Verifying the Grok Build CLI Repository-Upload Claim
Security researcher cereblab reported that Grok Build CLI v0.2.93 uploads an entire code repository, together with its full git history, to xAI cloud storage. Analysts used AVL Code to statically analyze the offline installer for that version, checking the claim against the code inside the client binary item by item.
Built with AVL Code + the Landi model
Overview
The claim came from cereblab: Grok Build CLI v0.2.93 bundles up the whole repository and ships it to xAI. All we had was a 42.8 MB offline installer — no source code. Analysts ran the verification on AVL Code with two agents in parallel: one pulled the cereblab reproduction repository and its public packet-capture evidence, the other unpacked the sample and ran entropy analysis, string/IOC extraction and ELF parsing. Cross-checking the two sides took about 20 minutes, from sample fingerprint to taint path. The verdict: every part of the upload chain is present in the client binary — the grok-code-session-traces bucket, the POST /v1/storage endpoint, upload switches independent of the model channel, the devstorage.full_control credential scope and git bundle packaging all line up. The boundary is stated just as plainly: static analysis proves the capability exists; proving it actually ran still rests on the cereblab live captures.
Key results
- Checked 8 public claims one by one — 6 matched the code in the sample, while 2 were labeled honestly as "partly inferable" and "dependent on external dynamic evidence"
- Located the full upload chain inside the client binary: the grok-code-session-traces bucket, the POST /v1/storage endpoint, the GROK_TRACE_UPLOAD_* switches and the devstorage.full_control credential scope
- Reconstructed the workspace → git bundle → GCS taint path, exposing the mismatch where a read denial (--deny) fails to keep a file out of the bundle
- Two agents in parallel finished the verification in about 20 minutes from a single 42.8 MB offline installer, with the sample analyzed inside a read-only sandbox throughout
Technical highlights
Practical value
Gives enterprises a reviewable method for assessing the data boundary of closed-source AI coding tools: with only an installer and no source code, it can still answer whether the upload mechanism is present in the binary. The workflow is reusable for supply-chain verification of any closed-source client — pulling a claim back to the sample and the evidence, and leaving a traceable comparison between allegation and proof rather than stopping at hearsay.
Artifacts
Session replays & reports are original records in Simplified Chinese · Built with AVL Code + the Landi model
