Grok Build, xAI's coding assistant tied to Elon Musk, was uploading entire private codebases to vendor servers in a recent version range, prompting a public 'purge' promise from Musk.
An AI coding assistant tied to Elon Musk's xAI, Grok Build, was caught shipping users' entire private codebases to vendor servers across a known version range. The operator said data was never retained; Musk publicly promised a "purge." The mechanism underneath is older than the incident: an AI coding agent that needs repo context will, by default, send the repo. "Purge" is a corporate-promise word, not a technical attestation.
The disclosure, documented by CerebLab in a writeup titled "Grok Build CLI v0.2.93 → 0.2.99 data exfiltration — FIXED", ties the behavior to the v0.2.93 through v0.2.99 line of Grok Build's command-line tool. In that range, a configuration that should have scoped the tool's file reads to project working directories instead walked the full repository tree and shipped it off the developer's machine. The fix landed in a later build; the window in which an entire repo could leave the developer's laptop is the unit of exposure.
SpaceXAI, the entity that ships Grok Build, posted a zero-data-retention statement on X: the data was not stored, the post said, and was not used for training. That is a posture claim, not an artifact a customer can examine. An independent developer, @a_green_being, corroborated the full-directory upload behavior on the same platform, giving the mechanism a second witness.
Elon Musk responded on X with a public "purge" promise, framing the response as corrective personnel action rather than a technical remediation announcement. The Register's writeup of the exchange is the trigger that pulled the CerebLab mechanism, the SpaceXAI statement, and Musk's post into a single news cycle.
The mechanism is not Grok Build-specific. Any AI coding agent that ingests a project to suggest edits or answer questions has to read the files. The defaults that govern how much it reads, where the read traffic goes, and what the vendor does with the bytes after the request finishes are the product. A tool that "reads your repo to help" is a tool that has your repo. The exposure question is whether the read scope is bounded, whether the egress is logged, and whether retention is the default or the exception.
For a developer or team using any AI coding tool, three artifacts are worth requesting from the vendor after any disclosure of this kind. First, a version range in which the behavior was live, so local caches and CI logs can be checked against it. Second, a per-request egress log showing what left the developer's machine, ideally with file paths and byte counts. Third, a retention attestation that names the storage system, the retention period, and the deletion mechanism. A "we delete it" promise without those three is a marketing line, not a control.
The current disclosure offers the version range and the user-side corroboration. The retention and egress artifacts have not been published. Until they are, "purge" is what the company said it would do, not what a customer can verify was done. The next test is whether the SpaceXAI statement, Musk's promise, and the fix's release notes together add up to a control, or only to a press cycle.