SpaceX's Grok Build AI coding tool was uploading users' entire codebases to Google Cloud storage without explicit consent or clear disclosure. Cereblab researchers discovered the tool packaged and transmitted complete code repositories, including files marked as off-limits by developers. The company disabled the feature after the vulnerability was publicly reported.
Grok Build functions as a command-line interface designed to assist programmers by analyzing code and offering suggestions. The tool should have respected developer instructions to exclude certain files from processing. Instead, it sent everything upstream to cloud infrastructure, exposing proprietary code, credentials, and sensitive project files to potential exposure.
The incident highlights a recurring problem in AI development tools. Vendors rush to integrate cloud-based AI features without implementing robust controls over what data leaves a user's machine. Developers often assume local tools remain local. When that assumption breaks, intellectual property and security credentials leak into third-party servers.
SpaceX responded by disabling the upload functionality after Cereblab's report. The company has not disclosed how many users were affected, how long the feature operated, or what data was actually transmitted. It remains unclear whether any unauthorized access occurred or if logs exist documenting the uploads.
This breach of trust matters because developers increasingly rely on AI-assisted coding tools. GitHub Copilot, JetBrains' AI Assistant, and similar products all send code snippets to remote servers for processing. Users need clear communication about what data travels where, explicit opt-in for cloud uploads, and controls to exclude sensitive files.
SpaceX's handling reflects a broader industry pattern. Companies launch features, assume users will read documentation, and disable capabilities only after public pressure. Developers deserve better. Coding tools should default to local processing where possible, require affirmative consent for cloud uploads, and clearly label what data leaves the user's machine.
The Grok Build incident reinforces that AI
