Home Content News xAI Open Sources Grok Build After Repository Upload Controversy

xAI Open Sources Grok Build After Repository Upload Controversy

0
2
Elon Musk
Elon Musk

xAI has released its Grok Build coding agent as open source under the Apache 2.0 licence, allowing developers to inspect its code after a security controversy exposed covert repository uploads and raised concerns over data handling.

xAI has open-sourced its Grok Build terminal AI coding agent under the Apache 2.0 licence, publishing approximately 844,530 lines of Rust code on GitHub. The release enables developers to independently inspect the agent’s architecture and data-handling behaviour following controversy over undisclosed repository uploads.

The move comes after security researchers revealed that Grok Build uploaded developers’ complete Git repositories, including commit histories and potentially sensitive credentials such as API keys, SSH keys, cloud tokens and database passwords. Researchers also confirmed the upload infrastructure remains in the published source code, although it is currently disabled through a server-side configuration flag rather than being removed entirely.

The open-source release exposes the agent’s context assembly, tool-call dispatch, shell execution, plugin framework, MCP server support and subagent architecture, making its operation transparent for independent auditing.

Researchers found the upload mechanism transmitted Git bundles containing complete repository histories, contradicting xAI’s earlier claim that “nothing from your codebase” was sent to its servers. They also reported that disabling the “Improve the model” option or using the /privacy command did not stop uploads, which ceased only after xAI enabled a global server-side flag.

“Publishing the code is the most direct way to build toward a robust and reliable harness,” xAI said. “You can read the source to see exactly how it works, from context assembly to tool-call dispatch.”

While developers can now compile Grok Build and run it against self-hosted inference servers, xAI has yet to disclose the number of affected users, provide a deletion audit or publish a formal incident report.

LEAVE A REPLY

Please enter your comment!
Please enter your name here