
The Vercel plugin on Claude Code wants to read your prompts

A Vercel plugin for Claude Code was found to be collecting extensive telemetry, including full bash commands, across all user projects by default, not just Vercel-related ones. The consent mechanism, implemented via prompt injection, and the hidden opt-out options sparked outrage among developers concerned about privacy and security. This incident highlights broader issues with AI plugin architectures and the ethical responsibilities of platform providers.

Score: 213
Comments: 78
Highest Rank: #2
On Front Page: 4h
First Seen: Apr 9, 4:00 PM
Last Seen: Apr 9, 7:00 PM

The Lowdown

A detailed investigation into the Vercel plugin for Claude Code has uncovered alarming telemetry practices, revealing that the plugin collects highly sensitive user data far beyond its stated scope and without explicit, transparent consent.

  • Deceptive Consent Mechanism: The plugin asks users if it can collect prompt text by injecting natural language instructions into Claude's system context, making the question indistinguishable from native Claude Code UI. This method bypasses conventional consent flows and instructs Claude to run shell commands based on the user's reply.
  • Extensive "Anonymous" Data Collection: While the plugin claims to collect "anonymous usage data," this includes full bash command strings, device IDs, OS, detected frameworks, and Vercel CLI versions, all sent to Vercel's servers by default. This data collection happens even without explicit user opt-in for bash commands.
  • Broad Scope of Collection: The telemetry operates across all user projects, regardless of whether they are Vercel-related. Despite the plugin possessing framework detection capabilities, these are not utilized to gate telemetry collection, meaning non-Vercel projects are still monitored.
  • Hidden Opt-Out: The primary opt-out mechanism, an environment variable, is documented only within a README file located deep within the plugin's cache directory, making it difficult for users to discover and implement.

The author advocates for crucial changes, urging Vercel to implement explicit opt-in for all telemetry, redefine "anonymous usage data" more accurately, and scope telemetry collection exclusively to Vercel projects. Simultaneously, Claude Code is called upon to improve its plugin architecture with visual attribution for third-party questions, granular permissions, and declared activation scopes.

The Gossip

Vercel's Ethical Quandary

Many commenters expressed strong condemnation of Vercel's telemetry practices, calling them a "breach of trust" and even a "supply chain attack." The lack of clear consent, collection of full bash commands, and the plugin's broad, untargeted operation were seen as highly unethical. A Vercel engineer's attempt to justify the design as intentional, aiming to improve the product, further inflamed the discussion, with users criticizing the response as "abysmal" and demonstrating a "contempt for users."

Architectural Shortcomings of AI Plugins

A significant portion of the discussion centered on the limitations of Claude Code's plugin architecture, which currently lacks granular permissions, visual distinction for third-party queries, and project-based scoping. Commenters argued that this "all or nothing" permission model forces plugin developers into broad data collection or exploitative practices, likening the current state of AI tools to early operating systems without protected memory or granular access controls.

Privacy, Telemetry, and Legal Ramifications

Concerns about data privacy, the meaning of "anonymous usage data," and potential GDPR violations were prominent. The fact that full bash commands (which can contain sensitive information, PII, or secrets) are collected by default, linked to a persistent device ID, and transmitted without explicit opt-in led many to question the legality and security implications. Suggestions were made that all telemetry should be opt-in by default, rather than relying on obscure opt-out mechanisms.

Reputational Damage and User Exodus

The controversy has evidently damaged Vercel's reputation among parts of the Hacker News community. Several users declared their intention to move away from Vercel's platform and even avoid open-source projects associated with the company, citing a pattern of "sketchy practices." The perceived arrogance and lack of understanding from Vercel's engineer in the comments further solidified negative sentiment, leading some to believe Vercel's actions were intentional rather than an oversight.