Elon Musk has pledged to delete all previously uploaded user data after security researchers discovered that xAI’s Grok Build, the company’s AI coding assistant, had been uploading developers’ entire Git repositories to cloud storage instead of sending only the files needed to complete coding tasks. The issue sparked widespread privacy concerns because uploaded repositories could include proprietary source code, API keys, credentials, deleted secrets preserved in Git history, and other sensitive information.

Following public disclosure of the issue, xAI disabled the repository upload feature through a server-side update, preventing further uploads without requiring users to update the software. Musk later stated that all previously uploaded user data would be “completely and utterly deleted”, while encouraging users to continue allowing optional data retention for debugging purposes.

Grok Build Uploaded Entire Code Repositories

Researchers found that the coding assistant transmitted significantly more data than necessary.

Key HighlightsDetails
CompanyxAI (SpaceXAI branding in reports)
ProductGrok Build CLI
IssueUploaded entire Git repositories
Potentially exposed dataSource code, Git history, credentials, API keys
Current statusRepository uploads disabled

Security researchers said the uploaded data included complete repository histories rather than only the files accessed during coding sessions.

What Happened?

The investigation revealed unexpected behavior by the coding tool.

Researchers reported that Grok Build:

  • Uploaded complete Git repositories.
  • Included full commit history.
  • Sent files the AI had not been instructed to read.
  • Potentially transmitted deleted secrets preserved in Git history.
  • Stored uploaded data in a Google Cloud Storage bucket managed by xAI.

In one documented test, approximately 5.1 GB of repository data was uploaded even though the coding task required only about 192 KB of model context.

Musk Promises Complete Data Deletion

Following the disclosure, Elon Musk publicly responded.

According to his statements:

  • Previously uploaded user data will be deleted.
  • Future repository uploads have been disabled.
  • Existing privacy settings will continue to be respected.
  • Users are encouraged—but not required—to allow data retention for debugging.

Researchers subsequently confirmed that the automatic repository uploads had stopped after the server-side configuration change.

Why Developers Are Concerned

Potential RiskImpact
Proprietary source codeIntellectual property exposure
API keysUnauthorized service access
Cloud credentialsInfrastructure compromise
Git historyRecovery of previously deleted secrets
Customer dataPrivacy and compliance risks

Security experts noted that repositories often contain highly sensitive development information extending well beyond the files an AI model actually needs.

Recommended Actions for Users

Developers who previously used Grok Build are advised to:

  • Rotate exposed API keys.
  • Replace cloud credentials.
  • Review Git history for committed secrets.
  • Audit repository access.
  • Monitor infrastructure for suspicious activity.

Deleting uploaded data reduces future retention but does not eliminate the possibility that sensitive information may already have been exposed.

Challenges Ahead

The incident raises broader questions for AI coding tools.

Key issues include:

  • Transparency around data collection.
  • User consent.
  • Enterprise privacy requirements.
  • Secure handling of proprietary code.
  • Independent verification of deletion claims.
  • Stronger default privacy protections.

Organizations adopting AI development tools are expected to place greater emphasis on data governance and security controls.

Outlook

The Grok Build incident highlights the growing privacy challenges associated with AI-powered software development tools. As coding assistants gain deeper access to local development environments, developers and enterprises increasingly expect clear disclosure of what data leaves their machines and why. xAI’s decision to disable repository uploads and Musk’s pledge to delete previously collected data represent immediate responses, but questions remain about how organizations can independently verify deletion and whether similar issues could arise in future AI development tools.

The episode is also likely to accelerate industry-wide scrutiny of AI coding assistants. Enterprise customers are expected to demand stronger privacy controls, more transparent data-handling policies, and default safeguards that minimize the collection of sensitive information while preserving the productivity benefits of AI-assisted software development.

What It Means for AI Coding Tools

The controversy underscores that data governance is becoming as important as model capability in enterprise AI adoption. Organizations increasingly evaluate AI coding assistants not only on coding performance but also on how they collect, process, store, and protect proprietary software assets.

For AI vendors, the incident serves as a reminder that trust depends on transparent privacy practices, granular user controls, and verifiable security measures. As AI coding assistants become mainstream, robust privacy protections are likely to become a key competitive differentiator alongside model accuracy and developer productivity.

Get the day’s top stories in your inbox

One concise email. No spam, unsubscribe anytime.