Why Grok Build Uploaded My Entire Repository to the Cloud—and How Musk Plans to Fix It

A Cereblab investigation reveals that SpaceXAI's Grok Build CLI silently uploads whole codebases—including API keys and deleted files—to Google Cloud Storage, far exceeding the data needed for coding tasks, prompting Musk to promise a full data purge and new privacy controls.

21CTO
21CTO
21CTO
Why Grok Build Uploaded My Entire Repository to the Cloud—and How Musk Plans to Fix It

AI security research group Cereblab published a report on SpaceXAI's Grok Build command‑line interface (CLI), showing that the tool reads or processes files and transmits their unedited contents directly to a Google Cloud Storage bucket used by SpaceXAI.

The report states that Grok Build packages the entire repository as a Git bundle and uploads it, unlike other AI coding assistants such as Claude Code, Gemini or Codex, which open only the specific file requested.

This behavior exposes proprietary source code, API keys, SSH keys, password‑manager databases and other sensitive data, often without the user’s awareness.

Researchers tested the CLI with a harmless prompt that instructed it to reply “OK” and explicitly not to open any files. Despite this, Grok Build still uploaded the full repository, including its complete Git history and previously deleted keys. Developer Peter Dedene reproduced the issue using Grok Build CLI v0.2.93 and a mitmproxy network capture; the upload switch was controlled server‑side, not via a client update.

Additional reports from developers such as Vietnamese programmer Tinh Dang described rapid disk‑space consumption and confirmed that even when told not to read files, Grok Build sent the entire codebase. Compared with Claude Code, which edits files before transmission, Grok Build showed no such safeguards.

One test measured 5.1 GB of uploaded data for a coding task that required only 192 KB—approximately 26,000 times more data than necessary.

In response, SpaceXAI executives and Elon Musk publicly acknowledged the findings and announced remediation. The CLI now includes a disable_codebase_upload flag (set to “true”) that stops full‑repo transmission, and a /privacy command that disables zero‑data‑retention (ZDR) and deletes previously synced data.

Musk pledged that all user data uploaded before the fix will be permanently deleted, assuring that no traces remain.

The incident places SpaceXAI among AI companies facing scrutiny over data collection and retention practices, with open questions about the number of affected users, affected versions, retention periods, and verification of data deletion.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

CLIsecuritydata privacySpaceXAIGrok Buildcodebase uploadzero data retention
21CTO
Written by

21CTO

21CTO (21CTO.com) offers developers community, training, and services, making it your go‑to learning and service platform.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.