Threat assessment: high.
SpaceXAI’s Grok Build, the company’s AI coding CLI, was quietly packaging up users’ entire code repositories and shipping them to Google Cloud. The Verge AI reports that security outfit Cereblab published the findings on Monday, and SpaceXAI switched the behavior off only after the report landed. The upload included files the tool was explicitly told not to open, and secrets developers had already scrubbed from their git history.
Read that again. Files it was told not to open. Secrets deleted from history.
What happened
- Cereblab tested the Grok Build CLI and found it bundling whole codebases for upload.
- The scope went well past comparable tools. According to The Verge AI, the retention was “significantly more” than what something like Claude Code does.
- As of Monday, Cereblab’s tests show SpaceXAI’s servers returning a
disable_codebase_upload: trueflag. The upload “no longer fires.” - Elon Musk posted on X that everything Grok Build previously uploaded will be “completely and utterly deleted.”
- Musk also said “privacy settings are always respected,” while asking users to let SpaceXAI retain their data because it’s “helpful for debugging issues.”
Why this matters
Dr. Lukasz Olejnik, an independent security researcher at King’s College London, told The Verge that this level of retention is “excessive.” His list of what could be sitting in that data: “proprietary source code, information about security vulnerabilities, personal data, infrastructure details, and credentials.”
That’s the whole problem in one sentence. A codebase isn’t just code. It’s your architecture, your unpatched bugs, your API keys, your customer data schemas. Send all of it to a third party and you’ve handed over a map of every way into your systems.
What stands out here is the ignored-files part. When you tell a tool to skip a directory, you’re drawing a boundary. Grok Build crossed it. That’s not a retention policy question, that’s a trust question.
The response, and the hole in it
SpaceXAI’s first public answer pointed users at the /privacy command in the CLI. Cereblab pushed back hard: “/privacy is a per-session retention toggle, not the switch that fixed this, so it shouldn’t be pointed to as the control.”
Translation: the company pointed at a lever that wasn’t connected to the thing that broke. The actual fix was a server-side flag flipped after researchers went public.
Tactical response
- Rotate credentials. If you ran Grok Build against a work repo, cycle every key and token that lived in it. Don’t wait for the deletion promise to be verified.
- Audit your CLI tools. Know which AI assistants have shell access on your machines and what each one uploads by default.
- Check defaults, not settings pages. Zero data retention off by default is a completely different product than zero data retention on by default.
- Treat “we deleted it” as a claim. There’s no independent audit attached to it.
The bigger pattern
AI coding assistants need context to be useful. That’s the deal you make. But there’s a wide gap between “read the files I’m working on” and “sync my repository to your servers,” and the industry has been quietly widening it. More context means better output. Better output wins benchmarks and users.
This one got caught because researchers went looking. Most tools don’t get looked at.
Expect pressure on every vendor in this category to publish exactly what leaves your machine, when it leaves, and how long it’s kept. Expect enterprise buyers to start demanding that in writing before signing anything. The vendors that can answer clearly will take the accounts that matter. The ones that point at the wrong toggle won’t.
Full details are in the original report at The Verge AI.