Security researcher Cereblab discovered that xAI’s Grok Build command-line interface was uploading users’ entire Git repositories, including full history with deleted secrets, to a Google Cloud Storage bucket operated by SpaceXAI. The finding prompted Elon Musk to promise a complete deletion of all previously uploaded user data.
The researcher found that Grok Build packaged entire repositories as Git bundles and transmitted them to xAI servers even when the CLI was instructed only to reply with “OK” and not to open any files. Other users reported that their entire user directories, containing SSH keys and password manager databases, were opened and uploaded without consent.
xAI responded by setting a server-side flag, disable_codebase_upload: true, which stopped the whole-repo uploads. The company advised users to run the /privacy command to disable data retention. However, Cereblab noted that the privacy toggle was not what fixed the underlying issue — the server-side change applied globally regardless of user opt-in status.
Musk stated on X that “all user data that was uploaded to SpaceXAI before now will be completely and utterly deleted.” The Register could not independently verify whether the deletion has occurred. The incident raises questions about data privacy practices in AI-powered developer tools.
