Elon Musk has pledged to delete all user data previously gathered by Grok Build after researchers revealed the CLI uploaded entire code repositories and sensitive files to cloud storage without proper safeguards.

  • Grok Build uploaded full user repos and Git histories to Google Cloud.
  • SpaceXAI disabled complete repo uploads with a server-side flag.
  • Musk pledged complete deletion of all previously uploaded user data.

What happened

Security researcher Cereblab discovered that Grok Build, SpaceXAI's CLI tool, automatically uploaded entire user code repositories, including full Git history and sensitive information such as deleted secrets and private keys, to a Google Cloud storage bucket. This behavior occurred even when users specified minimal or innocuous prompts, which means sensitive user data was transmitted without proper user consent or redaction.

The findings were confirmed by multiple reports from affected users who observed the tool uploading even entire user directories containing SSH keys and password databases. SpaceXAI's data retention practices were notably more extensive than similar competitor products like Claude Code and Gemini, which upload only specific files rather than entire repositories.

Why it matters

Uploading complete user repositories including private keys and sensitive files to a cloud server presents a major privacy and security risk, especially for enterprise users who depend on confidentiality for their development work. Such broad and undisclosed data collection runs counter to typical zero data retention policies and raises concerns over user trust and regulatory compliance.

Elon Musk and SpaceXAI faced significant backlash following the revelation, prompting Musk to publicly promise the complete deletion of all data collected before the fix was implemented. The incident highlights the critical importance of transparency and control over data in AI-powered developer tools, especially as AI integration into development workflows accelerates.

What to watch next

It will be important to monitor whether SpaceXAI fulfills its commitment to delete all previously uploaded user data thoroughly and transparently. Users and security researchers will likely continue assessing Grok Build’s behavior to ensure no residual data collection vulnerabilities remain.

Additionally, industry observers should watch if other AI coding tools reevaluate and tighten their data retention policies and how regulatory authorities respond to cases involving unexpected or excessive data collection in developer AI tools. The balance between data utility for debugging and privacy protection remains a central issue.

Source assisted: This briefing began from a discovered source item from The Register Headlines. Open the original source.
How SignalDesk reports: feeds and outside sources are used for discovery. Public briefings are edited to add context, buyer relevance and attribution before they are published. Read the standards

Related briefings