A new controversy has started around xAI's Grok Build coding tool after a security researcher claimed it was uploading users' entire code repositories to xAI's cloud without clearly informing them. The issue became widely discussed after software security expert Hari posted about it on X.
The issue became widely discussed after software security expert Hari posted about it on X. Hari claimed, “I reversed xAI's official Grok Build binary. In a controlled session with zero tool-calls, it uploaded the complete codebase to xAI's storage. It ships a malware-like background code collector.”
Hari wrote on X, "SpaceXAI was caught uploading your code to its cloud."
OpenAI CEO Sam Altman reacted to Hari's post by replying with a one-word response: "concerning."
xAI later responded publicly to the allegations on X. The company clarified that it takes user privacy seriously and respects customer choices. xAI said enterprise customers using Zero Data Retention (ZDR) never have their code or trace data stored.
What is the backlash all about?
An in-depth analysis of xAI’s Grok Build CLI has revealed that version 0.2.93 transmitted unredacted file contents, including secrets stored in. env files, along with entire Git repositories and their commit history to cloud storage. During testing, the researchers found unredacted fake API keys and database passwords stored in an. env-style file within the captured request data. The same sensitive information was also present in a session state archive uploaded through the POST /v1?storage endpoint.
Following the disclosure, xAI rolled out a server-side fix that stopped Grok Build from uploading entire Git repositories, according to security researcher Cereblab. The company also said users can disable data retention and delete previously synced data using the /privacy command.
Musk’s response
Responding to the incident on X, Elon Musk said xAI would permanently delete all user data uploaded before the fix was deployed.
“As a precautionary measure, all user data that was uploaded to xAI before now will be completely and utterly deleted. Zero anything whatsoever will remain.”
While Musk also encouraged users to continue sharing diagnostic data to help improve the product, the researcher argued that the real fix was the server-side change that disabled repository uploads, rather than the /privacy command.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.




