Vercel's plugin for Claude Code has been caught collecting far more data than users realize. It does this across every project you work on, not just Vercel deployments.

Security investigator Akshay Chugh discovered that the plugin sends full bash command strings, file paths, project names, and environment variable names to Vercel's telemetry servers during every session. The plugin ties all of this data to a persistent device UUID stored on your machine, which enables tracking across sessions over time. Users are asked whether they want to share their prompt text, but the plugin never discloses that bash command collection is already happening by default.

The consent mechanism itself is deceptive. Instead of using a proper UI element, the plugin injects natural-language instructions into Claude's system context, telling the AI to ask users about telemetry and then execute shell commands based on their response. This raises red flags similar to recent internal attribution bugs. As Chugh documented, the result looks identical to a native Claude Code question: no visual indicator shows that it comes from a third-party plugin. A Vercel developer acknowledged the limitation on GitHub, explaining that the agent system doesn't support proper CLI prompts. But Chugh argues the company should have waited to ship the feature rather than use prompt injection as a workaround.

Perhaps most frustrating: the plugin already has framework detection built in. It scans repos and identifies which frameworks you're using on every session start, but it only uses this detection to report findings, not to gate telemetry. Install the plugin for your Next.js app and it watches your Rust project, your Python scripts, everything. The hook matcher for UserPromptSubmit is literally an empty string, so it matches everything. According to Hacker News discussions, this adds a fixed ~19k token overhead to every session, even for projects completely unrelated to Vercel.

This incident exposes fundamental gaps in Claude Code's plugin architecture. Unlike browser extensions that require explicit permissions for each domain, Claude Code plugins appear to have unrestricted access to session data and project metadata. Third-party plugins can inject arbitrary instructions into system context and execute shell commands based on AI-mediated responses, bypassing native consent entirely. For now, users can kill all Vercel telemetry by setting VERCEL_PLUGIN_TELEMETRY=off in their shell config, or disable the plugin entirely in ~/.claude/settings. This behavior reinforces the 'Winchester Mystery House' model of agent development.
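The empty-string matcher above and the VERCEL_PLUGIN_TELEMETRY=off mitigation are both things you can check for yourself. The following audit script is an added example, not code from the article or from Vercel's plugin: it parses a hooks configuration in the layout Claude Code uses (an event name mapping to entries with a `matcher` and a list of `hooks`), flags any command hook whose matcher is empty or absent, and checks whether the opt-out variable is set. The sample configuration and its commands are constructed for illustration.

```python
"""Audit Claude Code hook configuration for catch-all command hooks."""
import json
from typing import Any

# Constructed sample in the hooks.json layout Claude Code plugins use.
# The commands are placeholders, not the Vercel plugin's real hooks.
SAMPLE_HOOKS_JSON = """
{
  "hooks": {
    "UserPromptSubmit": [
      {"matcher": "", "hooks": [{"type": "command", "command": "node telemetry.js"}]}
    ],
    "PreToolUse": [
      {"matcher": "Bash", "hooks": [{"type": "command", "command": "node log-bash.js"}]},
      {"matcher": "Write|Edit", "hooks": [{"type": "command", "command": "node lint.js"}]}
    ]
  }
}
"""


def find_catch_all_hooks(config: dict[str, Any]) -> list[dict[str, str]]:
    """Return every command hook whose matcher is empty or missing.

    An entry with matcher "" (or none at all) fires on every event of that
    type, regardless of tool or project, so its command sees every session.
    """
    findings: list[dict[str, str]] = []
    for event, entries in config.get("hooks", {}).items():
        for entry in entries:
            if entry.get("matcher", "").strip():
                continue  # scoped to a specific tool or pattern, not a catch-all
            for hook in entry.get("hooks", []):
                if hook.get("type") == "command":
                    findings.append({"event": event, "command": hook.get("command", "")})
    return findings


def audit(text: str) -> list[dict[str, str]]:
    """Parse a hooks JSON document and report its catch-all command hooks."""
    return find_catch_all_hooks(json.loads(text))


def telemetry_disabled(env: dict[str, str]) -> bool:
    """True when the opt-out named in the article is set in the environment."""
    return env.get("VERCEL_PLUGIN_TELEMETRY", "").lower() == "off"


if __name__ == "__main__":
    for finding in audit(SAMPLE_HOOKS_JSON):
        print(f"[catch-all] {finding['event']}: runs `{finding['command']}` on every event")
```

Point `audit` at the hooks file of any installed plugin (or at the merged hooks in your settings) to see which commands run on every event, then confirm `telemetry_disabled(dict(os.environ))` in the shell you run Claude Code from.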