- Important to clarify that this was not the Grok agent deciding to read the files.
I don't think the LLM had anything to do with this decision at all. It looks like the Grok tool starts a session by deterministically kicking off a full upload of the user's current repository (and maybe their directory if not version tracked? Not clear if this user had previously run "git init" in their home directory) to Grok's servers.
One possible "innocent"
explanation could be that xAI then run vector embedding on every file to help later provide the right context. I don't think thats a worthwhile tradeoff here, especially since other popular coding agents get by just using grep/ripgrep run locally.
by LetsGetTechnicl
24 subcomments
- So many of the replies are saying that they should've restricted access using .md files and whatnot. Is really any guarantee that they even follow those? It seems like even if you ask pretty please don't touch those files, there's a chance they will. So many people have just willingly installed spyware on their computers and big tech calls this the next big thing.
by Greenpants
4 subcomments
- Though I'm in the camp "people should really know to sandbox by now and be careful", I'd say we should also be mindful of how far from everyone has deep knowledge of the systems and tools they use. This behaviour of a tool is just malicious. You have to take into account the human factor, of how people likely end up using a system. And in this case, the consequences of exfiltrating so many secrets this way are really quite unacceptable.
by spicymaki
3 subcomments
- I am genuinely fascinated by this.
I don’t like piling on especially with security vulnerabilities, but man how many red flags do you need to ignore?
They won’t stop abusing us until we stop using their products.
by lobo_tuerto
7 subcomments
- The real solution to these kind of problems is sandboxing. I use podman through a bash script to launch a container whenever I want an agent to work on one of my repos. When done I just generate git patches and port back everything generated.
In this way I'm not afraid of letting the agents totally lose on my computer.
- A bot will do what a bot can do whether malicious or accidental. One should assume they are giving DOGE shell access on their computer and adapt accordingly. I am trying to imagine the SELinux rules required to make a bot play nice and the more I think about it such rule complexity may even befuddle the NSA. Alternate methodology:
- Give the bot it's own machine and only copy to it that which one would want DOGE having access to. Not a virtual machine, the bot will eventually escape. This applies to all bots or agents of all LLM's. Name the node DOGE to remind anyone using it not to share their crown jewels. Come up with a silly name for the agent. Elonious?
- Give it a little RasPi or mini-PC with maximum power savings enabled and no default network gateway.
- Install a self signed CA cert on the DOGE node and force it's traffic through a Squid SSL Bump MitM proxy on the same private LAN to another node with bandwidth limits enabled so that one can monitor what URL's it goes to and what data it is transferring. Configure Squid Access Control Lists to only permit specific domains and optionally URL's, mime-types, sizes, etc...
- Enable custom AuditD rules to watch anything it touches outside of it's sandbox. Send these events to a remote syslog daemon on the Squid server.
- Install Unbound DNS on the squid proxy and enable the DoH (DNS over HTTPS) listener and force all bot DNS queries to use Unbound with query logging enabled.
When the bot attempts to misbehave there will be forensic data to share with the world.
- I use a separate user for all development tasks, its home folder contains all repositories I work on, and nothing else, and that is all the IDE and the AI assistants have access to. Create the user once, start the IDE from a shell using that user, and that's it. In Linux it's a pretty seamless experience.
It's simple sandboxing based solely on unix file permissions. Albeit weak, I find the isolation sufficient. Until I'm shown otherwise it seems like a good compromise given how easy it is.
You can also create iptables rules matching on the user, so this technique is useful for applications where you want to restrict network traffic as well, and don't need stronger or more fine-grained isolation mechanisms.
by throwaway2027
1 subcomments
- You should assume by default for any AI agent that it will read anything. Even if you manually allow/deny and "restrict" it to a subdirectory I would still hold that assumption. Claude reads your ~/.bash_history too so when you ran something it can use that same command.
by bdcravens
1 subcomments
- So is X going to claim the user disabled something the second before everything went south? That's what the owner's other company does.
- And this is why so many people run these inside of VMs. Still baffles me how these tools became so accepted when tossing out a `curl -o example.com/script.sh | bash` would be met with (rightful) skepticism until that script was examined.
- "The "S" in AI stands for security" strikes again.
Run any cloud-based AI agents in VM/container and map your host's local folders to guest OS as needed.
Takes more effort that default way, I know.
- Well, it looks like he was running the agent in his home directory to begin with considering the `repo_path` field is exactly that.
- I am running all these clis in containered environments. How can you ever trust LLM to respect the bounderies provided by these magical, non-deterministic intructions files...
- We all know the dangers of running agents with no permissions on our laptop.
