#013 · Supply-Chain Verification

Verifying the Grok Build CLI Repository-Upload Claim

Security researcher cereblab reported that Grok Build CLI v0.2.93 uploads an entire code repository, together with its full git history, to xAI cloud storage. Analysts used AVL Code to statically analyze the offline installer for that version, checking the claim against the code inside the client binary item by item.

Built with AVL Code + the Landi model

Grok Build CLISupply-Chain VerificationData ExfiltrationTaint AnalysisStatic Analysis

Overview

The claim came from cereblab: Grok Build CLI v0.2.93 bundles up the whole repository and ships it to xAI. All we had was a 42.8 MB offline installer — no source code. Analysts ran the verification on AVL Code with two agents in parallel: one pulled the cereblab reproduction repository and its public packet-capture evidence, the other unpacked the sample and ran entropy analysis, string/IOC extraction and ELF parsing. Cross-checking the two sides took about 20 minutes, from sample fingerprint to taint path. The verdict: every part of the upload chain is present in the client binary — the grok-code-session-traces bucket, the POST /v1/storage endpoint, upload switches independent of the model channel, the devstorage.full_control credential scope and git bundle packaging all line up. The boundary is stated just as plainly: static analysis proves the capability exists; proving it actually ran still rests on the cereblab live captures.

Key results

  • Checked 8 public claims one by one — 6 matched the code in the sample, while 2 were labeled honestly as "partly inferable" and "dependent on external dynamic evidence"
  • Located the full upload chain inside the client binary: the grok-code-session-traces bucket, the POST /v1/storage endpoint, the GROK_TRACE_UPLOAD_* switches and the devstorage.full_control credential scope
  • Reconstructed the workspace → git bundle → GCS taint path, exposing the mismatch where a read denial (--deny) fails to keep a file out of the bundle
  • Two agents in parallel finished the verification in about 20 minutes from a single 42.8 MB offline installer, with the sample analyzed inside a read-only sandbox throughout

Technical highlights

Two agents in parallel (external evidence gathering + static sample analysis)Entropy check confirming correct decompression (7.999 → 6.24)String and IOC extraction to locate the upload chainTaint source / propagation path / sink modelingRead-only sample sandbox that refused command execution in the sample directoryClear separation of static and dynamic evidence

Practical value

Gives enterprises a reviewable method for assessing the data boundary of closed-source AI coding tools: with only an installer and no source code, it can still answer whether the upload mechanism is present in the binary. The workflow is reusable for supply-chain verification of any closed-source client — pulling a claim back to the sample and the evidence, and leaving a traceable comparison between allegation and proof rather than stopping at hearsay.

Artifacts

Session replays & reports are original records in Simplified Chinese · Built with AVL Code + the Landi model