> skills are injected into sessions that have nothing to do with Vercel, Next.js, or this plugin's scope
> every skill's trigger rules get evaluated on every prompt and every tool call in every repo, regardless of whether Vercel is in scope
> For users working across multiple projects (some Vercel, some not), this is a fixed ~19k token cost on every session — even when the session is pure backend work, data science, or non-Vercel frontend.
I know everything is vibeslopped nowadays, but how does one even end up shipping something like this? Checking if your plugin/extension/mod works in the contexts you want, and doesn't impact the contexts you don't, seem like the very first step in even creating such a thing. "Where did the engineering go?" feels like too complicated even, where did even thinking the smallest amount go?
hyperhopper 1 hours ago [-]
Your comment assumes the plugin is not working as they want it to. The way it is designed gets them the maximum amount of data. It does a great job if that is their goal.
embedding-shape 1 hours ago [-]
Yes, I'm assuming good intentions and try to take a charitable perspective of everything, unless there is any specific evidence pointing to something else. Is there any evidence of this being intentional?
Seems to me their engineering practices such, rather than the company suddenly wanting to slurp up as much data as possible, if they truly wanted that, they have about 10 better approaches for it, if they don't care about other things.
mbesto 41 minutes ago [-]
> Is there any evidence of this being intentional?
The evidence is in the code! If you didn't intend for a capability to be there then why is it in the code?
> if they truly wanted that, they have about 10 better approaches for it, if they don't care about other things.
How so? What other approaches do they have that get this much data with little potential for reputational harm? This is a very common way to create plausible deniability ("we use it for improving our service, we don't know what we'll need so we just take everything and figure it out later") and then just revert the capability when people complain.
embedding-shape 38 minutes ago [-]
> The evidence is in the code! If you didn't intend for a capability to be there then why is it in the code?
Bugs happen. I won't claim to know if it was intentional or not, but usually it ends up not being intentional.
> How so? What other approaches do they have that get this much data
Just upload everything you find, as soon as you get invoked. Vercel has a tons of infrastructure and utilities they could execute this from, unless they care for reputational harm. Which I'm guessing they do, which makes it more likely to have been unintentional than intentional.
Kwpolska 56 minutes ago [-]
Why would you assume good intentions of any business in this day and age?
embedding-shape 54 minutes ago [-]
Because I'm a nice person, and want to give other nice people the benefit of the doubt. And most businesses are run by people after all, not hard to imagine at least some of them would be "nice people" too.
And frankly, the alternative would be too mentally taxing. So in the camp of "Good until proven otherwise" is where I remain for now.
robbiewxyz 37 minutes ago [-]
Keep in mind that an organization made of fairly nice people may do terribly not-nice things. "Just doing my job" is a hell of a drug.
Well, unfortunately people always tend to only spend time on verifying that the feature they wanted works, testing the happy path. Even many superficial bosses / code reviewers / QA tester will check this...
Checking if your code also gets executed elsewhere a bazillion times, checking failure cases, etc... That's a luxury that you feel you can't afford when you are in "ship fast, break things" mode.
embedding-shape 1 hours ago [-]
> That's a luxury that you feel you can't afford when you are in "ship fast, break things" mode.
I've been there, countless of times, never have I shipped software I didn't feel at least slightly confident about though. And the only way to get confident about anything, is to try it out. But both of those things must have been lacking here and then I don't understand what the developer was really doing at all during this.
serial_dev 1 hours ago [-]
Devs get tunnel vision when they ship slop.
sandeepkd 1 hours ago [-]
It seems market driven, the consumer space rewards speed and publicity more than the quality of software
chuckadams 1 hours ago [-]
> I know everything is vibeslopped nowadays, but how does one even end up shipping something like this?
The first part of your question answers the second. No one is left who cares. People are going to have to vote with their feet before that changes.
potter098 1 hours ago [-]
The bigger issue here is not telemetry by itself, it's shipping a context-insensitive integration into a tool people use across unrelated repos. If the overhead is real, that turns a convenience plugin into something teams have to actively defend against.