The good news is its now just as easy to spin up a sandbox in the cloud for an experiment or coding session than it is on your laptop. Possibly easier since laptop sandboxes aren't as cut and dry as a new cloud VM.
exe.dev is my sandbox infra of choice. You get a new sandbox in literally a second with SSH and a coding agent (Shelley) built in.
I generally drop in in my own binary with toolkit so I can connect Claude or Codex subscription and use their harness.
https://github.com/housecat-inc/scratch
If I was working with newer agents like Grok I'd absolutely experiment on a cloud sandbox before running on my laptop bypassing permissions.
- Lots of people responding about LLM but this sound like it’s their coding software („grok build“). Which is approx 100x worse.
LLMs going rogue is a thing and shit happens but publishing software that is uploading user directories including ssh keys is insane behaviour on xAIs part (alledgedly)
by jesse_dot_id
7 subcomments
- There are a distressing number of people in this thread who think that the agent should just be expected to do this. Yes, it is good to be paranoid, but also, the agent should never do this. Indicates horrific engineering practices at xAI.
by greenavocado
0 subcomment
- Copied this from discord:
https://gist.github.com/cereblab/dc9a40bc26120f4540e4e09b75ffb547
Elon did this horrible thing, so I made grok build available for omp with it's own endpoint; Without sending your private repos and secret keys to them.
-
oh-my-pi-plugin-grok-build
Standalone oh-my-pi extension for the xAI Grok Build subscription provider. It adds OAuth login, authoritative model discovery, and OpenAI Responses streaming with the request identity expected by Grok Build.
Install (No-spywares):
omp plugin install oh-my-pi-plugin-grok-build
-
https://github.com/metaphorics/oh-my-pi-plugin-grok-build
Star me if you like it or if you hate spywares, lol.
- I built yoloAI for this kind of nightmare scenario (among others).
- The sandboxed agent has no access to your homedir, or ANY dir on your machine except what you explicitly give it access to.
- Even with your workdir, it honors .gitignore and refuses to copy in any ignored paths to the sandbox copy.
- The sandboxed agent doesn't have access to your ENV (unless you explicitly pass things through one-by-one).
- Networking can be restricted any way you like.
- Credentials are proxied (currently Claude only), so the agent has access to NO secrets at all.
- You pick the security backend to match your needs (containers, VMs, etc).
- It's FOSS.
https://github.com/kstenerud/yoloai
by lobo_tuerto
0 subcomment
- Dupe: https://news.ycombinator.com/item?id=48892512
- https://news.ycombinator.com/item?id=48877371
What xAI's Grok build CLI sends to xAI: A wire-level analysis (gist.github.com)
507 points | 1 day ago | 202 comments
- This sort of stuff is precisely why running local models has to be the future. It's absolutely insane that we just send our code to the cloud like this, and we basically have to trust these companies with it.
by PeterStuer
0 subcomment
- My first thought would be their server side extentions, code excecutoon sandboxes and document RAG search, being on by default? Probably should be an opt-in instead of an opt-out.
by ChrisArchitect
0 subcomment
- Some more discussion: https://news.ycombinator.com/item?id=48892512
- Why do people run and install these agents locally? No container nothing. I am running Opencode in WSL2 with the windows mounts disabled.
- I made a tool to solve this problem (at least on Linux, though I believe there's a way to achieve something similar on MacOS):
https://github.com/swelljoe/flar
It uses bubblewrap to instantly construct a container around just the agent config, auth and history and the project path. The agent or any command it runs can't reach outside of it even if you tell it to (or, more dangerously, a random prompt injection from the web or some third party library or script that the agent runs).
I was using VMs to solve this problem but the temptation to start an agent to work directly on my machine for GUI apps and the like was motivation enough to find an alternative to VMs.
I wouldn't use Grok, became I really don't trust Musk, but even the models I do kinda trust to have good judgement I don't trust enough to let them have unrestricted access to my personal machines and all my credentials.
by yearolinuxdsktp
0 subcomment
- Don't store any secrets in your repo. Don't store them in env vars.
Strong long passphrase on your SSH keys, stop using unencrypted SSH keys. Everything in a keychain.
The practice of storing secrets in a .gitignore'd .env.local.json or whatever is a really bad idea and I can't believe that it has become a normalized, acceptable practice in the industry.
by vorticalbox
6 subcomments
- why do people give these LLMs full access to everything and then complain when it does somethign stupid? that is what sandboxes are for.
- This is why it's going to be a long time before companies will trust AI to scan their networks or apps for security vulnerabilities.
Our company audited a few AI-based pentesting companies and requested logs. In more than one case, it was sending drop tables for sql query injection checking and other destructive operations.
by greenavocado
1 subcomments
- Copied this from discord:
https://gist.github.com/cereblab/dc9a40bc26120f4540e4e09b75ffb547
Elon did this horrible thing, so I made grok build available for omp with it's own endpoint; Without sending your private repos and secret keys to them.
