SpaceXAI has disabled a feature in its Grok Build AI coding tool after researchers found it was uploading users’ full codebases to Google Cloud. According to The Register, security firm Cereblab published findings Monday showing that the Grok Build command-line interface had been bundling and sending entire code repositories, including files it had been instructed not to access and secrets that had been removed from a project’s history. The researchers said the practice involved far broader data retention than comparable tools such as Claude Code.
Cereblab said its tests on Monday showed SpaceXAI’s servers returning a “disable_codebase_upload: true” flag, indicating that the codebase upload process had stopped running.
Elon Musk addressed the matter in a post on X, saying any data previously uploaded by Grok Build would be “completely and utterly deleted.” In a separate post, Musk said “privacy settings are always respected,” while also encouraging users to permit SpaceXAI to keep their data, arguing that retention is “helpful for debugging issues.”
Dr. Lukasz Olejnik, an independent security researcher at King’s College London, told The Verge that the level of data retention described was “excessive.” He warned that the exposed material could potentially include “proprietary source code, information about security vulnerabilities, personal data, infrastructure details, [and] credentials.”
SpaceXAI first responded by saying in a post that, “If [zero data retention] is disabled, the /privacy command is available in the CLI to disable data retention, which also deletes previously synced data.” Cereblab disputed that explanation, noting that “/privacy is a per-session retention toggle, not the switch that fixed this, so it shouldn’t be pointed to as the control.”