Skip to main content

Grok Build by SpaceXAI Was Uploading Developers' Complete Code to the Cloud

Ilustrační obrázek
The AI programming tool Grok Build by SpaceXAI (formerly xAI) was uploading developers' entire Git repositories to Google Cloud Storage — including files it was supposed to ignore and secret keys long since deleted from history. The issue was flagged by the independent researcher behind the Cereblab project, who captured the CLI tool's traffic on the wire and reconstructed the data retroactively. Elon Musk promises complete deletion of all data, but the incident raises fundamental questions about the trustworthiness of AI tools we let into our code.

What exactly happened: The entire repository on a third-party server

On Monday, July 13, 2026, the independent security project Cereblab published a detailed analysis of the behavior of the Grok Build CLI tool by SpaceXAI. The researcher captured all network communication of the tool using mitmproxy and discovered something shocking: Grok Build was sending a complete git bundle to Google Cloud Storage (gs://grok-code-session-traces) — that is, a packaged copy of the entire repository including the full git history. The most disturbing part of the finding is that the upload occurred even when the researcher gave the tool a completely neutral prompt: "reply OK, do not open any files". Grok Build nonetheless sent the complete code bundle to the server. The data also included files the tool was supposed to explicitly ignore, including .env files with API keys and passwords that had been deleted from history months earlier.

Proof on the wire: 269 blobs, 219 MB

Cereblab reproduced its finding on two different codebases, and other researchers independently confirmed it on their own private repositories — in one case involving 269 blobs totaling 219 MB in size. The captured data could be fully reconstructed to its original form using git clone. The Grok Build CLI binary version 0.2.93 (SHA-256 2a97ba67…d767c) was sending an HTTP POST request to the /v1/storage endpoint with the complete git bundle in the response body.

How much more data Grok collected compared to competitors

Cereblab conducted a comparison with competing AI programming tools, and the difference is enormous:
Tool What it sends to the server
Claude Code Only files it opens (reads)
OpenAI Codex Only files it opens (reads)
Google Gemini CLI Only files it opens (reads)
Grok Build Entire repository + complete git history
While Claude Code by Anthropic, OpenAI Codex, and Google's Gemini send only the files they actually work with to their servers, Grok Build sent everything. And it wasn't just the current version of the code — it sent the entire git history, meaning files and secrets that developers had deleted in the past precisely because they shouldn't have been there.

SpaceXAI and Elon Musk's response: Promises versus reality

SpaceXAI responded to the revelation in two ways. Initially, the company stated on X that users could use the /privacy command to disable data retention. However — as Cereblab pointed out — /privacy is merely a server-side retention toggle, not an off switch for the upload itself. Data from your computer was still being sent even after activating this toggle; the server just didn't store it afterward. Elon Musk wrote in response to the incident that all previously uploaded data will be "completely and utterly deleted". In another post, he added that "privacy settings are always respected", but at the same time asked users to allow SpaceXAI to retain data — claiming it's "useful for debugging".

What actually stopped the upload: a silent global switch

Cereblab's key finding is that the upload was stopped by a server-side flag disable_codebase_upload: true, which SpaceXAI quietly activated on July 13. So it wasn't a client-side fix — users didn't need to update anything. SpaceXAI simply disabled the feature on the server. At the same time, the company released a new CLI version (0.2.99) that adds the /privacy opt-out command and changes the default upload setting to off.

Security expert warns: "Excessive data retention"

Dr. Lukasz Olejnik, an independent security researcher from King's College London, confirmed to The Verge that the scope of data collection by Grok Build was "excessive". According to Olejnik, the data at risk could include "proprietary source code, information about security vulnerabilities, personal data, infrastructure details, and login credentials". This is a critical warning not only for individual developers but especially for companies deploying AI tools into their development workflows. If a developer working on a banking system or healthcare software ran Grok Build, they could have unknowingly sent sensitive data to third-party servers.

What it means for European and Czech developers

For developers in the Czech Republic and across the European Union, this incident carries special significance. GDPR requires organizations to maintain control over where data goes — and that includes source code if it contains personal data (such as names in configurations, email addresses in test data, or API keys linked to specific accounts). SpaceXAI primarily operates its servers in the US, and data sent to Google Cloud Storage could have been stored anywhere in the world. For European companies, this means potential violation of cross-border data transfer rules. Even though Grok Build was likely used by fewer developers in Czechia than Claude Code or GitHub Copilot, the principle is universal: before deploying any AI tool into a corporate workflow, it is essential to verify what data it sends.

Broader context: How far does trust in AI tools go

The Grok Build incident comes at a time when AI programming tools are experiencing rocket growth. According to the latest data, over 70% of professional developers use some form of AI assistant in their work. Companies like Anthropic, OpenAI, Google, and Microsoft are investing billions into developing agentic AI that doesn't just advise but directly writes, tests, and deploys code. But the more permissions we grant these tools, the greater the risk. Grok Build isn't the first case — concerns have previously arisen about GitHub Copilot and training on private repositories, and security firms like Snyk warn about "agentjacking" — attacks where an attacker tricks an AI agent into running malicious code. The Grok Build case, however, is specific in that it wasn't a bug or third-party exploitation — it was intentional design. SpaceXAI simply designed the tool to send complete code to its servers. Until Cereblab's analysis was published, this was never transparently communicated anywhere.

Practical recommendations for developers

If you use (or have used) Grok Build, you should:
  • Check whether your repository contained sensitive data that could have leaked
  • Rotate all API keys and tokens that were in the codebase (including git history)
  • Update Grok Build CLI to version 0.2.99 or newer
  • Consider choosing a tool with a more transparent data handling policy for corporate development (e.g., Claude Code or Codex)

A lesson for the entire industry

The Grok Build case shows that the AI programming tools market needs clearer standards. Developers should never have to retroactively figure out what their tools are sending to the server — this information should be transparent, verifiable, and minimal by default. At the same time, the Cereblab project, run by a single independent researcher, demonstrates the importance of community oversight over AI tools. Without their work, developers around the world would continue unknowingly sending their code to SpaceXAI's servers.

Was Grok Build the only AI tool that did something like this?

According to available information, yes — in such an extreme form. Claude Code, OpenAI Codex, and Google Gemini CLI only send files they actually read or modify. None of these tools blindly send the entire repository including git history. Grok Build was an exception in this regard, which is also confirmed by Cereblab's comparative analysis.

How can I find out if my AI tool is sending sensitive data?

The most reliable method is to capture and analyze the tool's network traffic using a proxy tool such as mitmproxy, Wireshark, or Charles Proxy. Alternatively, you can monitor DNS queries and outgoing connections using firewall logs. For the average developer, however, the most practical approach is to rely on independent audits (like the one from Cereblab) and the manufacturer's official documentation — and always verify that the tool has a clearly defined data retention policy.

Could a similar incident happen with other AI tools?

Yes, the risk always exists. AI tools are complex software, and every update can change what data they send. Manufacturers can also modify their terms of service at any time. We recommend following independent security projects like Cereblab and conducting your own network traffic audits when deploying AI tools in a corporate environment.

X

Don't miss out!

Subscribe for the latest news and updates.