
SpaceXAI has acknowledged that Grok Build retained coding data for some users during its early beta, days after security researchers disclosed that the AI coding tool was uploading entire developer repositories.
Alongside the admission, the company announced it is open-sourcing the Grok Build harness and CLI, deleting previously retained coding data, and disabling data retention by default.
The announcement follows days of criticism after researchers alleged that Grok Build's command-line interface uploaded far more data than was necessary for AI-assisted coding. Although SpaceXAI quietly disabled repository uploads through a server-side configuration after the issue gained attention, it did not publicly address the controversy until now.
In a statement posted on X, SpaceXAI said Grok Build has respected zero data retention (ZDR) since launch, adding that users who explicitly disabled data uploads through the CLI always had that preference honored. However, the company also acknowledged that data retention was enabled by default for non-ZDR users during the early beta period, a practice it says has now ended.
SpaceXAI develops the Grok family of AI models and related developer tools. Grok Build is a command-line coding assistant that interacts with local repositories to provide code generation and software development assistance.
The controversy began after security researchers and the Chinese technology publication BlueDot News reported that Grok Build uploaded complete source code repositories, including Git commit history, to Google Cloud Storage instead of limiting collection to code relevant to user prompts. Researchers warned that the behavior created significant privacy and intellectual property risks, particularly for enterprise users with proprietary code or confidential information.
On July 13, security researcher CereLab reported that SpaceXAI had remotely disabled repository uploads by changing a cloud-delivered configuration flag, disable_codebase_upload: true. Because the change was made server-side, researchers noted it could theoretically be reversed at any time. At the time, SpaceXAI offered no public explanation.
The company's new statement says it disabled default retention for all Grok Build users on July 12 and is deleting all previously retained coding data. It also announced that the Grok Build harness and CLI are now open source, allowing developers to inspect the code, contribute improvements, and run the tool locally using their own inference infrastructure.
Despite the announcement, SpaceXAI has not published an advisory describing exactly what information was uploaded or retained, how many users were affected, how long the data was stored, or whether repository contents, Git history, credentials, or other sensitive files were included. It has also not said whether affected users or organizations will be notified.
While deleting retained data and open-sourcing the client improve transparency going forward, users who ran Grok Build during the affected period should rotate any credentials that may have been present in uploaded code.







Leave a Reply