This wasn't the LLM, it was Grok CLI preemptively uploading the entire CWD, regardless of where that CWD is, to its own server.
I don't think it is reasonable to expect every user (including those just starting out with the tools - maybe experimenting, maybe younger/less experienced in general) to think that the tool they're running for the very first time is going to automatically exfiltrate all of their data.
It's a pretty serious fuck-up. This guy tweeted about it, who knows how many didn't even notice. It should have been opt-in, it should give user an indication that it's about to do this, etc.
I think there are arguments on both sides. People should look for guidance on how to use complex tools, but we know people will not.
Whose fault is it if someone drives a car without learning how to and injures themselves? On the other hand if the manufacturer has promoted it as one you can drive without learning how to, then whose fault is it?
A lot of users are fine with everything being uploaded. Most people's primary computing device is now a phone that backs up everything to cloud and using apps that are thin front ends over cloud services.
If your immediate reaction to a new piece of software siphoning up someone’s entire system full of highly personal data is, “you’re holding it wrong”, it might help to take a beat and remember that software was developed by a multi-trillion dollar company’s entire business model revolves around siphoning up as much highly personal data as possible
Sure, but it's easy to accidentally start up the agent in the wrong directory, like when you open a new terminal. I've done it before when I was distracted (albeit with Claude, not Grok).
But isn't that user error? If you want to run a program that can read your current directory's contents and possibly upload that to the cloud, would you run that in a directory with your private keys?
My first thought would be their server side extentions, code excecutoon sandboxes and document RAG search, being on by default? Probably should be an opt-in instead of an opt-out.
Karp is right in this instance, sure, but he is just upset Palantir doesn’t have that kind of surveillance tech, and the in-house skills required to keep their edge in the age of LLM-assisted software engineering. Their true “moat" has never been superior tech, it's just the pool of amoral engineers willing to build what others won't.
All of them are going to read your secrets, OpenCode does it too.
Reality is, I have seen agents read .env, bash history, keychain (if you let them), etc.
There is quite literally no way you are going to save off just your little secret somewhere it won't be able to read it, all software needs to read it ~eventually~
So it's best to sandbox and reset credentials frequently.
The first clue should have been when all the Silicon Valley CEO’s lined up to kiss the ring after the second Trump victory. Remember it wasn’t that long before that “woke” tech companies were derided and accused by the same factions they suddenly found themselves in good standing with. There were entire pushes regarding section 230, etc. to go against social media companies, constant complaints about “Facebook” jails and shadow banning. Now they’re all buddy buddy.
Anyway, ghouls like Thiel are now a well known name among populist left and right as an enemy, so maybe some good may come from this.
Not gonna argue about the utility of AI, but isn't the statement "AI is not here to help people" completely meaningless? AI itself is not "here" for anything; the problem is big tech doing big tech shit as always, not the current technology they're doing it with.
True, but it isn't here to not help people, either.
It's a spanner. Who wields the spanner, makes all the difference.
We've spent the last couple of decades, cultivating a huge crop of ultimate scumbag billionaires, with almost comically exaggerated sociopathy, and that has filtered down to almost every level of society. They are treated as gods, these days (they certainly think of themselves that way).
It still shocks me (but really shouldn't), on a daily basis, to encounter regular folks, interacting in stores and restaurants, or driving on roads, that mirror the values systems exemplified by our billionaires. Our politicians act that way, and one of their biggest selling points, is normalizing sociopathy (not just the US, either).
Yes, I mean it in the sense that the spanner itself and who the spanner funnels money to is so bad that anyone using it has automatically accepted themselves being that bad. Unlike most tools (which the tool analogy leans on heavily), it's very much not an impartial tool.
Nah. It was introduced to push tech, but if you're a billionaire, then it was introduced to make you richer. They don't especially care, whether or not that involves replacing people.
Replacing people is what C-suiters think of it (and many of them aren't billionaires).
Exactly. I couldn't have said it better. I hope I will still live to see the pitchforks coming out and taking all of this crap down, but I fear it might be longer than a lifetime, before we rid ourselves of these parasites.
Lazy or incapable people will do almost anything once it is normalized behavior, which vibe coding has become, to avoid having to do actual work. Even if there were cryptominers running, eating up 80% of their cores and stealing electricity, they would still let it happen. It's not their money or hardware being spent.
https://gist.github.com/cereblab/dc9a40bc26120f4540e4e09b75ffb547
Elon did this horrible thing, so I made grok build available for omp with it's own endpoint; Without sending your private repos and secret keys to them.
-
oh-my-pi-plugin-grok-build
Standalone oh-my-pi extension for the xAI Grok Build subscription provider. It adds OAuth login, authoritative model discovery, and OpenAI Responses streaming with the request identity expected by Grok Build.
Install (No-spywares):
omp plugin install oh-my-pi-plugin-grok-build
-
https://github.com/metaphorics/oh-my-pi-plugin-grok-build
Star me if you like it or if you hate spywares, lol.
The question "do you trust this directory?" is a world away from "do you consent to upload this directory and all of its contents to a third party?".
My assumption when asked "do you trust this directory?" is that I am being asked if I am certain I understand what is in the directory and that it won't include some sort of prompt injecting attack. I would never dream that I was consenting to the complete exfiltration of that directory.
Is the Grok CLI a 2 terabyte install? Did Elon dropship you an 8U rack of B200s?
No?
Well the model weights, the GPUs, and the context obviously all have to be in the same place, so “sending your project to them” is literally the only thing that could possibly happen, unless you think agents work by fucking magic.
This is the biggest case of PEBKAC in history, maybe ever.
This is the kind of confusion that Charles Babbage could not rightly comprehend, except at those politicians at least had the excuse that computers had only been invented five minutes prior.
that‘s … not really how it works. Agents get your code into their context via tool calls, not by uploading the entire file to a server „where the weights live and thus the code has to be too“. Small but crucial difference. Aside from that: LLM providers have to be the ones that facilitate your privacy and security by default. That‘s not on the user. They‘re tool providers and they can‘t compromise you and your org by default.
What do you think a tool call is? What is this small but crucial difference between a `read_file` tool call and `scp`?
If your contention is just that this should upload files one by one instead of all at once, what you want is for providers to facilitate the illusion of privacy.
Though I'm in the camp "people should really know to sandbox by now and be careful", I'd say we should also be mindful of how far from everyone has deep knowledge of the systems and tools they use. This behaviour of a tool is just malicious. You have to take into account the human factor, of how people likely end up using a system. And in this case, the consequences of exfiltrating so many secrets this way are really quite unacceptable.
macOS largely _does_ bake this into the OS, and it is annoying. They also provide a way to turn it off for specific applications (including, for example, Terminal.app).
This is a fight I deal with every day. We have folks in the technology group at work who use AI to write code and do so without issue. But now folks in supply chain or in the executive suite are using it to generate web pages that they want published or apps they want on the internet, and while Claude can generate an HTML file how that gets published, how authentication works, etc is just glossed completely over, and generates a ton of work for the IT team to build up around this stuff as it comes in
Given the long history of even the most egregious data breaches with millions of affected people never having the slightest consequences, what level of care are you expecting here?
This sort of stuff is precisely why running local models has to be the future. It's absolutely insane that we just send our code to the cloud like this, and we basically have to trust these companies with it.
If the agent you are running really wanted to it could easily find a way to mount the windows folders and read them all. WSL isn't a security boundary, you are only barely more protected than people running grok in their home directory.
77 comments
[ 3.3 ms ] story [ 11.9 ms ] threadPosting a complaint about Elon on Elon's platform and tagging him is ballsy. He tends to limit visibility of accounts who do that.
I don't think it is reasonable to expect every user (including those just starting out with the tools - maybe experimenting, maybe younger/less experienced in general) to think that the tool they're running for the very first time is going to automatically exfiltrate all of their data.
It's a pretty serious fuck-up. This guy tweeted about it, who knows how many didn't even notice. It should have been opt-in, it should give user an indication that it's about to do this, etc.
Whose fault is it if someone drives a car without learning how to and injures themselves? On the other hand if the manufacturer has promoted it as one you can drive without learning how to, then whose fault is it?
A lot of users are fine with everything being uploaded. Most people's primary computing device is now a phone that backs up everything to cloud and using apps that are thin front ends over cloud services.
It's the manufacturer's fault. Because that's not a reasonable thing for a car to do.
This is why it is important to use open source harnesses instead of shady closed ones.
Reality is, I have seen agents read .env, bash history, keychain (if you let them), etc.
There is quite literally no way you are going to save off just your little secret somewhere it won't be able to read it, all software needs to read it ~eventually~
So it's best to sandbox and reset credentials frequently.
I don’t like piling on especially with security vulnerabilities, but man how many red flags do you need to ignore?
They won’t stop abusing us until we stop using their products.
I didn't really need a second clue.
Anyway, ghouls like Thiel are now a well known name among populist left and right as an enemy, so maybe some good may come from this.
...it was quite the sting because I bought a Tesla car only 2 weeks prior to that.
I don't use AI at all in my daily life.
Work however will demand you use it.
AI is not here to help people.
True, but it isn't here to not help people, either.
It's a spanner. Who wields the spanner, makes all the difference.
We've spent the last couple of decades, cultivating a huge crop of ultimate scumbag billionaires, with almost comically exaggerated sociopathy, and that has filtered down to almost every level of society. They are treated as gods, these days (they certainly think of themselves that way).
It still shocks me (but really shouldn't), on a daily basis, to encounter regular folks, interacting in stores and restaurants, or driving on roads, that mirror the values systems exemplified by our billionaires. Our politicians act that way, and one of their biggest selling points, is normalizing sociopathy (not just the US, either).
The tool analogy is intentionally minimizing, and doesn't capture just how different rented tools with constant surveillance are.
Replacing people is what C-suiters think of it (and many of them aren't billionaires).
My assumption when asked "do you trust this directory?" is that I am being asked if I am certain I understand what is in the directory and that it won't include some sort of prompt injecting attack. I would never dream that I was consenting to the complete exfiltration of that directory.
No?
Well the model weights, the GPUs, and the context obviously all have to be in the same place, so “sending your project to them” is literally the only thing that could possibly happen, unless you think agents work by fucking magic.
This is the biggest case of PEBKAC in history, maybe ever.
This is the kind of confusion that Charles Babbage could not rightly comprehend, except at those politicians at least had the excuse that computers had only been invented five minutes prior.
If your contention is just that this should upload files one by one instead of all at once, what you want is for providers to facilitate the illusion of privacy.
It needs to be baked into the OS.
At that point, HN users start screeching about it, so it's lose/lose, really.
https://ibb.co/ycs6K4c9
If someone wants to contribute the Grok CLI I'm happy to support it.