If you tried SpaceXAI’s Grok Build CLI in the last few weeks and pointed it at a real project, there is a non-trivial chance your source code - including .env files, credentials you thought you had scrubbed, and the full commit history of the repository - sat in a Google Cloud Storage bucket that you did not set up and that SpaceXAI controlled. The upload was the default, and the most visible opt-out did not actually stop it.
That is the finding Cereblab published on Monday and reported by The Verge on July 14. Within hours, SpaceXAI flipped a server-side flag that stopped the uploads, and Elon Musk posted that all previously uploaded user data would be “completely and utterly deleted.” A reproducible capture-the-uploads setup is already public, so the technical claims can be checked rather than taken on faith.
What Cereblab actually found
Cereblab’s site describes what it built: a packet interceptor that records what the Grok Build CLI transmits to SpaceXAI’s backend. The Cereblab write-up focuses on Grok Build CLI version 0.2.93 and the rapid patch lineage through 0.2.99. The two findings that any developer should care about are these.
First, the CLI does not just send the files the model needs to answer your prompt. Cereblab’s analysis, summarized by The Verge, is that the CLI “packages and uploads entire code repositories, including files it was told not to open and secrets deleted from history.” That means a .env containing an API key, a file flagged in .gitignore, or a credential purged from a previous commit was still inside the bundle that left the machine.
Second, the CLI compared badly against the coding tools a developer might already be running. Per Cereblab’s own page, when the researchers tested Grok Build, “Claude Code, Codex, and Gemini, which stayed local” - that is, those other agents did not package the whole repository for upload. The Register’s coverage is more specific about the failure mode: Grok Build packages whole repos as Git bundles “instead of just uploading the files required to answer a user’s prompt,” and a file’s contents are sent to a Google Cloud Storage bucket “without redaction.” That is a wider blast radius than telemetry.
What SpaceXAI did and did not do
The disclosure chain was unusually fast for a lab caught in the act. As reported by The Verge and confirmed by The Register, after Cereblab published its write-up, SpaceXAI changed a server flag so that disable_codebase_upload: true was being returned, and the codebase upload no longer fires. Musk posted on X that all previously uploaded user data would be purged. A separate @SpaceXAI statement, quoted by The Register, said: “We care deeply about your privacy and respect customer choice. For teams using zero data retention, no trace and code data is ever retained.” Musk separately asked users to keep sharing data with SpaceXAI because retaining some of it helps with debugging.
The early explanation from SpaceXAI was less convincing. As quoted in The Register, the company initially pointed users at a /privacy command that “disables data retention, which also deletes previously synced data.” Cereblab pushed back on the same call, per The Register: /privacy “is a per-session retention toggle, not the switch that fixed this.” The distinction matters: a per-session toggle does not retroactively remove the bundled uploads that already left the machine.
Independent voices have also weighed in on the scope. Dr. Lukasz Olejnik, an independent security researcher at King’s College London, told The Verge that the level of data retention involved was “excessive” and that the data potentially at risk includes “proprietary source code, information about security vulnerabilities, personal data, infrastructure details, [and] credentials.” Coverage from The Hacker News repeats the same finding.
What This Means
For a developer or a small team who tried Grok Build in the past few weeks, the practical action list is short and worth doing once, not three times. First, treat any repository you ran Grok Build against as compromised and rotate anything that lived in it: API keys, cloud credentials, signing keys, webhooks, and any .env you have not already rotated since the date you first ran the CLI. Second, check your git history for secrets that may now have a copy outside your control - they were in the bundle even if you deleted them in a later commit. Third, if you want to keep using Grok Build, the working flag, per Cereblab and The Verge, is the server-side disable_codebase_upload setting rather than the local /privacy toggle.
For the broader coding-agent market, this is the first public case of an agent vendor caught running a default behavior that silently exfiltrates a project. Anthropic’s Claude Code, OpenAI’s Codex CLI, and Google’s Gemini CLI are not immune to data-handling questions of their own - Claude Code has had its own API-key exfiltration flaws - but Cereblab found they stayed local to the developer’s machine for the specific repository-bundling behavior that mattered here. That is a useful baseline, not an excuse.
For the privacy beat, this is also why “does AI steal my data” remains a live question in autocomplete. The pattern is repeatable across labs: an agent defaults to broad data collection to make its own job easier, opt-outs are buried, and disclosure happens only after a researcher audits the wire. The same shape showed up a week ago when GitHub’s own coding agent leaked private repos through a single public issue. The Grok Build episode puts that pattern, with an open reproduction repo, on the timeline.
The Bottom Line
SpaceXAI’s Grok Build CLI was packaging whole Git repositories - .gitignored files and deleted secrets included - and uploading them to a Google Cloud Storage bucket by default. A per-session /privacy toggle did not stop the upload; a server-side flag, set only after Cereblab disclosed the bug, did. The previous uploads are promised to be deleted but were out of the user’s control while the default stood. If you ran Grok Build recently, rotate the credentials in any repository it saw, and assume the rest of that repository was once outside your perimeter.