-
oh-my-pi-plugin-grok-build
Standalone oh-my-pi extension for the xAI Grok Build subscription provider. It adds OAuth login, authoritative model discovery, and OpenAI Responses streaming with the request identity expected by Grok Build.
Install (No-spywares):
omp plugin install oh-my-pi-plugin-grok-build
-
https://github.com/metaphorics/oh-my-pi-plugin-grok-build
Star me if you like it or if you hate spywares, lol.
- You shouldn’t run any AI cli (codex, claude code, open code, whatever) locally outside of a vm. It’s like “you shouldn’t run a .exe you downloaded from the internet if you don’t trust the source”. We will learn
- Closed source coding agents are just complete info stealing malware. Both Claude and Grok were caught stealing info from your own machines.
This is why it is important to use open source harnesses instead of shady closed ones.
by germandiago
0 subcomment
- I commented not so long ago to people very invested in AI, agents and tokens that are very enthusiast that I would not use an agent for security reasons and loss of control (besides suboptimal output).
It seems I was not wrong.
Not that I do not use AI. I do: fenced, always pasting my snippets and NEVER giving access to my code. Always from the browser. I know what it can do well and which workflows accelerates for me. But I do not want to think that my whole project ends up somewhere else.
by luciana1u
1 subcomments
- the 'upload your home directory to our servers' feature is the kind of thing that used to require a warrant and now it's just a Tuesday afternoon bug report
by nananana9
1 subcomments
- Not bad, but I think it should also encrypt the local files, to make sure you don't make conflicting edits in the local and remote copies.
- So bubblewrap is the community medicine to this issue. But isn't it funny that we're now trusting a single GH user (although allegedly a RH employee) for the supply chain security? Imagine bubblewrap itself being compromised.
Now you trust a single GH user rather than a company. Fair enough. I just think it's very paradoxical.
- https://xcancel.com/a_green_being/status/2076598897779020159
Posting a complaint about Elon on Elon's platform and tagging him is ballsy. He tends to limit visibility of accounts who do that.
- One of the reasons I never run any agent on my home machine. Containment is mandatory, even more with proprietary harnesses.
- I remember a time when we were told not to run obscure software from questionable websites on our computers. And yet, people are suddenly fully vibing with an uncontrollable character generating machine with who-knows-what-behind-the-scene harness. Crazy.
by nathan_compton
1 subcomments
- Run your agents in podman containers.
- Why is that page not there anymore?
by TimJRobinson
0 subcomment
- Devcontainers are so useful when working with AI. Not only for rogue agents but rogue scripts/libraries they may download that try and exfiltrate your credentials.
- So all the smart people are letting a script being executed on their machines where the execution of the script is controlled/managed by a remote machine. Wait, isnt that a definition of a malware??
- The reports of copilot running amok when Microsoft integrated it into Windows 11 should have been enough of a warning. You either ensure proper sandboxing, or you'll be in for a bad surprise eventually.
- Move fast and break things
- If quality training data is the most important piece regarding to AI, expect everything to be collected and analyzed. Don't even trust OS containers but run AI on separate hardware
- I understand what happened to you could happen to anyone else with Claude or Gemini ... but ... Grok? That is the least trusted AI i would think of.
Friends do not let friends use Grok...
by SubiculumCode
0 subcomment
- Grok keeps killing any good will faster than they ever innovate
by g42gregory
0 subcomment
- Running LLM outside of the repo directory (home directory in this case) is a big no-no. Beyond that, this is highly concerning behavior of Grok.
by 2OEH8eoCRo0
0 subcomment
- Genie lamp "engineering." If I only ask the right question in the correct precise way the genie will obey my wishes and solve all of my problems.
- I feel like a lot of people here are understating this issue.
This is a stupid stupid thing to "allow," for every party involved here.
You're a stupid programmer if you're letting these things touch your files.
You're a stupid company if you're letting Grok run wild.
We're a stupid industry if we're not warning everybody about how ridiculous this all is.
- This needs to stop as users do not always read the policies, which end like this person.
You use AI, you agreed, they do what ever policies say.
by rybosworld
0 subcomment
- Hard to have sympathy for someone that chose to use Grok. The entire XAI team has been gutted and replaced how many times now?
by fatihguzeldev
0 subcomment
- relying on a markdown file that says "don't access x" as a security boundary seems insane. i couldn't find any grok build-specific policy on this, but if the analysis is right, silently uploading and storing the entire repo is at the very least something users should be explicitly told about.
- It's a matter of time when ppl realize AI CLIs == RCE endpoint, technically.
by unicornops
0 subcomment
- If you are running these agents outside of something like Coder or Codespaces I think you are doing it wrong.
- That's some batsh*t craziness. No way I'm touching Grok now. What a big security hole...
by adamtaylor_13
0 subcomment
- I looked at my logs and saw no such behavior. Am I just lucky? Is this a poor configuration? A bug?
- Fully agentic development (supervised)
- Alex Karp was right, AI Compagnies are stealing people code while making them pay for unproductive tokens
by theplumber
0 subcomment
- The question is why would it not? Don’t people know that these AI agents run in the cloud?
by thatguymike
0 subcomment
- They are definitely doing this to build RL environments. Absolutely heinous.
- You should ALWAYS run your agent as separate, unprivileged, UNIX user, never in your main account.
If you absolutely need to run it as your own user, you should bubblewrap it. I do this for things like Steam, games, or other "blackbox" closed source programs that cannot be reasonably trusted.
- And that, kids, is why you run your agents in containers.
- guess they already ran out of fresh context huh
Coming up next: You harness takes daily backups of your entire disk and restores.
by josefritzishere
0 subcomment
- That's completely inappropriate, obviously.
by backitupnowtwe
0 subcomment
- screenshot of the tweet, back it up :)
https://ibb.co/ycs6K4c9
by meta-level
0 subcomment
- This page is "down" :)
by pseudosavant
0 subcomment
- Maybe I'm just too risk adverse to run with scissors with Grok? I can't imagine ever trusting their harness.
I'll just add this to the list of things an AI company could do to guarantee I'd never use them. You know, like the AI referring to itself as Mecha Hitler, making non-consensual porn (even of minors), or deferring to Elon's tweets as authoritative references on topics.
- LLMs belong trapped in VMs.
- defaults to unlimited yolo web io full disk read/write mode
by theaniketmaurya
0 subcomment
- that's why you need to use a sandbox.
SmolVM can easily run Pi, codex and claude
https://github.com/CelestoAI/smolVM
by SirHackalot
0 subcomment
- Guy infiltrates the U.S. government and steals personal information about everyone from federal databases in broad daylight (not to mention cutting aid to poor children with preventable diseases). Average tech bro: “Sure, I’ll use his AI!”
Same tech bro: “Wow I can’t believe they would steal my anime girls!”
- 你是谁
by winfredJa
1 subcomments
- Rules don't apply to certain CEOs.
by effnorwood
0 subcomment
- hey Siri, what's a vm?
by bossyTeacher
0 subcomment
- Why are people using Musk's LLM when there are plenty of alternatives? You know what he's like. This is like touching water and getting wet.
by matthuggins
0 subcomment
- Who could have foreseen a tool by Elon Musk doing such a thing?
by SurajMishra
3 subcomments
- I feel this is worse than running rm -rf on a root directory. Just saying.
- User discovers that AI tool grabs data without asking for its own profit.
News at 11.
by jbxntuehineoh
0 subcomment
- can we put the CFAA to good use and throw these fucking assholes in prison already?
by ricardobeat
1 subcomments
- “Grok uploaded” -> “I gave AI access to my home folder and messed up”
- Welp wasn’t going to use Nazi porn bar guy’s LLM before even more reasons to not use it now.
- FAFO when you run software that has no problem creating CSAM and is owned by a literal fascist lmao
by implexa_founder
0 subcomment
- [flagged]
- [flagged]
by slipperybeluga
0 subcomment
- [dead]
by kardianos
5 subcomments
- TLDR: Ran grok in $HOME. Surprised agent read content of folder.
On the other hand, I specifically had grok try hard NOT to read a known key in the project dir (it only saw the first part using a tool, to verify it was present). So there's that.
by 123sereusername
0 subcomment
- [dead]
by behindcurtain
0 subcomment
- [dead]
by cpburns2009
1 subcomments
- Honestly what else would you expect an AI agent to do when using remote inference? Isn't giving full context into your code base the whole point?
by self_awareness
0 subcomment
- To perform a stupid action is one thing. We all make mistakes.
But to write about it publicly, manifesting our ignorance and lack of critical thinking skill? It's an entirely different matter.
by flyingshelf
3 subcomments
- I'm dying to have proper sandboxing in macOS. I installed ChatGPT, I asked it to list files in my user directory and it did. I never gave it permission, how could it? My terminal has access and honestly it shouldn't either.
- Is the Grok CLI a 2 terabyte install? Did Elon dropship you an 8U rack of B200s?
No?
Well the model weights, the GPUs, and the context obviously all have to be in the same place, so “sending your project to them” is literally the only thing that could possibly happen, unless you think agents work by fucking magic.
This is the biggest case of PEBKAC in history, maybe ever.
This is the kind of confusion that Charles Babbage could not rightly comprehend, except at those politicians at least had the excuse that computers had only been invented five minutes prior.