SpaceXAI’s Grok programming tool was uploading its users’ entire codebase to cloud storage
SpaceXAI’s Grok programming tool was uploading its users’ entire codebase to cloud storage
SpaceXAI 的 Grok 编程工具曾将用户的整个代码库上传至云端存储
SpaceXAI’s Grok Build AI coding tool was spotted uploading users’ entire codebases to Google Cloud before it was reported, and the company turned it off. The Register reports that Cereblab published findings on Monday showing how the Grok Build CLI was packaging and uploading entire code repositories, “including files it was told not to open and secrets deleted from history,” significantly more data retention than similar tools like Claude Code.
SpaceXAI 的 Grok Build AI 编程工具被发现会将用户的整个代码库上传至 Google Cloud。在相关报道发布后,该公司已关闭了此功能。据《The Register》报道,Cereblab 周一发布的研究结果显示,Grok Build CLI 会打包并上传整个代码仓库,甚至包括“被明确禁止打开的文件以及已从历史记录中删除的机密信息”。其数据留存量远超 Claude Code 等同类工具。
The researchers say that as of Monday, their tests show SpaceXAI’s servers returning a “disable_codebase_upload: true” flag, and the codebase upload “no longer fires.”
研究人员表示,截至周一,他们的测试显示 SpaceXAI 的服务器已返回“disable_codebase_upload: true”(禁用代码库上传)的标志,且代码库上传行为“不再触发”。
Elon Musk responded to the incident in a post on X claiming that all data Grok Build previously uploaded will be “completely and utterly deleted.” Musk also said in a separate post that “privacy settings are always respected,” but asked users to allow SpaceXAI to retain their data, saying it’s “helpful for debugging issues.”
埃隆·马斯克(Elon Musk)在 X 上发文回应此事,声称 Grok Build 此前上传的所有数据都将被“彻底且完全地删除”。马斯克在另一篇帖子中还表示,“隐私设置始终受到尊重”,但他同时请求用户允许 SpaceXAI 保留数据,称这对于“调试问题很有帮助”。
Dr. Lukasz Olejnik, an independent security researcher at King’s College London, confirmed to The Verge that this amount of data retention is “excessive,” adding that the data potentially at risk could include “proprietary source code, information about security vulnerabilities, personal data, infrastructure details, [and] credentials.”
伦敦国王学院的独立安全研究员 Lukasz Olejnik 博士向《The Verge》证实,这种规模的数据留存是“过度的”。他补充说,潜在风险数据可能包括“专有源代码、安全漏洞信息、个人数据、基础设施详情以及凭证”。
SpaceXAI initially responded to the issue with a post saying that, “If [zero data retention] is disabled, the /privacy command is available in the CLI to disable data retention, which also deletes previously synced data.” However, Cereblab points out that “/privacy is a per-session retention toggle, not the switch that fixed this, so it shouldn’t be pointed to as the control.”
SpaceXAI 最初回应称:“如果禁用了 [零数据留存],CLI 中可以使用 /privacy 命令来禁用数据留存,这也会删除之前同步的数据。”然而,Cereblab 指出,“/privacy 只是一个针对单次会话的留存开关,并不是解决此问题的那个开关,因此不应将其作为控制手段。”