SpaceXAI’s Grok Build AI coding tool was discovered uploading users’ entire codebases to Google Cloud before the company disabled the function following reports. Findings published by Cereblab on Monday revealed that the Grok Build CLI was packaging and uploading entire code repositories, including files it was explicitly told not to access and secrets that had been deleted from history.

Excessive Data Retention Concerns

The scale of this data collection significantly exceeds that of similar tools like Claude Code. Dr. Lukasz Olejnik, an independent security researcher at King’s College London, described the level of data retention as "excessive." He noted that the potentially exposed data could include proprietary source code, security vulnerabilities, personal information, infrastructure details, and login credentials.

Response from SpaceXAI and Elon Musk

Following the discovery, SpaceXAI’s servers began returning a "disable_codebase_upload: true" flag, effectively halting the automatic uploads. Elon Musk addressed the incident on X, claiming that all previously uploaded data would be "completely and utterly deleted." While Musk insisted that "privacy settings are always respected," he simultaneously encouraged users to allow data retention, citing its usefulness for debugging issues.

A point of contention remains regarding the tool's privacy controls. SpaceXAI initially suggested that users could use the "/privacy" command to disable retention. However, Cereblab countered that this command is merely a per-session toggle and does not represent the actual fix that stopped the mass codebase uploads.