Wednesday, July 15, 2026

News

Grok Build CLI Sent Entire Code Repositories to xAI's Servers Without Consent

CodingPatryk Raba
Fot. Gage Skidmore, Wikimedia Commons (CC BY-SA 4.0)

An independent researcher's analysis found that xAI's Grok Build tool (now SpaceXAI) was uploading entire Git repositories, including unredacted secrets and commit history, to Google Cloud without developers' knowledge. Elon Musk promised to delete all the collected data.

Contents
  1. What was discovered
  2. An unreliable privacy toggle
  3. xAI's response and Musk's promise
  4. What this means for developers

An AI coding tool from Elon Musk's company was supposed to guarantee that user code stayed on the developer's own machine. In reality, Grok Build CLI packaged entire Git repositories, including previously deleted secrets and .env files, and sent them without warning to Google Cloud servers controlled by xAI, now operating under the SpaceXAI brand.

What was discovered

Cereblab examined the network traffic generated by the CLI during a normal coding session. Instead of transmitting only the code fragments the model needed to produce a response, the tool packaged the entire working directory as a Git bundle and sent it in full, including files untracked by version control and the complete commit history.

It sends the entire repo, the content of every tracked file plus git history, regardless of what the agent actually reads - cereblab, author of the analysis

In practice, this meant secrets removed from a repository months earlier but still present in the commit history reached xAI unredacted. In one documented case, an entire user's directory, containing SSH keys and a password manager database, was uploaded to the company's servers.

An unreliable privacy toggle

The most troubling part of the discovery was that developers who had deliberately turned off the 'Improve the model' option, believing they were thereby protecting their code from being uploaded, did not actually stop the data transfer. That toggle controlled only consent to use the data for training future versions of the model, not whether files left the user's machine at all.

The 'Improve the model' toggle makes no difference, on or off, the entire repo goes out the same way - cereblab, author of the analysis

The upload mechanism was not documented in the tool's configuration materials and was enabled by default. xAI had previously marketed Grok Build with language suggesting that nothing from a user's code reached the company's servers during a session, a claim cereblab's analysis directly contradicted.

xAI's response and Musk's promise

After the post hit the front page of Hacker News on July 14, Elon Musk spoke out publicly, promising to delete all previously collected user data. The day after cereblab's analysis was published, he retested the same binary version of the tool and found that the repository uploads had stopped, the server began returning the disable_codebase_upload flag set to true.

As a precaution, all user data uploaded to SpaceXAI before now will be completely and irrevocably deleted. Absolutely nothing will remain - Elon Musk

Cereblab criticized how the fix was communicated, noting that the company implied the solution was an existing, manually invoked privacy command, when the actual fix was a quiet change to a global flag on the server side. The researcher stressed that developers shouldn't have to run an opt-out procedure themselves after every session just to keep their own code off someone else's servers. The company has not yet published a formal security advisory.

What this means for developers

For companies and independent developers using AI-based coding tools, the episode is a reminder that marketing claims about local processing are worth verifying independently rather than taking a vendor's word for it. Anyone who ran Grok Build on repositories containing real API keys, database passwords, or cloud access tokens should rotate them as soon as possible, regardless of what privacy settings were enabled at the time.

The case also feeds into a broader trend of growing distrust toward coding agents built on large language models, following earlier reports of hidden user tracking in other tools of this kind. Unlike those cases, this one was not about telemetry or location data but about the transfer of entire repository contents, including data developers believed had been safely purged from their project's history.

Share: