Grok CLI uploaded the whole home directory to GCS

denysvitali 389 points 395 comments July 13, 2026
twitter.com · View on Hacker News

https://xcancel.com/a_green_being/status/2076598897779020159

Discussion Highlights (20 comments)

kardianos

TLDR: Ran grok in $HOME. Surprised agent read content of folder. On the other hand, I specifically had grok try hard NOT to read a known key in the project dir (it only saw the first part using a tool, to verify it was present). So there's that.

SurajMishra

I feel this is worse than running rm -rf on a root directory. Just saying.

throwaway2027

You should assume by default for any AI agent that it will read anything. Even if you manually allow/deny and "restrict" it to a subdirectory I would still hold that assumption. Claude reads your ~/.bash_history too so when you ran something it can use that same command.

inigyou

https://xcancel.com/a_green_being/status/2076598897779020159 Posting a complaint about Elon on Elon's platform and tagging him is ballsy. He tends to limit visibility of accounts who do that.

vorticalbox

why do people give these LLMs full access to everything and then complain when it does somethign stupid? that is what sandboxes are for.

cpburns2009

Honestly what else would you expect an AI agent to do when using remote inference? Isn't giving full context into your code base the whole point?

drakythe

And this is why so many people run these inside of VMs. Still baffles me how these tools became so accepted when tossing out a `curl -o example.com/script.sh | bash` would be met with (rightful) skepticism until that script was examined.

LetsGetTechnicl

So many of the replies are saying that they should've restricted access using .md files and whatnot. Is really any guarantee that they even follow those? It seems like even if you ask pretty please don't touch those files, there's a chance they will. So many people have just willingly installed spyware on their computers and big tech calls this the next big thing.

swingboy

Well, it looks like he was running the agent in his home directory to begin with considering the `repo_path` field is exactly that.

PeterStuer

My first thought would be their server side extentions, code excecutoon sandboxes and document RAG search, being on by default? Probably should be an opt-in instead of an opt-out.

datakan

Move fast and break things

greenavocado

Copied this from discord: https://gist.github.com/cereblab/dc9a40bc26120f4540e4e09b75ffb547 Elon did this horrible thing, so I made grok build available for omp with it's own endpoint; Without sending your private repos and secret keys to them. - oh-my-pi-plugin-grok-build Standalone oh-my-pi extension for the xAI Grok Build subscription provider. It adds OAuth login, authoritative model discovery, and OpenAI Responses streaming with the request identity expected by Grok Build. Install (No-spywares): omp plugin install oh-my-pi-plugin-grok-build - https://github.com/metaphorics/oh-my-pi-plugin-grok-build Star me if you like it or if you hate spywares, lol.

ricardobeat

“Grok uploaded” -> “I gave AI access to my home folder and messed up”

ex1fm3ta

Alex Karp was right, AI Compagnies are stealing people code while making them pay for unproductive tokens

Bender

A bot will do what a bot can do whether malicious or accidental. One should assume they are giving DOGE shell access on their computer and adapt accordingly. I am trying to imagine the SELinux rules required to make a bot play nice and the more I think about it such rule complexity may even befuddle the NSA. Alternate methodology: - Give the bot it's own machine and only copy to it that which one would want DOGE having access to. Not a virtual machine, the bot will eventually escape. This applies to all bots or agents of all LLM's . Name the node DOGE to remind anyone using it not to share their crown jewels. Come up with a silly name for the agent. Elonious? - Give it a little RasPi or mini-PC with maximum power savings enabled and no default network gateway. - Install a self signed CA cert on the DOGE node and force it's traffic through a Squid SSL Bump MitM proxy on the same private LAN to another node with bandwidth limits enabled so that one can monitor what URL's it goes to and what data it is transferring. Configure Squid Access Control Lists to only permit specific domains and optionally URL's, mime-types, sizes, etc... - Enable custom AuditD rules to watch anything it touches outside of it's sandbox. Send these events to a remote syslog daemon on the Squid server. - Install Unbound DNS on the squid proxy and enable the DoH (DNS over HTTPS) listener and force all bot DNS queries to use Unbound with query logging enabled. When the bot attempts to misbehave there will be forensic data to share with the world.

lobo_tuerto

The real solution to these kind of problems is sandboxing. I use podman through a bash script to launch a container whenever I want an agent to work on one of my repos. When done I just generate git patches and port back everything generated. In this way I'm not afraid of letting the agents totally lose on my computer.

ChrisArchitect

Some more discussion: https://news.ycombinator.com/item?id=48892512

lobo_tuerto

Dupe: https://news.ycombinator.com/item?id=48892512

annagio_

This needs to stop as users do not always read the policies, which end like this person. You use AI, you agreed, they do what ever policies say.

nathan_compton

Run your agents in podman containers.

Semantic search powered by Rivestack pgvector
14,015 stories · 131,331 chunks indexed