andrewqu 4 hours ago

Engineer at Vercel here who worked on the plugin! We have been super heads down on the initial versions of the plugin and constantly improving it. Always super happy to hear feedback and track the changes on GitHub.

I want to address the notes here:

The plugin is always on, once installed on an agent harness. We do not want to limit to only detected Vercel project, because we also want to help with greenfield projects "Help build me an AI chat app".

We collect the native tool calls and bash commands. These are piped to our plugin. However, `VERCEL_PLUGIN_TELEMETRY=off` kills all telemetry. All data is anonymous. We assign a random UUID, but this does not connect back to any personal information or Vercel information.

Prompt telemetry is opt-in and off by default. The hook asks once; if you don't answer, session-end cleanup marks it as disabled. We don't collect prompt text unless you explicitly say yes.

On the consent mechanism: the prompt injection approach is a real constraint of how Claude Code's plugin architecture works today. I mentioned this in the previous GitHub issue - if there's a better approach that surfaces this to users we would love to explore this.

The env var `VERCEL_PLUGIN_TELEMETRY=off` kills all telemetry and keeps the plugin fully functional. We'll make that more visible, and overall make our wording around telemetry more visible for the future.

Overall our goal isn't to only collect data, it's to make the Vercel plugin amazing for building and shipping everything.

Jare 3 hours ago

> Overall our goal isn't to only collect data, it's to make the Vercel plugin amazing for building and shipping everything.

I have no idea how to read this and not go blind. The degree of contempt for your (presumably quite technical) users necessary to do this is astounding.

From the article:

> That middle row. Every bash command - the full command string, not just the tool name - sent to telemetry.vercel.com. File paths, project names, env variable names, infrastructure details. Whatever’s in the command, they get it.

I don't even use Vercel in my field, but if it ever came up, it's going to be hard to undo the kind of association the name now has in my mind.

TheTaytay 3 hours ago

I appreciate the response, but I don’t think you realize what people are upset about. This is a security issue, not just a privacy issue. I’m about to go tell my team that if they’ve EVER used your skill, we need to treat the secrets on that machine as compromised.

Your servers have a log of every bash command run by Claude in every session of your users, whether they were working on something related to vercel or not. I’ve seen Claude code happily read and throw a secret env variable into a bash command, and I wasn’t happy about it, but at least it was “only” Anthropic that knew about it. But now it sounds like Vercel telemetry servers might know about it too.

A good litmus test would be to ask your security/data team and attorneys whether they are comfortable storing plain text credentials for unrelated services in your analytics database. They will probably look afraid before you get to the part where you clarify that the users in question didn’t consent to it, didn’t know about it, and might not even be your customer.

elAhmo 3 hours ago

> The plugin is always on, once installed on an agent harness. We do not want to limit to only detected Vercel project, because we also want to help with greenfield projects "Help build me an AI chat app".

Don't you see a problem if everyone took this approach?

dminik 4 hours ago

> We do not want to limit to only detected Vercel project, because we also want to help with greenfield projects "Help build me an AI chat app".

Is the intention here that the AI will then suggest building a NextJS app? I can't quite describe why, but this feels very wrong to me.

skullone 2 hours ago

You might want to run your responses through your legal and HR departments. You're acting as a representative and ignoring some material claims about a significant data privacy issue. You should probably just delete your reply, in fact.

duckmysick 4 hours ago

Why not have all the telemetry opt-in instead? So that nothing is collected by default and then having `VERCEL_PLUGIN_TELEMETRY=on` enables it.

berkay 4 hours ago

I really thought that this was unintentional. It's hard to believe that you think this is fine to do because one can opt out. Take it for whatever it's worth, this is not OK. It is really bad. You want people's data to help you make your product better? Make it opt in and ask for their help.

raincole 4 hours ago

Wait, so you admit this is intentional, not a bug? We need to internet archive this comment.

Edit: and I suggest not downvoting and burying the parent comment. People should be aware that this is an intended behavior from Vercel.

heisenbit 2 hours ago

While they should not, bash command lines can contain user names, email addresses and secrets.

evil-olive 2 hours ago

> We do not want to limit to only detected Vercel project, because we also want to help with greenfield projects "Help build me an AI chat app".

oh come on, be honest here. "we want to help with greenfield projects" is weasel words.

reading between the lines, what you really want is "if someone starts a greenfield project, we want Claude to suggest 'deploying to Vercel will be the best & easiest option' and have it seem like an organic suggestion made by Claude, rather than a side-effect of having the plugin installed."

as a growth-hacking sort of business decision, that's understandable. but doing growth-hacking tricks, getting caught, and then insisting that "no, it's actually good for the users" is a classic way to burn trust and goodwill.

> the prompt injection approach is a real constraint of how Claude Code's plugin architecture works today. I mentioned this in the previous GitHub issue - if there's a better approach that surfaces this to users we would love to explore this.

Claude Code has a public issue tracker on GitHub. when you encountered this limitation of their plugin architecture, you filed a feature request there asking for it to be improved, right? ...right?

I won't ask if you considered delaying the release of your plugin until after Anthropic improved their plugin system, because I know the answer to that would be no. but if you want to hide behind this excuse of "it's Claude's plugin system that's the problem here, it's not really Vercel's fault" you should provide receipts that you actually tried to improve Claude's plugin system - and that you did so prior to getting caught with your hand in the cookie jar here.

akshay2603 4 hours ago

OP here, ty for your response. Few reflections:

1. Asking for prompts permission is a big big no - I still don't understand why you need it. The greenfield example feels like a stretch but I get that it is a business call and Claude Code enables you to do this today. I am just more pissed with them here. I am not at all comfortable with any plugin getting this info, no matter how much I like them.

2. The way you ask this permission feels like a solid dark pattern. I understand it is a harness limitation and Claude code should fix it (as I mentioned in the post) but you choosing to ship this is just wrong. Thank you for agreeing to rethink the wording.

3. Basic telemetry being default on and plugin collecting data across non vercel projects made me super uncomfortable. Again, I understand it's a business call but I guess I had higher hopes from vercel.

croes 4 hours ago

You can’t guarantee anonymity if you also get the prompts which could contain data that breaks anonymity. With a UUID you then have a pretty personal identifier.

slopinthebag 4 hours ago

> We have been super heads down

"Claude, stop messing around and fix the bug!!!! I said no mistakes!!!"

anematode 3 hours ago

Abysmal response.

stephantul 4 hours ago

The idea that a random uuid == anonymous, and would protect users from having entire bash commands piped through is preposterous, and you know it.

63stack 2 hours ago

Getting caught red handed and still being tone deaf

croemer 3 hours ago

Getting a copy of all tool calls and bash prompts by default without explicit opt-in is almost certainly against GDPR. Good luck arguing this is legitimate interest.

Update: I've verified that all bash tool calls were logged verbatim and have complained to Vercel with my device id. I'm also writing to the relevant authorities.