SpaceXAI’s Grok programming tool was uploading its users’ entire codebase to cloud storage SpaceXAI's Grok Build AI coding tool was found uploading users' entire codebases to Google Cloud, including files it was instructed not to open and deleted secrets, before the company disabled the feature after researchers reported it. Elon Musk claimed all previously uploaded data will be deleted, but security experts called the data retention excessive, warning it could expose proprietary code, vulnerabilities, and credentials. SpaceXAI’s Grok Build AI coding tool was spotted uploading users’ entire codebases to Google Cloud before it was reported, and the company turned it off. The Register reports that Cereblab https://cereblab.com/ published findings on Monday showing how the Grok Build CLI was packaging and uploading entire code repositories, “including files it was told not to open and secrets deleted from history,” significantly more data retention than similar tools like Claude Code. The researchers say that as of Monday, their tests show SpaceXAI’s servers returning a “disable codebase upload: true” flag, and the codebase upload “no longer fires.” Elon Musk responded to the incident in a post on X claiming https://x.com/elonmusk/status/2076739687658496209?s=20 that all data Grok Build previously uploaded will be “completely and utterly deleted.” Musk also said in a separate post https://x.com/elonmusk/status/2076737992689914215?s=20 that “privacy settings are always respected,” but asked users to allow SpaceXAI to retain their data, saying it’s “helpful for debugging issues.” Dr. Lukasz Olejnik, an independent security researcher at King’s College London, confirmed to The Verge that this amount of data retention is “excessive,” adding that the data potentially at risk could include “proprietary source code, information about security vulnerabilities, personal data, infrastructure details, and credentials.” SpaceXAI initially responded to the issue with a post https://x.com/SpaceXAI/status/2076692402442846289?s=20 saying that, “If zero data retention is disabled, the /privacy command is available in the CLI to disable data retention, which also deletes previously synced data.” However, Cereblab points out that “/privacy is a per-session retention toggle, not the switch that fixed this, so it shouldn’t be pointed to as the control.”