved 5.10 GiB: a ratio of roughly 27,800×. A placeholder file (src/_probe/never_read_canary.txt), which the agent had been told not to open, was recovered verbatim from the captured git bundle.

Third, the destination is a Google Cloud Storage bucket named grok-code-session-traces. And the detail that closes the loop: turning off the “improve the model” setting does not stop the upload, because the settings endpoint keeps reporting trace_upload_enabled: true.

The analysis (of version grok 0.2.93) has a stated methodology (TLS interception with mitmproxy, canary markers, SHA-256-verified git bundles) and was picked up by numerous industry outlets. After publication, xAI disabled the upload server-side and introduced a disable_codebase_upload option in the CLI, but so far there is no formal public statement about the incident. Either way, the direction is unambiguous: your code, and potentially your secrets, leave the machine even when you think you said no.

The hidden footprint of desktop agents

There is a second axis, different in kind but revealing: the footprint of these tools. In OpenAI Codex’s case, several outlets (among them The Register) documented a logging bug that wrote enormous amounts to the SSD: a TRACE-level SQLite log (~/.codex/logs_2.sqlite) that, in one measurement, produced about 37 TB in 21 days, on the order of 640 TB per year, enough to erode the write endurance (TBW) of a consumer SSD in under a year. OpenAI has since fixed the behaviour, with fixes in the 0.142.x line cutting writes by around 85%. Some reports also mention high network usage (on the order of 150 GB per month) tied to persistent WebSockets and cloud sandboxes, with lighter CLIs at comparable token counts: figures to take with more caution, but consistent with a simple principle. A desktop agent can have far more network and disk activity than the interface suggests. Here the issue is a fixed defect, not exfiltration, but the lesson is the same: what the agent does under the hood is rarely visible.

The information paradox, in reverse

There is an elegant way to frame all this: the reverse information paradox, a phrase coined by Satya Nadella (Microsoft’s CEO) in July 2026 and picked up in various commentary, including an essay on sn scratchpad. Arrow’s classic paradox is about the seller of information, who risks giving it away in order to sell it. In the AI era the problem flips onto the buyer: to really use these systems you have to reveal your proprietary knowledge. As the essay puts it, “you pay for intelligence twice, once with money, and again with something even more valuable, the proprietary knowledge you must reveal”. Prompts, code, corrections and workflows become exhaust that flows in one direction only, toward whoever owns the infrastructure.

What we think

The Grok case makes concrete what usually stays invisible, but the theme is not about one vendor: any cloud coding agent ships your code to infrastructure you do not control, under rules that can change and with options that, as we have seen, do not always do what they promise. For anyone building critical software, or simply caring about their secrets, that is a risk to weigh.

Our answer is architectural, and it has two legs. The first is to own the operational floor: open-weight models running locally, where the code never leaves the perimeter. This is no longer science fiction, as we have covered in DwarfStar 4, colibri, GLM 5.2 and, on agentic coding specifically, Ornith 1.0: an open model that matches the closed frontier and runs on your hardware removes the exfiltration problem at the root.

The second is to govern the stack when a remote model is genuinely needed. That is exactly what Admina does: a control plane that brings an audit trail of every AI interaction, redaction of PII and secrets, and bidirectional ALLOW/BLOCK/REDACT policies on any model, local or remote. It is the layer that intercepts a .env about to leave, rather than discovering it in someone else’s bucket months later. The lesson of “toggle off but upload still on” is precisely this: you cannot delegate control to a vendor switch, you need your own.

It is the sense of Open Intelligence, Secure Governance, and the same logic by which we treat the closed frontier as technology someone else can filter or switch off (the Fable 5 case, GPT-5.6 Sol). AI coding tools are by now too useful to give up and too indiscreet to use blindly. The way out is not to switch them off: it is to own and govern them.

Sources

Need support?Under attack?Service Status
Need support?Under attack?Service Status