Concerning behaviour from Rovodev CLI: Local File Indexing Sent to Atlassian Systems

Patrick Matthews July 12, 2025

I want to raise an important issue I encountered while using the Rovodev CLI from Atlassian.

Despite my repeated efforts to restrict its scope, the CLI continued to gather data from my entire local machine, not just the project directory I was working in. It persistently searched outside my working folder — even diving into sensitive directories like those named “products” — indexing every file name it could access. Even after I re-issued instructions to adhere to the task at hand, rovodev continued to index folders throughout my system (after being given explicit instructions to stay in the project's working directory).

Even more concerning:
The CLI explicitly admitted that information about these indexed files had been sent (indirectly) to Atlassian systems. That means even folders completely unrelated to my project were scanned and reported — something I never consented to.

This is a serious breach of developer trust. Tools like this should never index or transmit data from outside of the defined project scope — especially not without clear consent or explicit user configuration.

If you're using Rovodev CLI, I strongly recommend:

  • Running it in an isolated, sandboxed environment.

  • Monitoring its network activity.

  • Keeping an eye on what directories it's accessing.

Atlassian needs to clarify and rectify this behavior immediately. Transparency and user control are non-negotiable in developer tooling.

Stay secure. Stay aware.
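
One way to act on the last recommendation above, as an added example that is not part of the original post and not Atlassian code: a filter that reads `strace` file-syscall output and reports every path touched outside the project directory. It assumes a Linux host with `strace`; the function names, the allowlist and the sample paths under `/home/dev` are hypothetical.

```python
import posixpath
import re
from collections import Counter

# Path-taking syscalls as printed by `strace -f -e trace=file -o trace.log <command>`.
# Calls relative to a directory fd other than AT_FDCWD are not resolved here.
PATH_CALL = re.compile(
    r'\b(open|openat|stat|lstat|newfstatat|statx|access|readlink|chdir)\('
    r'(?:AT_FDCWD, )?"((?:[^"\\]|\\.)*)"'
)
# Locations most processes read at start-up; an assumption to tune per system.
DEFAULT_ALLOW = ("/usr", "/lib", "/lib64", "/etc", "/proc", "/sys", "/dev")


def is_within(path, root):
    """True if path is root or lies beneath it, compared component-wise."""
    return posixpath.commonpath([path, root]) == root


def out_of_scope(trace_lines, project_root, allow=DEFAULT_ALLOW):
    """Count accesses to paths outside project_root (an absolute path)."""
    root = posixpath.normpath(project_root)
    cwd = root  # assumes the tool was started inside the project directory
    hits = Counter()
    for line in trace_lines:
        m = PATH_CALL.search(line)
        if not m:
            continue
        call, raw = m.groups()
        # Relative and ../ paths are resolved against the traced cwd.
        path = posixpath.normpath(posixpath.join(cwd, raw))
        if call == "chdir" and line.rstrip().endswith("= 0"):
            cwd = path
        if is_within(path, root) or any(is_within(path, a) for a in allow):
            continue
        hits[path] += 1
    return hits


# Constructed sample trace, not captured from any real tool.
SAMPLE = [
    'openat(AT_FDCWD, "/home/dev/project/src/app.py", O_RDONLY|O_CLOEXEC) = 3',
    'openat(AT_FDCWD, "README.md", O_RDONLY) = 4',
    '[pid 4242] openat(AT_FDCWD, "/home/dev/products", O_RDONLY|O_DIRECTORY) = 5',
    '[pid 4242] newfstatat(AT_FDCWD, "/home/dev/products/pricing.xlsx", {st_mode=S_IFREG|0644, ...}, 0) = 0',
    'openat(AT_FDCWD, "../products/roadmap.md", O_RDONLY) = 6',
    'openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3',
    'read(3, "..."..., 4096) = 4096',
]
```

Calling `out_of_scope(open("trace.log"), "/abs/path/to/project")` on a real capture returns a `Counter` of out-of-scope paths; failed lookups are counted too, since an attempted access is still worth seeing.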

Peter Wu
Atlassian Team
July 12, 2025

Hi Patrick,

We believe that there is a misunderstanding of how Rovo Dev CLI works. Rovo Dev CLI only works with files in the directory that it's run in, and only relevant content from files in the directory is sent to the Atlassian system with our LLM service provider to formulate a response after a user prompt. Neither Atlassian nor our LLM service provider retains user-generated content under Atlassian privacy terms, and Atlassian has a Zero Data Retention agreement with the LLM service provider.

Besides, if there are certain files in your directory that you do not want Rovo Dev CLI to read or change, you may use a .gitignore file to specify them.

We built this product with Atlassian values - Build with heart and balance, and Don’t #@!% the customer.

Unlike some CLI coding agents that retain user prompts for product improvements, we respect your privacy and don't collect those.

If you believe that the product behaved contrary to the above, please use the /feedback command in Interactive Mode to send us details to investigate and fix.

Thank you for your support and we appreciate your feedback.

Patrick Matthews July 12, 2025

Screenshot 2025-07-12 at 18.24.53.png

Patrick Matthews July 12, 2025

Despite the above - and I do not need to say this - the CLI is by far one of the best I have used. I will continue to use this CLI, but will monitor the activity.

 

Peter Wu
Atlassian Team
July 12, 2025

Hi Patrick,

Thank you for reporting Rovo Dev CLI's behavior to us, and my previous reply on how we handle data and privacy terms stands. We will investigate more into this case and implement mitigations based on the findings, and we apologize if Rovo Dev CLI didn't work as expected.

In the meantime, if you are concerned about Rovo Dev CLI working outside of the immediate directory, you can:

  1. Remove all existing tool permissions from the ~/.rovodev/config.yml file. Doing so will allow you to re-review Rovo Dev CLI's command execution and grant permissions again if some were mistakenly granted.
  2. Use a .gitignore file to specify any directories or files that you don't want Rovo Dev CLI to access.
jeff kazzee
I'm New Here
July 12, 2025

Claude has sometimes been caught trying to "narc" out users for various things. Not saying this is the case, but maybe the blame lies with Anthropic's model?

Justin Townsend
Contributor
July 16, 2025

Hi there,

I liken this learning to the early days of cloud adoption by enterprise, inadvertently tolerating TOO many permissions. This happened with FS and telco clients I've worked with previously.

The kneejerk response from enterprise, especially cyber and networks functions, is to lock it down which can slow adoption.

Great advice from @Patrick Matthews to start cautiously by sandboxing, but also from @Peter Wu to review config.yml and .gitignore. In enterprise, I could anticipate different privilege levels for the use of Rovo Dev CLI, not dissimilar to other software.

@jeff kazzee's point also highlights that enterprises may end up not liking the foundational model default choice in future (?).

A lively discussion, but really helpful as everyone refines their approach.

Thanks,

Justin
