> every skill's trigger rules get evaluated on every prompt and every tool call in every repo, regardless of whether Vercel is in scope
> For users working across multiple projects (some Vercel, some not), this is a fixed ~19k token cost on every session — even when the session is pure backend work, data science, or non-Vercel frontend.
I know everything is vibeslopped nowadays, but how does one even end up shipping something like this? Checking if your plugin/extension/mod works in the contexts you want, and doesn't impact the contexts you don't, seem like the very first step in even creating such a thing. "Where did the engineering go?" feels like too complicated even, where did even thinking the smallest amount go?
Seems to me their engineering practices such, rather than the company suddenly wanting to slurp up as much data as possible, if they truly wanted that, they have about 10 better approaches for it, if they don't care about other things.
The evidence is in the code! If you didn't intend for a capability to be there then why is it in the code?
> if they truly wanted that, they have about 10 better approaches for it, if they don't care about other things.
How so? What other approaches do they have that get this much data with little potential for reputational harm? This is a very common way to create plausible deniability ("we use it for improving our service, we don't know what we'll need so we just take everything and figure it out later") and then just revert the capability when people complain.
A Vercel engineer commented "overall our goal isn't to only collect data, it's to make the Vercel plugin amazing for building and shipping everything."
Checking if your code also gets executed elsewhere a bazillion times, checking failure cases, etc... That's a luxury that you feel you can't afford when you are in "ship fast, break things" mode.
I've been there, countless of times, never have I shipped software I didn't feel at least slightly confident about though. And the only way to get confident about anything, is to try it out. But both of those things must have been lacking here and then I don't understand what the developer was really doing at all during this.
The first part of your question answers the second. No one is left who cares. People are going to have to vote with their feet before that changes.
What makes you think they do this with any of their products these days?
The question is on whether these platforms are going to enforce their policies for plugins. For Claude Code in particular this behavior violates their plugin policy (1D) here explicitly: https://support.claude.com/en/articles/13145358-anthropic-so...
It's a really tough problem, but Anthropic is the company I'd bet on to approach this thoughtfully.
The consent flow literally instructs Claude to run echo 'enabled' on your filesystem. And 1D says plugins "must not collect extraneous conversation data, even for logging purposes." Full bash commands from non-Vercel projects are extraneous :)
I'll bet there's also a good number of developers at Anthropic itself who are now surprised to learn that every api token etc. that may have appeared in a Claude Code bash command is now leaked to a third party. Whoever can gain access to this telemetry server is sure to find a lot of valuable stuff in there.
I read that Anthropic may have gained in good will more than the $200M they lost in Pentagon contracts. It seems plausible.
They present themselves as an org with some ideology
The age of quickly digesting and generating data, and yet the most primitive things like aligning with policies are still ignored
But this is just such a breach of trust, especially the on-by-default telemetry that includes full bash commands. Per the OOP:
> That middle row. Every bash command - the full command string, not just the tool name - sent to telemetry.vercel.com. File paths, project names, env variable names, infrastructure details. Whatever’s in the command, they get it.
(Needless to say, this is a supply chain attack in every meaningful way, and should be treated as such by security teams.)
And the argument that there's no CLI space to allow for opt-in telemetry is absurd - their readme https://github.com/vercel/vercel-plugin?tab=readme-ov-file#i... literally has you install the Vercel plugin by calling `npx` https://www.npmjs.com/package/plugins which is written by a Vercel employee and could add this opt-in at any time.
IMO Vercel is not a good actor. One could make a good argument that they've embrace-extend-extinguished the entire future of React as an independent and self-contained foundational library, with the complexity of server-side rendering, the undocumented protocols that power it, and the resulting tight coupling to their server environments. Sadly, this behavior doesn't surprise me.
EDIT: That `npx plugins` code? It's not on Github, exists only on NPM, and as of v1.2.9 of that package, if you search https://www.npmjs.com/package/plugins?activeTab=code it literally sends telemetry to https://plugins-telemetry.labs.vercel.dev/t already, on an opt-out basis! I mean, you have to almost admire the confidence.
For whatever it's worth on the RSC front: I, and many others used to "if there's a wire protocol and it's meant to be open, the bytes that make up those messages should be documented" were presented with a system, at the release time of RSC, that was incredibly opaque from that perspective. There's still minimal documentation about each bundler's wire protocol. And we're all aware of companies that have done this as an intentional form of obfuscation since the dawn of networked computing - it's our open standards that have made the Internet as beautiful as it is.
But I was wrong to pin that on your team at Vercel, and I see that in the strength of your response. Intention is important, and you wanted to bring something brilliant to the world as rapidly as possible. And it is, truly, brilliant.
I should rethink how I approached all of this, and I hope that my harshness doesn't discourage you from continuing, through your writing, to be the beacon that you've been to me and countless others.
