WARNING

Musk says SpaceXAI will delete all previously uploaded user data

Signals Inbox·July 13, 2026·AI DevTools

SpaceXAI says it will erase all user data previously uploaded by Grok Build. That sounds reassuring, but the real story is why the purge became necessary: researchers found the coding tool could upload entire repositories, including Git history and old secrets, even when a prompt told it not to open any files.

The Signal, Explained in 3 Minutes

Q1What actually happened?

Elon Musk said on X that SpaceXAI would completely delete all user data uploaded before the company changed Grok Build. The promise followed a researcher’s finding that the coding tool could package entire Git repositories and send them to a SpaceXAI-controlled Google Cloud bucket.

Q2How much data was Grok uploading?

Potentially far more than a coding task needed. In one reported test, Grok Build uploaded 5.1 GB from a 12 GB project during a task involving only about 192 KB of relevant data. That is roughly 26,000 times more data than the task required.

Q3What was inside those uploads?

Researchers say the bundles could contain the complete repository, files the agent never opened, full Git history, environment files, and secrets deleted months earlier. That could expose private source code, API keys, cloud credentials, passwords, security flaws, and internal infrastructure details.

Q4Did privacy mode stop the uploads?

Apparently not by itself. Cereblab found that the privacy command changed whether SpaceXAI retained some data, but it did not necessarily stop information from leaving the computer. The full-repository uploads stopped after SpaceXAI activated a separate server-side switch called disable_codebase_upload.

Q5How does Grok compare with rival coding tools?

Cereblab’s comparison found that Claude Code, Codex, and Gemini normally send files they actually open, while Grok Build was sending the whole repository and its history. That made Grok’s data collection unusually broad, not just another version of normal cloud-based coding assistance.

Q6Does deleting everything solve the problem?

Not completely. A real deletion would reduce future exposure, but developers still need to rotate any API keys, passwords, or credentials that may have been uploaded. SpaceXAI has promised that nothing will remain, but outsiders cannot currently verify that every copy, backup, and log has been erased.

Q7Why does this matter beyond Grok?

Because AI coding tools are gaining access to companies’ most sensitive assets: their source code, credentials, customer systems, and security logic. The next competitive fight will not just be about which agent writes the best code. It will also be about which one can prove it only reads, sends, and stores exactly what the user allowed.