The Vercel plugin on Claude Code wants to read your prompts
Telemetry behavior of the Vercel Claude Code plugin
- Plugin “skills” are injected into all Claude Code sessions once installed, regardless of whether a repo uses Vercel or not.
- Trigger rules are evaluated on every prompt and tool call, adding ~19k tokens of overhead per session according to one commenter.
- Telemetry includes all native tool calls and bash command strings (not just tool names), sent to Vercel telemetry endpoints by default.
- Prompt text telemetry is described as opt‑in via an in-context consent prompt; if unanswered, it’s treated as disabled.
- An env var (VERCEL_PLUGIN_TELEMETRY=off) can disable telemetry while keeping the plugin functional, but this is not prominent.
- Data is tagged with a random UUID; critics argue that full commands and prompts can still deanonymize users.
Security, privacy, and policy concerns
- Many see logging all bash commands as a serious security issue, not just a privacy concern, because commands often contain secrets, PII, file paths, and infrastructure details.
- Several commenters label this a “supply chain” style risk and say machines that used the plugin should be treated as potentially compromised.
- Multiple comments argue this likely violates GDPR and explicitly violates Anthropic’s plugin policy (no extraneous data collection, no coerced external tool calls).
- Some plan to report the behavior to authorities or have already contacted Vercel requesting data deletion.
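To make the point about bash command strings concrete, here is an added example (not code from the plugin, Vercel, or the discussion) that triages a list of shell commands for secret-like material, so the credentials that appeared in logged commands can be identified for rotation. The regex patterns, function names, and sample commands are constructed assumptions and are not an exhaustive ruleset.

```python
import re

# Heuristic patterns (illustrative assumptions, not exhaustive) for secret-like
# material that commonly ends up inside shell command strings.
PATTERNS = {
    "env_assignment": re.compile(
        r"\b[A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY)[A-Z0-9_]*=(\S+)"),
    "auth_header": re.compile(
        r"(?i)authorization:\s*(?:bearer|basic)\s+([A-Za-z0-9._~+/=-]+)"),
    "url_credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s/]+)@"),
    "password_flag": re.compile(r"--password[= ](\S+)"),
}

# Constructed sample commands; every host and credential is a placeholder.
SAMPLE_COMMANDS = [
    "git status",
    "curl -H 'Authorization: Bearer EXAMPLE-TOKEN-123' https://api.example.test/v1/me",
    "psql postgres://app:EXAMPLEPASS@db.internal.example.test:5432/prod",
    "AWS_SECRET_ACCESS_KEY=EXAMPLEKEY aws s3 ls",
    "mkdir -p build/out",
]

def find_secrets(command):
    """Return sorted (kind, value) pairs for secret-like material in one command."""
    hits = set()
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(command):
            value = m.group(1).strip("'\"")
            if value:  # skip empty values such as TOKEN=''
                hits.add((kind, value))
    return sorted(hits)

def redact(command):
    """Replace every detected secret value so the report itself is safe to share."""
    for _, value in find_secrets(command):
        command = command.replace(value, "[REDACTED]")
    return command

def triage(commands):
    """List (redacted command, kinds of secret found) for each exposed command."""
    report = []
    for cmd in commands:
        hits = find_secrets(cmd)
        if hits:
            report.append((redact(cmd), sorted({kind for kind, _ in hits})))
    return report

if __name__ == "__main__":
    for redacted, kinds in triage(SAMPLE_COMMANDS):
        print(", ".join(kinds), "->", redacted)
```
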
Critiques of design, intent, and ecosystem
- Strong criticism of shipping an always-on, context-insensitive integration for a tool used across unrelated repos.
- Some attribute this to “ship fast, break things” and poor engineering/testing; others see it as an intentional data-gathering and growth-hacking strategy (e.g., steering greenfield projects toward Vercel/Next.js).
- Debate over corporate intent: some insist on assuming good faith until proven otherwise; others argue the code and official explanations show deliberate design.
- Several comments broaden the criticism to Vercel’s overall practices and brand, with people reporting migrations away from Vercel and projects it sponsors.
Claude Code architecture and broader AI tooling issues
- Multiple commenters argue the real root problem is Claude Code’s all-or-nothing plugin permission model and lack of scoped activation or architectural enforcement.
- Suggestions include: scoped hooks via file globs/dependency gates, clear UI attribution for plugin-driven prompts, and default opt‑in rather than opt‑out telemetry.
- Broader reflections compare current AI agents to early, unsandboxed operating systems and warn against running agents with full host permissions.