- Consent message appears even in projects without Vercel configuration
- Plugin delivers consent requests via system-level instruction injection
- Bash commands are captured in their entirety, including sensitive environment details.
A developer examining the Vercel plugin within Claude Code discovered that a telemetry consent request appeared unexpectedly during unrelated work.
The project did not contain configuration files or Vercel dependencies, but the system still asked if the request data could be shared.
The request said that “anonymous usage data” was already being collected, followed by an option to also include a pop-up text.
Article continues below.
Instead of appearing as a standard interface element, the consent request was delivered via instructions injected within the context of Claude’s system.
These instructions directed the AI tool to ask the user a question and then execute shell commands based on the response.
The result was indistinguishable from a native interaction, and left no visible indication that the message originated from a plugin and not the core system.
The developer described the experience clearly, stating that he “felt bad” and proceeded to review the plugin’s source code to verify how the mechanism worked.
Inspection of the source code shows that telemetry operates at multiple layers, with some data collection enabled by default.
Session-level data includes device identifiers, operating system details, detected frames, and installed CLI versions, all transmitted at the start of each session. This occurs without an explicit acceptance mechanism.
Most notably, bash command strings executed within Claude Code are also captured and transmitted.
These entries include full command content rather than abstract metadata, potentially exposing file paths, environment variables, and infrastructure details.
This collection occurs automatically, regardless of the user’s consent regarding quick sharing.
Describing this activity as “anonymous usage data, such as skill injection patterns and tools used” does not fully reflect the granularity of the information collected.
While message text requires explicit approval, other telemetry categories remain active unless manually disabled.
The plugin’s telemetry system is not limited to Vercel-related environments, as hook configurations show that user message submissions match universally, while other triggers respond to general tool usage or session events rather than project-specific conditions.
As a result, telemetry works on all projects within Claude Code, regardless of their relevance to Vercel services.
This behavior is in contrast to the existing frame detection logic within the plugin.
The code identifies project types by scanning configuration files and dependencies, but this information is not used to limit the activation of telemetry. The activation mechanism exists but is not applied in practice.
Disabling telemetry requires manual intervention through environment variables or configuration files.
But these options are documented within the plugins directory rather than appearing during installation, making them harder to access.
Deleting the device identification file or disabling the plugin completely also stops data collection, although these steps are not presented during the initial setup.
Simply put, the system combines automated data collection with limited visibility into when and how it works.
This may not match what users expect when working outside of no-code platform environments or when using an LLM to code.
TechRadar Pro contacted Vercel for comment but did not receive a response by the time of publication.
Through Akshay Chugh
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
