SpaceXAI's Grok Build CLI was silently transmitting entire code repositories including sensitive data to Google Cloud, a practice that only stopped after independent researchers published their findings on Monday. The disclosure, made by Cereblab, revealed that the Grok Build AI tool was packaging and uploading complete codebases far beyond what similar tools typically send to the cloud.

What You Need to Know

AI coding assistants often send small code snippets to cloud servers for processing. Grok Build AI, however, was transmitting entire repositories including files marked for exclusion and secrets that had been deleted from version history. This raised concerns about data exposure for developers using the tool. SpaceXAI has since disabled the feature by returning a flag that blocks codebase uploads.

A Breach of Developer Trust

Cereblab published its findings on Monday after testing the Grok Build CLI. The researchers observed that the tool packaged and uploaded the full contents of a working directory including files the tool was explicitly told not to open. Deleted secrets stored in Git history were also included in the upload. This behavior went well beyond the scope of what other coding assistants such as Claude Code collect for context.

The researchers confirmed that as of Monday, SpaceXAI's servers now return a response containing the flag "disable_codebase_upload: true" and the codebase upload function no longer fires. This change came directly after the report went public.

  • Entire repositories: Grok Build AI uploaded everything in the directory, not just recently modified files.
  • Ignored files: Files listed in .gitignore or other exclusion rules were still sent to Google Cloud.
  • Deleted secrets: API keys and credentials removed from version history were also packaged and uploaded.

Why This Matters

This incident erodes trust in AI-assisted development tools that process code in the cloud. Developers rely on tools like Grok Build AI to boost productivity but must also protect proprietary code and sensitive credentials. When a tool uploads an entire repository including data the developer deliberately excluded, it creates legal and security risks. Companies may now demand stronger transparency from SpaceXAI and other providers about exactly what data leaves the local machine. Regulatory bodies could also take notice, especially if similar behavior appears in other widely used coding assistants.

The Challenges of Cloud-Based Coding

AI coding tools need some access to code to generate useful suggestions. The question is how much. Most tools send only the relevant context like the current file and a few surrounding lines. Grok Build AI appears to have taken a far more aggressive approach, uploading everything. SpaceXAI has now stopped the behavior, but the incident underscores a broader issue: the AI industry often builds features first and investigates privacy implications later. Developers using cloud-based coding assistants should audit their tools regularly and review exactly what data is being transmitted to third-party servers.