Lihh27 58 minutes ago [-]
a deployment plugin shipping raw bash command strings off your machine. "actively defend against it" is just normal hygiene
p_stuart82 1 hours ago [-]
19k tokens per session and the skill triggers don't even check project scope. you're paying that overhead on every non-vercel repo
acedTrex 1 hours ago [-]
> Checking if your plugin/extension/mod works
What makes you think they do this with any of their products these days?
nothinkjustai 1 hours ago [-]
Honestly, knowing some of the people who work for Vercel and the amount of vibe coding they do, I doubt anyone even checked this before pushing.
throwaway613746 1 hours ago [-]
[dead]
btown 1 hours ago [-]
To be sure, the problem isn't that the plugin injects behavior into the system prompt - that's every plugin and skill, ever.
But this is just such a breach of trust, especially the on-by-default telemetry that includes full bash commands. Per the OOP:
> That middle row. Every bash command - the full command string, not just the tool name - sent to telemetry.vercel.com. File paths, project names, env variable names, infrastructure details. Whatever’s in the command, they get it.
(Needless to say, this is a supply chain attack in every meaningful way, and should be treated as such by security teams.)
IMO Vercel is not a good actor. One could make a good argument that they've embrace-extend-extinguished the entire future of React as an independent and self-contained foundational library, with the complexity of server-side rendering, the undocumented protocols that power it, and the resulting tight coupling to their server environments. Sadly, this behavior doesn't surprise me.
I’ll just say that as someone who was on the React team throughout these years, the drive to expand React to the server and the design iteration around it always came from within the team. Some folks went to Vercel to finish what they started with more solid backing than at Meta (Meta wasn’t investing heavily into JS on the server), but the “Vercel takeover” stories that you and others are telling are lies.
andrewqu 11 minutes ago [-]
Engineer at Vercel here who worked on the plugin!
We have been super heads down to the initial versions of the plugin and constantly improving it. Always super happy to hear feedback and track the changes on GitHub.
I want to address the notes here:
The plugin is always on, once installed on an agent harness. We do not want to limit to only detected Vecel project, because we also want to help with greenfield projects "Help build me an AI chat app".
We collect the native tool calls and bash commands. These are pipped to our plugin. However, `VERCEL_PLUGIN_TELEMETRY=off` kills all telemetry.
All data is anonymous. We assign a random UUID, but this does not connect back to any personal information or Vercel information.
Prompt telemetry is opt-in and off by default. The hook asks once; if you don't answer, session-end cleanup marks it as disabled. We don't collect prompt text unless you explicitly say yes.
On the consent mechanism: the prompt injection approach is a real constraint of how Claude Code's plugin architecture works today. I mentioned this in the previous GitHub issue - if there's a better approach that surfaces this to users we would love to explore this.
The env var `VERCEL_PLUGIN_TELEMETRY=off` kills all telemetry and keeps the plugin fully functional. We'll make that more visible, and overall make our wording around telemetry more visible for the future.
Overall our goal isn't to only collect data, it's to make the Vercel plugin amazing for building and shipping everything.
stephantul 6 minutes ago [-]
The idea that a random uuid == anonymous, and would protect users from having entire bash commands piped through is preposterous, and you know it.
abelsm 29 minutes ago [-]
The breach of trust here, which is hard to imagine isn't intentional, is enough reason alone to stop using Vercel, and uninstall the plugin. That part is easy. Most of these agents can help you migrate if anything.
It's a really tough problem, but Anthropic is the company I'd bet on to approach this thoughtfully.
delichon 25 minutes ago [-]
> Anthropic is the company I'd bet on to approach this thoughtfully.
I read that Anthropic may have gained in good will more than the $200M they lost in Pentagon contracts. It seems plausible.
guessmyname 55 minutes ago [-]
I use Little Snitch and so far I have only seen Claude Code connect to api.anthropic.com and Sentry for telemetry. I have not seen any Vercel connections, but I always turn off telemetry in everything before I run it. If you log in with OAuth2, it also connects to platform.claude.com . For auto updates, it fetches release info from raw.githubusercontent.com and downloads the actual files from storage.googleapis.com. I think it also uses statsig.anthropic.com for stats. One weird thing, I did see it try to connect to app.nucleus.sh once, and I have no idea why.
Here are some environment variables that you’d like to set, if you’re as paranoid as me:
The CEO in particular has turned into a rather pathetic MAGA-chaser. He doesn't seem to actually believe in the politics of the current US administration (or that of Isreal), but he loves finding any way to post about how important he is by hanging out with anyone in that circle, like his selfie with Benjamin Netanyahu.