Re: protocol, I see where you’re coming from although I can also see the team perspective and I kind of like it the way it is. The team’s perspective is that this isn’t a “protocol” in the sense that HTTP or such is. It isn’t designed to have many implementations emitting it. It is an implementation detail of React itself for which React provides both the “writer” and the “reader”. Those are completely open source — none of the RSC frameworks need to know the actual wire format. They just use the packages provided by React to read and write. Keeping the protocol an implementation detail of React (rather than an “open format”) lets React evolve it pretty substantially between versions with zero concerns about backwards compat. Which is still quite useful at this stage.
When you’re concerned about wire format not being an open protocol, it’s because you’re imagining it would be useful for others to read and write. But this doesn’t really buy you anything. If you’re making an RSC framework, you should just use the React packages for reading and writing. And if you’re not, there’s no reason to use this format. Eg if you make an RSC-like framework in another (non-JS) language, it’s better for you to use your own wire format that’s more targeted to your use case.
Does this help clarify it?
(Note I do think it would be beneficial to document the current version for educational reasons, which is part of why I made https://rscexplorer.dev, but that’s separate from wanting it to be fixed in stone as protocols must be. I think the desire for it to be fixed is rooted in a misconception that frameworks like Next.js somehow “rely” on the protocol and thus have “secret knowledge”, but that’s false — they just use the React packages for it and stay agnostic of the actual protocol.)
Here are some environment variables that you’d like to set, if you’re as paranoid as me:
ANTHROPIC_LOG="debug"
CLAUDE_CODE_ACCOUNT_UUID="11111111-1111-1111-1111-111111111111"
CLAUDE_CODE_DISABLE_ADAPTIVE_THINKING="1"
CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY="1"
CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC="1"
CLAUDE_CODE_DISABLE_TERMINAL_TITLE="1"
CLAUDE_CODE_ENABLE_PROMPT_SUGGESTION="false"
CLAUDE_CODE_ORGANIZATION_UUID="00000000-0000-0000-0000-000000000000"
CLAUDE_CODE_USER_EMAIL="root@anthropic.com"
DISABLE_AUTOUPDATER="1"
DISABLE_ERROR_REPORTING="1"
DISABLE_FEEDBACK_COMMAND="1"
DISABLE_TELEMETRY="1"
ENABLE_CLAUDEAI_MCP_SERVERS="false"
IS_DEMO="1"I think it’s fairly easy to tell what impact AI is having at Vercel. Knowing the pre-ai quality of the engineering at that company, I’m not surprised in the AI era they’re pushing stuff like this. I doubt anyone even thought to check it on a repo outside of a Vercel one.
If you have it installed, it will silently inject a warning into claude that you should use tailwind, even if your app is not! Then every single request will silently question the decision as to why yr app is using one thing, rather than another, leading to revisions as it starts writing incorrect code.
I couldn't believe it when I discovered it. For so many reasons I am vehemently anti Vercel. Just discovered this two days ago, after installing their frontend skill.
Here's the relevant line as a GitHub permalink: https://github.com/vercel/vercel-plugin/blob/b95178c7d8dfb2d...
Anthropic already has the right policy — 1D says "must not collect extraneous conversation data, even for logging purposes." But there's no enforcement at the architecture level. An empty matcher string still gives a hook access to every prompt on every project. The rules exist on paper but not in code.
The fix is what VS Code solved years ago: hook declarations should include a file glob or dependency gate, and plugin-surfaced questions should have visual attribution so users know it's not Claude asking.
You always had the option to not, ever, touch Vercel.
What’s amazing is that during the last decade, containers and microvms have had huge impact on the ecosystem. Yet a huge amount of devs seem to just YOLO it and run agents in their host with full ambient capabilities.
@dang
https://akshaychugh.xyz/writings/png/vercel-plugin-telemetry...
Holy shit, I cant imagine this to hold for every bash command Claude Code executes. That would be terrible, probably violating GDPR. (The cmd could contain email address etc)
I must be wrong.
Compare this to how we think about OAuth scopes or container sandboxing — you'd never ship a CI integration that gets read access to every repo in your org just because it needs to lint one. But that's essentially what's happening here with the token injection across all sessions.
The real problem isn't Vercel specifically, it's that Claude Code's plugin architecture doesn't have granular activation scopes yet. Plugins should declare which project types they apply to and only activate in matching contexts. Until that exists, every plugin author is going to make this same mistake — or exploit it.
We have been super heads down to the initial versions of the plugin and constantly improving it. Always super happy to hear feedback and track the changes on GitHub. I want to address the notes here:
The plugin is always on, once installed on an agent harness. We do not want to limit to only detected Vecel project, because we also want to help with greenfield projects "Help build me an AI chat app".
We collect the native tool calls and bash commands. These are pipped to our plugin. However, `VERCEL_PLUGIN_TELEMETRY=off` kills all telemetry.
All data is anonymous. We assign a random UUID, but this does not connect back to any personal information or Vercel information.
Prompt telemetry is opt-in and off by default. The hook asks once; if you don't answer, session-end cleanup marks it as disabled. We don't collect prompt text unless you explicitly say yes.
On the consent mechanism: the prompt injection approach is a real constraint of how Claude Code's plugin architecture works today. I mentioned this in the previous GitHub issue - if there's a better approach that surfaces this to users we would love to explore this.
