Grok Build Was Uploading Entire Codebases — What That Means for Any Business Using AI Tools

An Eye-Opening Discovery

Security researchers at Cereblab made an unsettling discovery in July 2026. They found that Grok Build — an AI coding tool from SpaceXAI — was quietly uploading entire code repositories to Google Cloud servers, including files it was told not to open and secrets that had been deleted from the project’s history.

This was not a small leak of metadata or a few log files. The tool was packaging and uploading the complete codebase, every time it was used. That means proprietary code, API keys buried in config files, database credentials, and internal business logic were all being sent to cloud servers without the user’s explicit knowledge.

SpaceXAI responded quickly, disabling the upload feature and returning a “disable_codebase_upload: true” flag from their servers. But the incident raises serious questions that every Irish business should be asking about the AI tools they use.

The Bigger Problem

Grok Build is far from the only AI tool that sends data to cloud servers. Almost every AI coding assistant — GitHub Copilot, Amazon CodeWhisperer, Claude Code, and others — sends at least some of your code to remote servers for processing. The difference is one of degree. Most tools send only the specific code snippet they need to analyse. Grok Build was uploading everything.

For an Irish small business, the risk is not just about code. If you use AI tools for accounting, customer relationship management, document generation, or any other business function that sends data to a cloud AI service, you need to know what data is being sent and where it is going.

Under Irish and EU data protection law, you are responsible for the data you process — even if the processing happens on someone else’s servers. If an AI tool sends your customers’ personal data to a US cloud server without adequate safeguards, you could be in breach of GDPR.

A Real Example

Consider a small Irish accountancy firm that started using an AI tool to help draft financial reports. The tool was convenient, fast, and seemed accurate. What the firm did not realise was that the tool was sending client financial data — including PPS numbers, bank details, and revenue figures — to servers in the United States for processing. Under GDPR, that data transfer may not have been lawful without appropriate safeguards.

The firm was not doing anything unusual. They had simply signed up for a popular AI tool without reading the data processing terms. The Grok Build incident shows that even well-known tools can have data handling practices that users do not expect. The lesson is to check, not assume.

Lessons for Every Business

First, read the fine print. When you sign up for an AI tool, the terms of service will tell you what data the tool collects and how it is used. If the terms are vague or allow the provider to use your data for training their models, that is a red flag.

Second, test before you trust. Before rolling out an AI tool across your business, test it with dummy data first. See what it sends and where. If the tool requires an internet connection to function, assume data is being sent to a server.

Third, have a data inventory. You cannot protect data if you do not know what you have. Make a list of the types of data your business handles, where it lives, and which AI tools have access to it. This is good practice anyway — the AI Act will require it for many businesses.

The Bottom Line

The Grok Build incident is a reminder that AI tools are not neutral. They come with their own data handling practices, security models, and privacy implications. For Irish businesses, where trust and reputation are everything, the cost of a data breach or a privacy violation far outweighs the convenience of an AI tool.

Use AI by all means. But know what it is doing with your data. And if you cannot find out, choose a different tool.