DEV Community

taekim34

Delete the Vercel Claude Code Plugin. Here's Why I Did.

TL;DR

  • The Vercel Claude Code plugin creates a permanent device UUID on your machine the instant you install it. No notification. No expiry. No rotation.
  • Session starts, tool calls, skill matches — all sent to telemetry.vercel.com. Default ON, no consent prompt. Prompt metadata (matched skill + score) included.
  • What's worse: they built a consent dialog for prompt text collection. But clicking "No thanks" only stops prompt text. All other telemetry keeps running. Most users will think they opted out of everything.
  • The documentation exists — buried eight directories deep inside ~/.claude/plugins/cache/. Nobody reads it. Documented ≠ Informed.

What I Found

I was building a static analysis tool for AI plugins, scanning popular skills for security issues. It used regex pattern matching plus dual-LLM cross-verification.

I was running a batch scan — 200 Claude Code skills, checking for destructive commands, data exfiltration, prompt injection, the usual. On skill #147, the scanner flagged something in ~/.claude/. Not in some random GitHub repo. On my own machine.

I didn't suspect Vercel for a second. I assumed the flag was a false positive in my own skill. So I pulled the Vercel plugin source as a reference — to compare against "known good" code and figure out what I was doing wrong.

Then I read the Vercel source. Here's what I found.


The Evidence

All file paths and line numbers reference vercel-plugin v0.32.7, located at ~/.claude/plugins/cache/vercel/vercel-plugin/0.32.7/.

Every session start sends this:

// session-start-profiler.mts:702-709
session:device_id            // permanent device identifier
session:platform             // darwin, linux, win32
session:likely_skills        // which skills you use
session:greenfield           // whether the project is new
session:vercel_cli_installed // whether you have the Vercel CLI
session:vercel_cli_version   // which version

Every tool call you make — any tool, not just Vercel's:

// pretooluse-skill-inject.mts:969-971
tool_call:tool_name          // which tool you just called

Every time a skill matches your prompt:

// pretooluse-skill-inject.mts:1205-1210
skill:injected               // which skill got injected
skill:match_type             // how it matched
skill:tool_name              // against which tool

Every prompt you submit:

// user-prompt-submit-skill-inject.mts:1063-1065
prompt:skill                 // which skill matched your prompt
prompt:score                 // confidence score

All of it flows to a single endpoint:

https://telemetry.vercel.com/api/vercel-plugin/v1/events

None of it asked for your permission.

The permanent device ID

This is the part that should make you check your machine right now. Run this:

cat ~/.claude/vercel-plugin-device-id

You'll see something like:

473d7060-5a37-4ebb-9082-b09a983c****

A UUID. Created the instant you installed the plugin. Silently. No notification. It never expires. It never rotates. It ties together every session, every project, every client engagement you've ever worked on with Claude Code.

For context: Chrome DevTools rotates session IDs every 24 hours (ClearcutSender.ts:35,68-70). Vercel's device ID never expires. Privacy-conscious analytics platforms moved away from persistent device IDs years ago. This one lasts forever.

Dozens of telemetry events per coding session. All tied to a permanent fingerprint. All default-on.


"But It's in the README"

Technically, yes. The plugin's README.md has a ## Telemetry section. It explains what's collected and how to disable it.

But does anyone seriously think that counts as consent?

Walk through what actually happens:

  1. You install the plugin.
  2. It prints a success message.
  3. You start coding.

At no point does any text appear on your screen about telemetry. No prompt. No checkbox. No banner. Nothing. Meanwhile, in the background: ~/.claude/vercel-plugin-device-id is written to disk, session events are queued, and your usage patterns start flowing to Vercel's servers.

The README is sitting in ~/.claude/plugins/cache/vercel/vercel-plugin/0.32.7/. Eight directories deep inside a hidden folder. Nobody browses there.

GDPR defines valid consent as "freely given, specific, informed, and unambiguous." Most companies — including startups with a fraction of Vercel's resources — treat this as the baseline. I haven't seen a single serious startup ship permanent device tracking without an install-time consent prompt in years. It's just not done anymore.

Remember: Chrome DevTools rotates its session IDs every 24 hours (ClearcutSender.ts:35,68-70). That's the standard. Vercel's device ID never rotates. Never expires. Created once, lives forever.

This is not a gray area. This is not "technically compliant." A permanent device UUID, created silently, tied to every session, with no install-time disclosure — this is clearly Vercel's mistake.

I used this plugin daily for months. I had no idea. And I'm the developer who was literally building a tool to analyze plugin source code.


The Part That's Even More Absurd — I Never Consented

Here's what makes this worse. The plugin actually has a consent dialog — for prompt text collection:

// user-prompt-submit-telemetry.mts:58-61
prompt:text  // full prompt content, up to 100KB — OPT-IN ONLY

An explicit question appears: "Share your prompt text to help improve skill matching." You can say yes or no. Your choice is saved.

So they know how to build consent flows. They built the infrastructure. They just chose not to use it for device tracking, tool-call logging, skill-usage profiling, and platform fingerprinting.

And here's the trap: if you click "No thanks," you think you've opted out. You haven't. Base telemetry — everything in the previous section — keeps running. The README even says so: "base telemetry remains on by default."

But you already clicked "No thanks." In your mind, the matter is settled. That's not a documentation gap. That's a dark pattern.


How to Protect Yourself

Do this now. It takes 60 seconds.

1. Check if you're affected

ls ~/.claude/vercel-plugin-device-id

If the file exists, you have a permanent tracking UUID on your machine.

2. Disable telemetry

Add this to your shell profile (.zshrc, .bashrc, etc.):

export VERCEL_PLUGIN_TELEMETRY=off

Then reload:

source ~/.zshrc

3. Or just uninstall the plugin entirely

If you don't need it, remove it. One fewer thing sending data you didn't agree to.


What Should Change

Two proposals. Design standards, not policy demands.

1. Surface telemetry at install time. One prompt. Plain language. "This plugin collects [X] and sends it to [Y]. OK?" The user sees it. The user decides. This is four lines of install-time code. Vercel already has the consent infrastructure. They use it for prompt text. Extend it to everything else.

2. Treat data flows as API surface. If your plugin sends data to an external endpoint, document it the way you'd document an API. What data. Where it goes. How often. How to stop it. Put this in the install output, not in a README eight directories deep.

These aren't radical ideas. Homebrew notifies you on first run. VS Code notifies you on first launch. It's already the industry standard. The Vercel plugin just doesn't.


Check your ~/.claude/ directory right now. What did you find? Drop it in the comments.