Like, bluntly, none of these people need slightly faster websites running on nextjs right now. Guillermo should focus on Vercel rather than his own ego. Just makes it seem gross to use his stuff, which is a shame because it's a good product.
gronky_ 19 minutes ago [-]
Mobile rendering of the post has some issues. Tables are overflowing and not responsive for example
Surac 31 minutes ago [-]
I still use Claude to code in a very stoneage way. I copy c code into the web site/desktop App and type in my prompt. Then i read the output and if i like it i copy paste it into my code. I always felt very old doing that way when things like Claude code exists. Now i fell somehow not so old. All this hacking into my private space using a develpment tool is insane. Also i do not use Git
nothinkjustai 1 hours ago [-]
I’ve often seen people say that AI is a multiplier, where a 2x dev becomes a 4x dev, but a -1x dev becomes a -2x dev, etc.
I think it’s fairly easy to tell what impact AI is having at Vercel. Knowing the pre-ai quality of the engineering at that company, I’m not surprised in the AI era they’re pushing stuff like this. I doubt anyone even thought to check it on a repo outside of a Vercel one.
heliumtera 54 minutes ago [-]
Oh boy, the guy in the middle wants to take advantage of you! Surprising stuff.
You always had the option to not, ever, touch Vercel.
phillipcarter 41 minutes ago [-]
Having recently migrated my websites off of Vercel and onto Railway, I can confirm, it's pretty straightforward to not touch Vercel.
infecto 2 hours ago [-]
Every single scam website I have gotten from spam text messages is being hosted on vercel. Not surprising.
atraac 1 hours ago [-]
What does this even have to do with the thread? They're hosted there cause it's cheap and extremely easy to do so. Not because it's "specially crafted" for scams.
infecto 1 hours ago [-]
Easy to do because there is a lack of engineering quality similar to the attached plugin.
Not surprising.
michiosw 1 hours ago [-]
This is a broader pattern I keep seeing with agent plugins/extensions — the permission model is "all or nothing." Once you install a plugin, it gets full context on every session, every prompt.
Compare this to how we think about OAuth scopes or container sandboxing — you'd never ship a CI integration that gets read access to every repo in your org just because it needs to lint one. But that's essentially what's happening here with the token injection across all sessions.
The real problem isn't Vercel specifically, it's that Claude Code's plugin architecture doesn't have granular activation scopes yet. Plugins should declare which project types they apply to and only activate in matching contexts. Until that exists, every plugin author is going to make this same mistake — or exploit it.
Rendered at 17:27:30 GMT+0000 (Coordinated Universal Time) with Vercel.
> every skill's trigger rules get evaluated on every prompt and every tool call in every repo, regardless of whether Vercel is in scope
> For users working across multiple projects (some Vercel, some not), this is a fixed ~19k token cost on every session — even when the session is pure backend work, data science, or non-Vercel frontend.
I know everything is vibeslopped nowadays, but how does one even end up shipping something like this? Checking if your plugin/extension/mod works in the contexts you want, and doesn't impact the contexts you don't, seem like the very first step in even creating such a thing. "Where did the engineering go?" feels like too complicated even, where did even thinking the smallest amount go?
Seems to me their engineering practices such, rather than the company suddenly wanting to slurp up as much data as possible, if they truly wanted that, they have about 10 better approaches for it, if they don't care about other things.
The evidence is in the code! If you didn't intend for a capability to be there then why is it in the code?
> if they truly wanted that, they have about 10 better approaches for it, if they don't care about other things.
How so? What other approaches do they have that get this much data with little potential for reputational harm? This is a very common way to create plausible deniability ("we use it for improving our service, we don't know what we'll need so we just take everything and figure it out later") and then just revert the capability when people complain.
Bugs happen. I won't claim to know if it was intentional or not, but usually it ends up not being intentional.
> How so? What other approaches do they have that get this much data
Just upload everything you find, as soon as you get invoked. Vercel has a tons of infrastructure and utilities they could execute this from, unless they care for reputational harm. Which I'm guessing they do, which makes it more likely to have been unintentional than intentional.
And frankly, the alternative would be too mentally taxing. So in the camp of "Good until proven otherwise" is where I remain for now.
Checking if your code also gets executed elsewhere a bazillion times, checking failure cases, etc... That's a luxury that you feel you can't afford when you are in "ship fast, break things" mode.
