xai-org/grok-build now open source after directory-upload backlash
xAI open-sourced its grok-build CLI after users reported it silently uploaded an entire working directory, including SSH keys and password manager databases, to xAI's Google Cloud storage.
What it is
xAI's grok CLI coding tool, now open-sourced following public reports of unexpected data exfiltration.
What it does
Uploaded the full contents of whatever directory it was run in, not just project files, to xAI-controlled cloud storage, with at least one user finding SSH keys, password manager data, documents, photos, and videos included.
Why it matters
Compared to Claude Code and other CLI coding agents that scope file access to the project directory, this shows why sandboxing and explicit scoping of what a CLI tool can read matters before granting it filesystem access, especially in a home directory.
How to use it
Before running any CLI coding agent in a directory, check its documented file-access scope and avoid running it from your home directory or any folder containing credentials.