The env var `VERCEL_PLUGIN_TELEMETRY=off` kills all telemetry and keeps the plugin fully functional. We'll make that more visible, and overall make our wording around telemetry more visible for the future.
Overall our goal isn't to only collect data, it's to make the Vercel plugin amazing for building and shipping everything.
I have no idea how to read this and not go blind. The degree of contempt for your (presumably quite technical) users necessary to do this is astounding. From the article:
> That middle row. Every bash command - the full command string, not just the tool name - sent to telemetry.vercel.com. File paths, project names, env variable names, infrastructure details. Whatever’s in the command, they get it.
I don't even use Vercel in my field, but if it ever came up, it's going to be hard to undo the kind of association the name now has in my mind.
Today it was the Vercel plugin but if you’re letting an LLM agent with access to bash and the internet read truly sensitive information then you’re already compromised
But otherwise yes, I have to trust Antrophic.
I’m about to go tell my team that if they’ve EVER used your skill, we need to treat the secrets on that machine as compromised.
Your servers have a log of every bash command run by Claude in every session of your users, whether they were working on something related to vercel or not.
I’ve seen Claude code happily read and throw a secret env variable into a bash command, and I wasn’t happy about it, but at least it was “only” Anthropic that knew about it. But now it sounds like Vercel telemetry servers might know about it too.
A good litmus test would be to ask your security/data team and attorneys whether they are comfortable storing plain text credentials for unrelated services in your analytics database. They will probably look afraid before you get to the part where you clarify that the users in question didn’t consent to it, didn’t know about it, and might not even be your customer.
Is the intention here that the AI will then suggest building a NextJS app? I can't quite describe why, but this feels very wrong to me.
Don't you see a problem if everyone took this approach?
oh come on, be honest here. "we want to help with greenfield projects" is weasel words.
reading between the lines, what you really want is "if someone starts a greenfield project, we want Claude to suggest 'deploying to Vercel will be the best & easiest option' and have it seem like an organic suggestion made by Claude, rather than a side-effect of having the plugin installed."
as a growth-hacking sort of business decision, that's understandable. but doing growth-hacking tricks, getting caught, and then insisting that "no, it's actually good for the users" is a classic way to burn trust and goodwill.
> the prompt injection approach is a real constraint of how Claude Code's plugin architecture works today. I mentioned this in the previous GitHub issue - if there's a better approach that surfaces this to users we would love to explore this.
Claude Code has a public issue tracker on GitHub. when you encountered this limitation of their plugin architecture, you filed a feature request there asking for it to be improved, right?
...right?
I won't ask if you considered delaying the release of your plugin until after Anthrophic improved their plugin system, because I know the answer to that would be no.
but if you want to hide behind this excuse of "it's Claude's plugin system that's the problem here, it's not really Vercel's fault" you should provide receipts that you actually tried to improve Claude's plugin system - and that you did so prior to getting caught with your hand in the cookie jar here.
We need to internet archive this comment.
Edit: and I suggest not downvoting and burying the parent comment. People should be aware that this is an intended behavior from Vercel.
"Claude, stop messing around and fix the bug!!!! I said no mistakes!!!"
Few reflections:
1. Asking for prompts permission is a big big no - i still don't understand why you need it. The greenfield example feels like a stretch but I get that it is a business call and Claude Code enables you to do this today. I am just more pissed with them here. I am not at all comfortable with any plugin getting this info, no matter how much I like them.
2. The way you ask this permission feels like a solid dark pattern. I understand it is a harness limitation and Claude code should fix it (as I mentioned in the post) but you choosing to ship this is just wrong. Thank you for agreeing to rethink the wording.
3. Basic telemetry being default on and plugin collecting data across non vercel projects made me super uncomfortable. Again, i understand it's a business call but I guess I had higher hopes from vercel.
I promise you we've had user's data privacy in mind since day 1 of building the plugin.
Everything we collect is only used to improve the Vercel plugin, eg: seeing when skills are being triggered too often, when certain skills are not useful, when certain context is taking up too much room.
The complete flip side of this where we ship with no instrumentation and the plugin is useless - then we have no way to iterate and make it amazing.
The ask is: make base telemetry opt-in, disclose what you're collecting in plain language, and scope it to Vercel projects.
You keep the data you need to improve the plugin - from users who chose to share it. Everything else is what's making people uncomfortable in this thread.
> Prompt telemetry is opt-in and off by default. The hook asks once; if you don't answer, session-end cleanup marks it as disabled. We don't collect prompt text unless you explicitly say yes.
The UUID part is just one accessory layer, and something plenty of other players in the ecosystem don’t bother to stick to.
Feels like actually bothering to ask users for consent is what got them burned here, when I’d say it’s at least an improvement that they’re asking at all. Many products don’t, and users never bother to turn it off because they don’t know and don’t care.
I think this whole UX is deeply misguided but at least has plausibly benevolent intent.
Good luck arguing this is legitimate interest.
Update: I've verified that all bash tool calls were logged verbatim and have complained to Vercel with my device id. I'm also writing to the relevant authorities.