Technology

Grok Build code uploads were shut off after researcher report

Researchers said SpaceXAI’s Grok Build CLI sent full code repositories to Google Cloud before the company disabled the behavior.

Maya Lindqvist

By Maya Lindqvist · Senior Technology Correspondent

2 min read

SpaceXAI disabled a code-upload behavior in its Grok Build AI coding tool after researchers said the command-line program had been sending users’ full software repositories to Google Cloud. The finding matters because the transfer allegedly included material users had directed the tool not to read, according to Cereblab and reporting by The Register.

Cereblab published its findings Monday on Grok Build, SpaceXAI’s AI programming tool. The researchers said the Grok Build CLI packaged entire code repositories and uploaded them to cloud storage, rather than limiting collection to a narrower set of files.

According to Cereblab, the uploaded material included files the tool had been instructed not to open. The researchers also said the data could include secrets that had been deleted from history, a category that can be sensitive in software projects because old credentials or tokens may still pose security risks if exposed.

The Register reported that Cereblab described Grok Build’s data retention as significantly broader than comparable AI coding tools, including Claude Code. The available reporting did not include a detailed response from SpaceXAI explaining why the broader upload behavior existed.

Cereblab said its tests showed a change on Monday after the issue was reported. According to the researchers, SpaceXAI’s servers began returning a disable_codebase_upload: true flag, and the codebase upload behavior stopped firing.

The change indicates the company turned off the repository upload mechanism at the server level, based on Cereblab’s testing as reported by The Register. The reporting did not state whether any previously uploaded repositories were deleted or retained.

AI coding tools often need access to project files to generate useful code suggestions, but Cereblab’s findings centered on the scope of what Grok Build collected. The researchers said the tool sent whole repositories to Google Cloud, including files outside the set it had been told to inspect.

The episode adds another privacy and security concern around AI development tools that operate inside software projects. In this case, the key reported change is that Grok Build’s full-codebase upload no longer runs after Cereblab’s findings became public.

This story draws on original reporting from The Verge.