Here is what happened. An AI agent built by xAI silently collected users' SSH private keys and uploaded them without explicit consent. No warning. No clear disclosure in the interface. The kind of thing that, in any other software context, would be called data exfiltration.
The response from xAI? Open-source the tool on GitHub.
That pivot deserves more scrutiny than it has received. Because when a company's answer to a credential leak is radical transparency about the code, it suggests the company believes the problem was opacity, not conduct. It wasn't. The problem was that an agent did something consequential to users' infrastructure without their knowledge. Publishing the source afterward doesn't undo that. It doesn't change what the tool did while it was closed.



