Cereblab researchers published findings showing that SpaceXAI's Grok Build CLI was packaging and uploading entire code repositories to Google Cloud, including files it was told not to open and secrets deleted from history. The data retention significantly exceeded that of similar tools like Claude Code.
As of Monday, tests showed SpaceXAI's servers returning a "disable_codebase_upload: true" flag, and the codebase upload stopped firing. Elon Musk responded claiming all previously uploaded data would be "completely and utterly deleted," and said privacy settings are always respected, though he asked users to allow data retention for debugging purposes.
Dr. Lukasz Olejnik, an independent security researcher at King's College London, confirmed the data retention was "excessive," noting the data potentially at risk included proprietary source code, security vulnerability information, personal data, infrastructure details, and credentials. SpaceXAI initially pointed to a /privacy command for disabling retention, but Cereblab noted that /privacy is a per-session toggle, not the control that fixed the issue.