SpaceXAI's AI coding tool Grok Build has sparked data security controversy after it was revealed that it defaults to uploading users' entire codebase to Google Cloud. The company has now disabled the relevant feature. According to a report published by Cereblab on Monday, the Grok Build CLI packaged and uploaded the entire codebase, including files explicitly marked as inaccessible and sensitive information that had been removed from the history, with a data retention scope far exceeding similar AI programming tools like Claude Code.

Researchers stated that as of Monday's test, the SpaceXAI server had returned the "disable_codebase_upload: true" flag, and the codebase upload behavior no longer triggered, indicating that the relevant feature had been disabled.

Grok, Musk, xAI

In response to the incident, Elon Musk stated on the X platform that previously uploaded data would be "completely and thoroughly deleted," and emphasized that SpaceXAI "always respects privacy settings." However, he also said that he hopes users allow the platform to retain data to help identify and debug issues.

Lukasz Olejnik, an independent security researcher at King's College London, pointed out that such large-scale data retention poses obvious risks, potentially involving sensitive content such as proprietary source code, security vulnerability information, personal data, infrastructure details, and access credentials.