SpaceXAI Grok Build Uploaded Users’ Codebases to Cloud: What Happened?

SpaceXAI disabled Grok Build's automatic codebase uploads after researchers found it was sending entire repositories to Google Cloud, raising privacy concerns.

SpaceXAI Grok Build Uploaded Users’ Codebases to Cloud: What Happened?

SpaceXAI has disabled a behavior in its Grok Build AI coding tool after researchers discovered it was uploading users’ complete code repositories to Google Cloud. The issue has raised fresh concerns about privacy, data security, and transparency in AI-powered coding assistants, particularly for developers working with sensitive or proprietary code.

According to a report from The Register, security researchers at Cereblab found that the Grok Build CLI was packaging and uploading entire project repositories, including files it had been instructed not to access and secrets that had already been removed from repository history. The researchers noted that the amount of data being retained appeared to be significantly greater than what similar AI coding tools typically collect.


Researchers Found Complete Code Repositories Were Being Uploaded

During their investigation, Cereblab observed that Grok Build automatically synchronized much more than the files necessary to provide coding assistance. Their findings suggested that complete repositories—including ignored files and previously deleted secrets—were being prepared and uploaded to Google’s cloud infrastructure.

This behavior differs from the expectations many developers have when using AI coding assistants, where only relevant project context is generally expected to be shared with cloud services.

As of Monday, the researchers reported that SpaceXAI’s servers began returning a disable_codebase_upload: true flag. After this change was introduced, the automatic codebase upload process no longer appeared to run.


Elon Musk Responds to the Incident

Following public reports about the issue, Elon Musk addressed the situation on X (formerly Twitter). He stated that all data previously uploaded through Grok Build would be “completely and utterly deleted.”

In a separate post, Musk also said that users’ privacy preferences are always respected. At the same time, he encouraged users to allow SpaceXAI to retain certain diagnostic data, explaining that it helps engineers investigate bugs and improve the overall reliability of the platform.


Security Experts Call the Data Collection Excessive

Dr. Lukasz Olejnik, an independent security researcher affiliated with King’s College London, told Wegsa collecting this amount of information is “excessive.”

According to Olejnik, the types of information that could potentially be exposed include:

  • Proprietary source code
  • Security vulnerabilities
  • Infrastructure configurations
  • Personal information
  • API keys and credentials

For companies building commercial software, exposure of this information could introduce unnecessary privacy and security risks.


Why This Matters for Developers

AI-powered coding assistants have become increasingly popular among software developers because they can speed up development, generate code, explain complex functions, and automate repetitive tasks. However, these tools often require access to project files to provide useful suggestions.

Developers generally expect transparency regarding exactly what information leaves their local machine. When complete repositories or sensitive project files are uploaded without clear expectations, organizations may face compliance, confidentiality, and intellectual property concerns.

Businesses working with customer information, financial systems, healthcare applications, or proprietary software should carefully review the privacy policies and data retention practices of any AI coding platform before integrating it into their workflow.


SpaceXAI’s Initial Response

Before the upload behavior was disabled, SpaceXAI stated that users could run the /privacy command within the CLI to disable data retention and delete previously synchronized data.

However, Cereblab later clarified that the /privacy command only functions as a per-session data retention setting. According to the researchers, it was not the mechanism responsible for stopping the automatic codebase uploads and therefore should not be considered the actual fix.


Growing Focus on AI Privacy and Transparency

The incident highlights a broader conversation around AI development tools and data privacy. As more developers rely on cloud-based AI assistants, transparency about what information is collected, stored, and processed becomes increasingly important.

Major AI companies continue to update their privacy practices as adoption grows, and users are encouraged to review documentation before connecting sensitive projects to cloud-powered coding assistants.

For developers looking to understand best practices around secure coding and software supply chain security, resources from the OWASP Foundation and the National Institute of Standards and Technology (NIST) provide valuable guidance.


Final Thoughts

Although SpaceXAI has disabled the automatic codebase upload behavior and stated that previously uploaded information will be deleted, the incident serves as an important reminder that developers should understand exactly how AI coding tools handle their data.

As AI becomes an integral part of modern software development, privacy, transparency, and user control will remain key factors in determining which platforms developers ultimately trust.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *