The coding aid tool Grok Build, developed by SpaceXAI, has ignited considerable debates concerning privacy and security. Through technical scrutiny, security experts found that the tool's command-line interface, by default, automatically transfers entire Git repositories to a Google Cloud Storage bucket, without adequately notifying users. The transferred data encompasses not just complete Git histories and confidential source code, but also sensitive details such as login credentials and API keys stored in .env files. Experiments showed that even when the model interaction channel sends only a minor volume of data (for instance, 192KB), the storage channel still uploads as much as 5.1GiB of codebase data, leading to a data amplification ratio of 27,800 times. Experts verified that deactivating the 'Improve Model' feature does not halt data transfers, as the server-side configuration interface still shows trace_upload_enabled: true, suggesting that the privacy toggle merely governs the client-side UI display without impacting the actual data gathering process. Moreover, Grok Build's installation scripts and quick-start guides do not elucidate this transfer mechanism, and it may lead to significant local disk cache usage. Following the revelation of the incident, SpaceXAI discreetly altered the server-side configuration to halt uploads but refrained from issuing a security alert or informing users, nor did it confirm whether the transferred data had been removed.
