如果你用AI编程工具处理私有代码,这条要警惕。Grok Build CLI曾静默上传整个Git仓库包括密钥,修复靠隐藏开关,xAI至今未回应数据去向。
xAI的Grok Build CLI存在安全漏洞,会将所在Git仓库无差别上传至grok-code-session-traces存储桶。测试中一个12GB仓库上传了5.1GB数据,而实际任务只需192KB。修复通过隐藏标志disable_codebase_upload: true在一天后完成,但xAI未公开数据范围、保留或删除情况。用户设置中的“Improve the model”选项并未阻止上传。
Our code
Our code International Cyber Digest @IntCyberDigest ‼️ BREAKING: xAI's Grok Build CLI was uploading entire Git repositories to a Google Cloud bucket, private codebases and unredacted secrets included. The uploads quietly stopped via a hidden server-side flag, and xAI still has not said a word about scope, retention, or deletion. The scale is staggering. On a 12 GB test repo, 5.1 GB flew out the door to xAI's grok-code-session-traces bucket while the actual coding task needed just 192 KB. The tool grabbed whatever repository it ran in, not the files it needed. The fix arrived as a hidden flag, disable_codebase_upload: true, a day after a researcher's wire-level analysis. The "Improve the model" opt-out never stopped the uploads. Still no advisory, no scope, no word on whether already-uploaded code gets deleted. For anyone pointing AI coding agents at proprietary code, what crosses the wire matters more than what the settings page says. 🔗 View Quoted Tweet 💬 12 🔄 4 ❤️ 159 👀 12212 📊 20 ⚡