TL;DR / Key Takeaways
- xAI's Grok CLI was caught secretly uploading your entire codebase, including SSH keys and deleted secrets.
- We break down the evidence and explain why their so-called fix still puts your data at risk.
The Smoking Gun: Your Codebase on Their Servers
A social media alert first exposed Grok's alarming behavior. Users discovered a tweet urging them to run a simple `grep` command on their Grok logs. The results were infuriating: logs clearly showed Grok "queuing up a repo upload to Grok servers" without user knowledge, sparking hundreds of confirmations from other users.
This wasn't merely relevant code snippets. Grok was caught uploading entire repositories, packaging complete project directories, including full Git history and even secrets deleted from history, into a bundle. It then shipped this entire bundle to Google Cloud Storage. One user, who ran Grok in their home directory, reported it uploaded their entire home directory, exposing: - SSH keys - password manager database - documents, photos, videos
This scope is shocking and deeply concerning. Other AI coding assistants, like Claude Code, Codex, and Gemini, operate differently. They transmit only the specific code snippets directly relevant to the prompt, sending just the files they need to read. Grok’s approach of silently exfiltrating an entire codebase, regardless of prompt relevance or explicit instructions not to open files, establishes it as a dangerous and unacceptable outlier in user privacy.
Forensic Evidence: How Grok Ignored All Rules
Cereblab, a meticulous researcher, uncovered the definitive technical proof. Employing a MITM proxy, they intercepted Grok CLI's network traffic, definitively capturing the data being sent. The evidence was irrefutable: Grok was indeed uploading entire repositories without user knowledge.
The CLI bundled the complete repository into a single POST request. This payload wasn't just current files; it contained the full Git history and even environment variables. Crucially, this occurred even when Cereblab gave Grok an explicit instruction: "Reply OK, do not open any files." Grok entirely ignored this command, proceeding with the full upload.
Uploading Git history represents a profound security lapse. Developers frequently commit sensitive data—like API keys, database credentials, or secret tokens—and then delete them from the active codebase. However, these "deleted" secrets persist within the repository’s history, making them vulnerable if the entire history is transmitted.
This indiscriminate data collection stands in stark contrast to other AI coding tools. Competitors like Claude Code, Codex, and Gemini only transmit the specific files they need to read for a given prompt. Grok, however, vacuumed up everything, even uploading a 12 GB repository in its entirety, demonstrating a unique and alarming disregard for privacy and security protocols.
Damage Control: xAI's Silent Fixes and Public Promises
xAI's initial move was a silent fix. After the revelation went viral, they remotely activated a `disable_codebase_upload: true` flag on their servers. This server-side kill switch halted the unauthorized uploads for all users without any public announcement.
Subsequently, xAI and Elon Musk released public statements. xAI claimed a deep care for privacy and customer choice, detailing zero data retention (ZDR) policies for teams and API key use. They introduced a `/privacy` CLI command to manage data retention and delete previously synced data.
Elon Musk further pledged, "as a precautionary measure, all user data that was uploaded to Space XAI before now will be completely and utterly deleted. Zero anything whatsoever will remain." He also requested users leave settings on for debugging, while assuring privacy.
These statements, however, sidestepped the core issue. They failed to explain why a "malware-like" background code collector, designed to upload entire repositories, existed and was enabled by default. The Grok CLI update merely added a `/privacy` command, but the underlying upload code remains in the binary, suggesting the server-side flag is the only safeguard. For more insights on their stance, you can check the xAI Blog. Trusting a server-side toggle for such sensitive data remains a significant ask.
Enjoying this? Get one like it in your inbox each morning.
one email a day · unsubscribe in two clicks · no third-party tracking
The Illusion of Privacy: Why You're Still at Risk
xAI's new `/privacy` command offers an illusion of control, not genuine privacy. Researcher Cereblab confirmed this "opt-out" setting doesn't stop your code from leaving your machine, despite its name. Instead, it merely instructs xAI's servers to discard the transmitted data upon receipt, making it a server-side retention switch. Your full session traces still transmit to xAI; you simply have to trust that their servers will actually discard the information instead of storing it.
Worse, this `/privacy` control acts as a per-session retention toggle. Users must remember to enable it every single time they launch a new Grok CLI session. This design creates a massive loophole for accidental data transmission, leaving significant room for error when handling sensitive code. Forget once, and your data might be retained.
Crucially, the original upload code for entire repositories still lurks within the Grok CLI binary. This means xAI could reactivate full repository uploads with a simple server-side flag change, bypassing user consent entirely. For a more robust, client-side defense, harden your Grok config file. Explicitly set `disable_codebase_upload: true` in your configuration to hard stop that upload pipeline, offering a more permanent safeguard against unintended data exfiltration.
Frequently Asked Questions
What data did the Grok CLI upload?
It uploaded entire user repositories as a Git bundle. This included the full Git history (even deleted secrets), environment variables, SSH keys, and password databases located within the repo.
How can I check if my code was uploaded by Grok?
You can check your local Grok logs using a grep command to search for log entries indicating that a 'repo upload' was queued or executed during a session.
Is the Grok CLI safe to use now after the fix?
xAI has enabled a server-side block on uploads, but the code to perform them remains in the client. The new '/privacy' command only toggles server-side retention; your code is still transmitted. Caution is highly advised.
Did xAI delete the uploaded data?
Elon Musk publicly stated that all user data uploaded to xAI before the fix would be 'completely and utterly deleted' as a precautionary measure. However, verification of this is reliant on trusting their statement.
