xAI open-sources Grok Build after file-upload controversy
The terminal coding agent is now on GitHub under Apache 2.0 after users said it sent sensitive local files to xAI’s cloud servers.
By Colin Brandt · Enterprise Reporter
· 3 min read
xAI has released the full source code for Grok Build, its terminal-based AI coding agent, after users found that the tool was uploading directory contents to xAI’s Google Cloud servers. Elon Musk said uploaded user data would be fully deleted, while xAI disabled the upload capability and moved the project to GitHub under the Apache 2.0 license.
The episode is a trust problem for a developer tool category that asks for unusually broad access to local machines. Coding agents routinely request permission to inspect repositories, execute commands and modify files. In this case, one user on X said the transfers included SSH keys, password databases, documents and photos, a list that would be highly sensitive for any developer environment. xAI has not disclosed how many users were affected or how much data was uploaded.
What xAI released
Grok Build is invoked from the command line with the grok command, according to xAI. The agent can read and change codebases, run shell commands, search the web and handle long-running tasks. It can be used interactively, run without a user interface for scripting and continuous integration workflows, or embedded in editors through the Agent Client Protocol.
xAI said the open-source release is meant to provide transparency. The company also said Grok Build can now run entirely on a local machine. The GitHub repository contains about 844,530 lines of Rust covering the agent loop, tools, terminal interface and an extension system for plugins and subagents. Code related to the upload function remains in the project but is disabled.
In a post on X, xAI said data storage has been off by default since July 12. That statement leaves open several questions that matter to technical buyers, including what the prior default behavior was, what retention policy applied before the change and whether enterprise users had different settings. Musk separately said all uploaded user data would be fully deleted.
Why the open-source move matters
Open-sourcing Grok Build gives developers and security teams a way to audit the agent’s behavior rather than relying only on xAI’s claims. The Apache 2.0 license also permits broad reuse, modification and distribution, which could make the tool more attractive to teams that want to inspect or adapt their coding agents.
The move does not by itself answer the operational questions created by the upload behavior. xAI has said the feature is disabled and that the tool can run locally, but it has not provided public figures on affected users, uploaded file volume or the exact timing of deletion. For founders and engineering leaders evaluating AI coding tools, the incident is a reminder that local file access and cloud processing are product design choices, not implementation details.
This story draws on original reporting from The Decoder.