xAI's Grok Build AI Coding Tool Found Uploading Entire Codebases to Cloud Without User Consent
Security researchers at Cereblab revealed that xAI's Grok Build CLI tool was silently uploading users' complete code repositories to Google Cloud Storage, including explicitly excluded files and secrets deleted from version history. Following the disclosure, xAI quickly disabled the feature; its servers now return a 'disable_codebase_upload: true' flag.

Highlights
- Security firm Cereblab disclosed on Monday that xAI's Grok Build CLI tool uploaded users' entire code repositories to Google Cloud Storage without adequate user notification.
- The uploads included files explicitly excluded by users and secrets already deleted from version history, raising significant data privacy concerns.
- Cereblab found Grok Build collected substantially more data than Anthropic's Claude Code under comparable usage conditions.
- xAI disabled the codebase upload feature following disclosure; servers now return the 'disable_codebase_upload: true' flag confirming the function no longer triggers.
- xAI has not yet issued a full formal statement explaining the original purpose of the uploads or how the collected data was handled.
xAI's AI coding tool Grok Build has been found to upload users' entire code repositories to Google Cloud Storage without adequate disclosure, according to security researchers. xAI moved swiftly to disable the feature after the findings became public.
Research Report Details the Issue
As reported by The Register, security research firm Cereblab published its findings on Monday, detailing how the Grok Build command-line interface (CLI) tool packages and uploads users' complete code repositories. The uploaded data reportedly included:
- Files that were explicitly instructed not to be opened
- Secrets that had already been deleted from version history
Cereblab noted that Grok Build's data retention scope far exceeded that of comparable tools, with significantly greater data collection compared to Anthropic's Claude Code.
xAI Responds Quickly, Feature Disabled
Researchers stated that as of Monday, their tests showed xAI's servers had begun returning the disable_codebase_upload: true flag, indicating the codebase upload function was "no longer triggering."
Elon Musk also responded to the incident; for his full statement, readers are directed to the original The Verge report.
Data Privacy Concerns Highlighted
The incident has reignited serious concern over data privacy in AI coding tools. Developers using such tools often have limited visibility into what data is actually being transmitted and stored in the background — a particularly significant risk when tools access code containing sensitive information such as API keys and passwords.
As of the time of writing, xAI has not issued a full formal statement explaining the original purpose of the data uploads or how the collected data has been handled.
Sources: The Verge, The Register
原文來源: 查看原文
FAQ
Newsletter
Subscribe to our Low-Altitude Industry Newsletter
Daily curated news on low-altitude economy and drone industry, delivered to your inbox.
Reviewed and published by the LAETimes editorial desk ·


