SpaceXAI’s Grok Build AI coding tool was found uploading users’ entire codebases to Google Cloud storage prior to its discovery, prompting the company to disable the feature. According to The Register, Cereblab released findings on Monday revealing that the Grok Build CLI was packaging and transmitting full code repositories—including files marked as private and previously deleted secrets—to external servers, a practice that exceeded the data retention levels of comparable tools like Claude Code.
Independent security researchers confirmed that tests conducted on Monday demonstrated SpaceXAI’s servers now return a “disable_codebase_upload: true” flag, effectively halting unauthorized data uploads.
Elon Musk addressed the incident on X, pledging that all previously uploaded data will be “completely and utterly deleted.” He also emphasized that privacy settings are “always respected” but requested users permit SpaceXAI to retain their data for diagnostic purposes, citing its utility in “debugging issues.”
Dr. Lukasz Olejnik, a security researcher at King’s College London, confirmed to The Verge that the data retention scope constitutes an “excessive” risk, potentially exposing proprietary source code, vulnerability details, personal information, infrastructure configurations, and stored credentials.
SpaceXAI initially acknowledged the issue in a statement, asserting that users who disabled data retention can invoke the CLI’s “/privacy” command to prevent uploads and erase prior synced data. However, Cereblab clarified that this command functions as a per-session toggle and was not the primary mechanism responsible for disabling the upload process.
Also Read
- Physicists Crack the ‘Feynman Sprinkler’ Mystery After Decades of Debate
- Meta Adds $40 Billion to Louisiana AI Campus, Pushing Total Investment Past $250 Billion Amid Growing Scrutiny
- NASA’s Aircraft Repainted in Patriotic Colors for 250th Anniversary Celebrations
- Spotify Rolls Out AI Chat Feature in Mobile App

