The recent discovery that Grok Build, a command-line interface developed by SpaceXAI, was uploading entire user repositories to cloud storage has raised significant privacy concerns. Following a report by AI safety researcher Cereblab, the company has taken steps to address the issue.
Incident Overview
Cereblab’s investigation revealed that Grok Build was transmitting the complete contents of user files to a Google Cloud Storage bucket without redaction. This included entire repositories packaged as Git bundles, rather than just the files necessary to fulfill user prompts. The researcher demonstrated this behavior by issuing a benign command that should not have triggered any file access, yet Grok Build still uploaded the entire repository along with its Git history, which contained sensitive information.
Company Response
In response to the findings, SpaceXAI executives, including Elon Musk, publicly addressed the situation. Musk confirmed that the company would delete all user data uploaded prior to the implementation of a fix that prevented further uploads of complete repositories. The company stated that a server-side change, specifically setting the disable_codebase_upload flag to true, halted the unauthorized data transfers.
Privacy Measures and User Concerns
SpaceXAI reassured users that it respects privacy, particularly for those who enable zero data retention (ZDR). For users who have not opted for ZDR, the company provided a command to delete previously collected data. However, Cereblab criticized the emphasis on the /privacy command, arguing that the real fix was the server-side change and that users should not have to manage data retention settings after every session.
Uncertain Outcomes
While Grok Build no longer uploads user repositories, the effectiveness of SpaceXAI’s data deletion promises remains unverified. Cereblab expressed dissatisfaction with the company’s handling of the situation, emphasizing that the default setting should prioritize user privacy. As of now, it is unclear whether all previously uploaded data has been successfully deleted as promised.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