I've been there, countless of times, never have I shipped software I didn't feel at least slightly confident about though. And the only way to get confident about anything, is to try it out. But both of those things must have been lacking here and then I don't understand what the developer was really doing at all during this.
The first part of your question answers the second. No one is left who cares. People are going to have to vote with their feet before that changes.
What makes you think they do this with any of their products these days?
But this is just such a breach of trust, especially the on-by-default telemetry that includes full bash commands. Per the OOP:
> That middle row. Every bash command - the full command string, not just the tool name - sent to telemetry.vercel.com. File paths, project names, env variable names, infrastructure details. Whatever’s in the command, they get it.
(Needless to say, this is a supply chain attack in every meaningful way, and should be treated as such by security teams.)
And the argument that there's no CLI space to allow for opt-in telemetry is absurd - their readme https://github.com/vercel/vercel-plugin?tab=readme-ov-file#i... literally has you install the Vercel plugin by calling `npx` https://www.npmjs.com/package/plugins which is written by a Vercel employee and could add this opt-in at any time.
IMO Vercel is not a good actor. One could make a good argument that they've embrace-extend-extinguished the entire future of React as an independent and self-contained foundational library, with the complexity of server-side rendering, the undocumented protocols that power it, and the resulting tight coupling to their server environments. Sadly, this behavior doesn't surprise me.
EDIT: That `npx plugins` code? It's not on Github, exists only on NPM, and as of v1.2.9 of that package, if you search https://www.npmjs.com/package/plugins?activeTab=code it literally sends telemetry to https://plugins-telemetry.labs.vercel.dev/t already, on an opt-out basis! I mean, you have to almost admire the confidence.
We have been super heads down to the initial versions of the plugin and constantly improving it. Always super happy to hear feedback and track the changes on GitHub. I want to address the notes here:
The plugin is always on, once installed on an agent harness. We do not want to limit to only detected Vecel project, because we also want to help with greenfield projects "Help build me an AI chat app".
We collect the native tool calls and bash commands. These are pipped to our plugin. However, `VERCEL_PLUGIN_TELEMETRY=off` kills all telemetry.
All data is anonymous. We assign a random UUID, but this does not connect back to any personal information or Vercel information.
Prompt telemetry is opt-in and off by default. The hook asks once; if you don't answer, session-end cleanup marks it as disabled. We don't collect prompt text unless you explicitly say yes.
On the consent mechanism: the prompt injection approach is a real constraint of how Claude Code's plugin architecture works today. I mentioned this in the previous GitHub issue - if there's a better approach that surfaces this to users we would love to explore this.
The env var `VERCEL_PLUGIN_TELEMETRY=off` kills all telemetry and keeps the plugin fully functional. We'll make that more visible, and overall make our wording around telemetry more visible for the future.
Overall our goal isn't to only collect data, it's to make the Vercel plugin amazing for building and shipping everything.
The question is on whether these platforms are going to enforce their policies for plugins. For Claude Code in particular this behavior violates their plugin policy (1D) here explicitly: https://support.claude.com/en/articles/13145358-anthropic-so...
It's a really tough problem, but Anthropic is the company I'd bet on to approach this thoughtfully.
I read that Anthropic may have gained in good will more than the $200M they lost in Pentagon contracts. It seems plausible.
Here are some environment variables that you’d like to set, if you’re as paranoid as me:
Like, bluntly, none of these people need slightly faster websites running on nextjs right now. Guillermo should focus on Vercel rather than his own ego. Just makes it seem gross to use his stuff, which is a shame because it's a good product.
I think it’s fairly easy to tell what impact AI is having at Vercel. Knowing the pre-ai quality of the engineering at that company, I’m not surprised in the AI era they’re pushing stuff like this. I doubt anyone even thought to check it on a repo outside of a Vercel one.
You always had the option to not, ever, touch Vercel.
Not surprising.
Compare this to how we think about OAuth scopes or container sandboxing — you'd never ship a CI integration that gets read access to every repo in your org just because it needs to lint one. But that's essentially what's happening here with the token injection across all sessions.
The real problem isn't Vercel specifically, it's that Claude Code's plugin architecture doesn't have granular activation scopes yet. Plugins should declare which project types they apply to and only activate in matching contexts. Until that exists, every plugin author is going to make this same mistake — or exploit it.