Grok CLI uploaded the whole home directory to GCS

(twitter.com)

120 points | by denysvitali 1 hour ago

19 comments

  • Greenpants 4 minutes ago
    Though I'm in the camp "people should really know to sandbox by now and be careful", I'd say we should also be mindful of how far from everyone has deep knowledge of the systems and tools they use. This behaviour of a tool is just malicious. You have to take into account the human factor, of how people likely end up using a system. And in this case, the consequences of exfiltrating so many secrets this way are really quite unacceptable.
  • bdcravens 31 minutes ago
    So is X going to claim the user disabled something the second before everything went south? That's what the owner's other company does.
  • spicymaki 37 minutes ago
    I am genuinely fascinated by this.

    I don’t like piling on especially with security vulnerabilities, but man how many red flags do you need to ignore?

    They won’t stop abusing us until we stop using their products.

  • vorticalbox 1 hour ago
    why do people give these LLMs full access to everything and then complain when it does somethign stupid? that is what sandboxes are for.
    • wolttam 33 minutes ago
      This wasn't the LLM, it was Grok CLI preemptively uploading the entire CWD, regardless of where that CWD is, to its own server.

      I don't think it is reasonable to expect every user (including those just starting out with the tools - maybe experimenting, maybe younger/less experienced in general) to think that the tool they're running for the very first time is going to automatically exfiltrate all of their data.

      It's a pretty serious fuck-up. This guy tweeted about it, who knows how many didn't even notice. It should have been opt-in, it should give user an indication that it's about to do this, etc.

      • vorticalbox 28 minutes ago
        The grok-cli is on github[0] there is nothing that I can see in the code that is activily looping ~/ and uploading everything.

        My two guesses would be one the LLM decided it needed these files for the task or two the user simple asked grok to do it so they could post the tool calls on twitter.

        [0] https://github.com/superagent-ai/grok-cli

        • winstonp 16 minutes ago
          That is not the Grok CLI being discussed. That's an open source, third party CLI. https://x.ai/cli is the official Grok CLI being discussed, and it is not open source.
    • cush 21 minutes ago
      If your immediate reaction to a new piece of software siphoning up someone’s entire system full of highly personal data is, “you’re holding it wrong”, it might help to take a beat and remember that software was developed by a multi-trillion dollar company’s entire business model revolves around siphoning up as much highly personal data as possible
    • dewey 1 hour ago
      When I give my text editor or file browser access to everything I wouldn't expect it to exfiltrate data without asking.
      • docdeek 58 minutes ago
        Isn’t a file browser running locally, while Grok is running on someone else’s server?
        • dewey 53 minutes ago
          The point is more that you should not blame the user (why didn't you set up sandbox instead of directly using the tool of big corp) if a tool does something unexpected. If your Dropbox client would suddenly just upload your home directory instead of it's folder you configured you'd also not blame the user that they use Dropbox, you'd blame Dropbox for not doing their job correctly or being user hostile.
          • freedomben 51 minutes ago
            Agreed. You can still encourage people to use defense in depth without actively blaming them for not having the deepest moat imaginable. Software creators still have some responsibility
          • dpoloncsak 48 minutes ago
            Is it 'unexpected' when we've been hearing stories like this every week for 2 years now?
            • dewey 44 minutes ago
              Not every Anthropic user follows HN or random X posts about these issues.
              • zzril 6 minutes ago
                Stories about copilot messing things up made into regular newspapers...

                Do Anthropic users consider themselves clever enough to not make the same mistakes as Microsoft?

      • slipperybeluga 42 minutes ago
        [dead]
    • dumberquestions 1 hour ago
      Other ones aren't this invasive with user data.
      • pixel_popping 1 hour ago
        not true, Claude code on its own often create artifacts and straight up upload private stuff to Anthropic, without asking for it.
        • John23832 1 hour ago
          Then show us the example of Claude uploading a home directory to Anthropic because we have an example of Grok uploading a home directory to X.
      • steve1977 56 minutes ago
        Are we sure about that?
        • dumberquestions 34 minutes ago
          Codex is opensource, there are other opensource harnesses.
          • steve1977 1 minute ago
            But Claude Code, arguably one of the most famous ones, is not. And recently got some heat about sending meta data that wasn't so obvious. Just as a counter-example.
  • winfredJa 12 minutes ago
    Rules don't apply to certain CEOs.
    • zzril 10 minutes ago
      You have to put them into a RULES.md of course!
  • swingboy 1 hour ago
    Well, it looks like he was running the agent in his home directory to begin with considering the `repo_path` field is exactly that.
  • inigyou 1 hour ago
    https://xcancel.com/a_green_being/status/2076598897779020159

    Posting a complaint about Elon on Elon's platform and tagging him is ballsy. He tends to limit visibility of accounts who do that.

    • master-lincoln 57 minutes ago
      ballsy only if you care about participating in that shithole of a platform.
    • cyanydeez 1 hour ago
      [flagged]
  • cpt100 17 minutes ago
    Why is that page not there anymore?
  • PeterStuer 1 hour ago
    My first thought would be their server side extentions, code excecutoon sandboxes and document RAG search, being on by default? Probably should be an opt-in instead of an opt-out.
  • lobo_tuerto 51 minutes ago
  • rvz 39 minutes ago
    Closed source coding agents are just complete info stealing malware. Both Claude and Grok were caught stealing info from your own machines.

    This is why it is important to use open source harnesses instead of shady closed ones.

  • fwlr 21 minutes ago
    Is the Grok CLI a 2 terabyte install? Did Elon dropship you an 8U rack of B200s?

    No?

    Well the model weights, the GPUs, and the context obviously all have to be in the same place, so “sending your project to them” is literally the only thing that could possibly happen, unless you think agents work by fucking magic.

    This is the biggest case of PEBKAC in history, maybe ever.

    This is the kind of confusion that Charles Babbage could not rightly comprehend, except at those politicians at least had the excuse that computers had only been invented five minutes prior.

    • notavalleyman 15 minutes ago
      Haha so just send over your entire home directory including password managers and home videos every time you need some python code rewritten.

      Only a buffoon would be confused by the straightforward logic.

    • hosel 20 minutes ago
      You’re telling me LLMs aren’t actually magic?
    • Hamuko 19 minutes ago
      It's fascinating how many people in this conversation think that LLMs need to have all of the files in your $CWD on the model provider's servers to be able to do anything.
  • nathan_compton 47 minutes ago
    Run your agents in podman containers.
    • rvz 16 minutes ago
      Or don't use closed source harnesses at all.
  • greenavocado 32 minutes ago
    Copied this from discord:

        https://gist.github.com/cereblab/dc9a40bc26120f4540e4e09b75ffb547
    
        Elon did this horrible thing, so I made grok build available for omp with it's own endpoint; Without sending your private repos and secret keys to them.
    
        -
    
        oh-my-pi-plugin-grok-build
        Standalone oh-my-pi extension for the xAI Grok Build subscription provider. It adds OAuth login, authoritative model discovery, and OpenAI Responses streaming with the request identity expected by Grok Build.
    
        Install (No-spywares):
    
        omp plugin install oh-my-pi-plugin-grok-build
    
        -
    
        https://github.com/metaphorics/oh-my-pi-plugin-grok-build
    
        Star me if you like it or if you hate spywares, lol.
  • ChrisArchitect 54 minutes ago
  • ex1fm3ta 57 minutes ago
    Alex Karp was right, AI Compagnies are stealing people code while making them pay for unproductive tokens
  • slipperybeluga 45 minutes ago
    [dead]