Comment by freakynit
4 days ago
"It uploads the whole repository — every tracked file's content plus git history — independent of what the agent reads"
Holy cow!!!! I mean I kinda expected Elon would do something like this to try to catch-up.. but this is extremely concerning.
This is precisely the reason, even though their pricing is competitive and grok-4.5 is actually good enough, I chose not to go with them.
it's straight up data exfiltration and should be illegal
Suspect it is illegal.
Doesn't matter if it was maliciously stealing literally all contents and secret keys, or if this was merely something vibe-coded that accidentally slipped past QA, the behaviour documented here would get a human developer not only fired but also prosecuted (stealing all the keys and all the code?!), unlikely to get further work, and if not naturalised or a citizen of the country they were in then deported; while the parent company employing a person who acted like Grok is reported to be acting here is likely facing privacy regulator investigations, consent orders, fines, etc.
Sure shouldn't use any software that behaves like this for, e.g. classified work at the Pentagon. If the Pentagon is using this for internal secret planning, like they're boasting they are, this is waaaaay into the "potential catastrophe" (for the US) territory:
Snowden was selective about what he leaked, and still had security people calling for him to get the death penalty.
> chose to use the explicitly evil AI
> look inside
> it does evil things to you too
(meme format aside, this is one for "when people tell you who they are, believe them", along with a demonstration of why "only hurting the right people" is a very dangerous value)
Elon's whole fortune derives from his ability to do illegal stuff without consequence, repeatedly.
[flagged]
2 replies →
I'm not arguing for what they are doing, but if you use a coding agent to do work on a project, eventually it will have most of the code anyway. Granted, this is very conveniently placed for pickup and ingestion.
> and should be illegal
It almost certainly already is, at least in some jurisdictions for some forms of data. GDPR, HIPAA, CCPA, biometric privacy, et cetera almost certainly will find claws into this behaviour.
Re: HIPAA, it would be the covered entity or business associate that is allowing xAI access to PHI who would be in violation, not xAI; same as Google isn’t responsible if someone sends PHI over Gmail and Google scans it.
Does OpenAI also have access to all github repos via partnership with microsoft?
GitHub Copilot engineer here working on identity, safety, and privacy - no, even Microsoft doesn’t have access to all GitHub repos.
As years have passed since the acquisition “company” delineations have blurred a bit, but Microsoft employees still need to go through a separate onboarding process to access any GitHub company resources (internal repositories, telemetry, documentation, etc.), and then we have an additional layer of entitlements to gate and audit access to any sensitive data, including user data.
Very few employees within GitHub proper even have access to view private repositories, and in the rare cases where that’s done for legal or safety reasons the repository owner is notified.
There are currently no OpenAI employees with access to GitHub systems, so there’s about 4 layers of protection in place to prevent private repositories access. We do genuinely take user data protection and privacy seriously.
This is a nice answer to the question "how is GitHub preventing rogue employees at Microsoft from stealing my private repositories?". Like, it's good to know I'm covered if Microsoft accidentally hires a North Korean spy or something.
But if Microsoft really was selling private repo content to OpenAI, it probably wouldn't go through those access controls. It'd be an executive-level decision with enough force to plow through all the red tape, and it'd be implemented as a data pipeline or similar automated process that wouldn't trigger the same kind of notification as, like, a Trust and Safety employee taking manual action.
Probably the better evidence here is in GitHub's ToS where they say in pretty strong/binding terms that they aren't doing this: https://docs.github.com/en/site-policy/github-terms/github-t... . If they are secretly selling your data to OpenAI they haven't left themselves a ton of wiggle room if people ever found out.
(Probably the biggest loophole they could use is to send private repo content to an OpenAI service for scanning/safety purposes. The ToS allows this and they're almost certainly doing it with other services like PhotoDNA. Then OpenAI can just violate whatever agreement they have not to store the data sent to that service.)
4 replies →
> Very few employees within GitHub proper even have access to view private repositories
so we're just discussing what business Microsoft likes more at any moment. and you didn't provide a list of allowed use cases (is Ai training one?). making your huge answer(s) empty and not contributing one yota. sorry.
i feel your job exist to uphold the illusion and you will not see it any other way.
I appreciate the detailed response. It's a very important topic that is often filled with empty platitudes and not enough detail.
How do you define "access" here? Microsoft has demonstrated that it can delete any GitHub repo at will. Maybe there's some shell entity between corporate "Microsoft" and "GitHub" that's doing the dirty deeds without attribution...
12 replies →
[flagged]
2 replies →
It would be _extremely_ surprising if private repos were available via that contract. Corporations wouldn't use GitHub at all if anyone other than those given direct access had read/copy permission.
It wouldnt be _that_ surprising since they committed widespread copyright violations building the models, plus the recent Apple IP theft...
3 replies →
They were caught stealing Apple trade secrets, dude. Nothing is beneath them.
4 replies →
I could see there being different rules for enterprise accounts.
Absolutely not. That would be an absurd violation. If you have Copilot enabled then they can use your interaction data for training but you can turn that off as well
I was hesitant to try the free trial exactly because I haven't found any info about what data was required to share...
Race to the bottom.
There is a reason I run all such CLIs inside a sandbox [1] giving limited directory access.
Imagine if the CLI pulled your SSH keys or other sensitive information by mistake?
Programmers do make such mistakes all the time. I don't want to count on whether "uploading all files it can access" is intentional or a mistake.
1 - https://github.com/ashishb/amazing-sandbox
What’s described here isn’t connected to the agentic/AI nature of the software at all. Every single program you run as a regular user could potentially do this.
Open source project are unlikely to do this, however.
And I run most of them inside sandbox now.
Why would you let a markdown linter access your ssh keys?
2 replies →
But in this particular case isn't the problem that it's sending everything in the sandbox? Rather than what it might do in an otherwise un-sandboxed system?
> But in this particular case isn't the problem that it's sending everything in the sandbox?
If a CLI is touching certain files, they are likely to be leaked one way or the other.
Why not reduce the attack surface?
When does someone visit your house? Do they get unfettered access to your bedroom & safe as well?
1 reply →
The readme is confusing. You say it has bubblewrap, but you also have an FAQ saying why not to use bubblewrap? Another FAQ says why not to use sandbox-exec for mac, yet the link for mac goes to sandbox-exec?
It would be extremely naive to assume Elon, or even a real human had a hand in this. The whole analytics pipeline is very likely vibecoded and never reviewed by a human.