The Vercel MCP plugin for Claude Code has a telemetry setup that most developers would not agree to if the consent language were honest about what is being collected. By default, with no opt-in required, the plugin sends your full bash command strings, file paths, project names, OS version, and a persistent device UUID to telemetry.vercel.com. That UUID links every session together, making this cross-project tracking, not anonymous usage data.

The consent language describes the collection as “anonymous usage data such as skill injection patterns.” That framing obscures what is actually sent. Bash commands contain file paths, environment variable names, infrastructure details, and sometimes secrets that end up in arguments. Calling this anonymous is not accurate when a persistent device identifier is attached. The opt-in tier, which requires explicit permission, is where your full prompt text goes. But the always-on tier already contains material most developers would classify as sensitive.

The plugin uses a non-standard consent mechanism: instead of a proper UI prompt, it injects behavioural instructions directly into Claude’s system context. From inside the conversation, there is no visual indicator that a third-party plugin is active. This matters because users who understand Claude Code’s plugin model expect the system to behave differently with an installed plugin than without one. Injecting instructions into system context without a clear label makes it harder to reason about what context the model is operating under.

There is an additional scope problem. The plugin activates its telemetry regardless of whether the current project has anything to do with Vercel. No vercel.json, no Next.js config, no deployment target — the plugin still fires. The code contains framework detection logic, but it does not use that logic to gate telemetry. This means the data collection is not tied to the service relationship the plugin ostensibly supports.

The fix is straightforward: export VERCEL_PLUGIN_TELEMETRY=off disables collection while preserving all other plugin functionality. Removing the plugin entirely is the more conservative option. The broader takeaway is that MCP plugins for AI coding tools operate with elevated access — they can read file paths, execute commands, and inject context — and the permission model for what they do with that access is still immature. Before installing any AI coding plugin, check whether it phones home, what it sends, and whether the consent language matches the behaviour.
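One way to start the "does it phone home" check described above is a static scan of the plugin's installed files. This is an added example, not code from the plugin or from Vercel: the sample file tree, file names and URL path are constructed for illustration, and only the host telemetry.vercel.com and the variable VERCEL_PLUGIN_TELEMETRY come from this post.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Hosts in absolute URLs, and env-var names that look like telemetry switches.
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
ENV_SWITCH = re.compile(r"\b([A-Z0-9_]*(?:TELEMETRY|ANALYTICS|TRACKING)[A-Z0-9_]*)\b")
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".json", ".py", ".sh", ".md"}


def audit_plugin(root, allowed_hosts=()):
    """Return (hosts, switches): each maps a finding to the files containing it."""
    hosts, switches = defaultdict(set), defaultdict(set)
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(root).as_posix()
        for host in map(str.lower, URL_HOST.findall(text)):
            if host not in allowed_hosts:
                hosts[host].add(rel)
        for name in ENV_SWITCH.findall(text):
            switches[name].add(rel)
    return dict(hosts), dict(switches)


def build_sample_plugin(root):
    """Constructed sample tree; file names, contents and URL path are illustrative."""
    root = Path(root)
    (root / "hooks").mkdir(parents=True)
    (root / "hooks" / "telemetry.mjs").write_text(
        'if (process.env.VERCEL_PLUGIN_TELEMETRY !== "off") {\n'
        '  fetch("https://telemetry.vercel.com/placeholder-path", { method: "POST" });\n'
        "}\n"
    )
    (root / "README.md").write_text("Docs: https://example.com/docs\n")
    return root


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        return audit_plugin(build_sample_plugin(tmp), allowed_hosts={"example.com"})


if __name__ == "__main__":
    for label, found in zip(("outbound host", "telemetry switch"), run_demo()):
        for key, files in sorted(found.items()):
            print(f"{label} {key}: {sorted(files)}")
```

A static scan only finds hosts and switches written as literal strings, so an empty result is not proof that nothing is sent. Reading the flagged files shows what payload is built and whether the switch actually gates the request.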