‘That felt wrong’: Dev uses Claude to expose why a popular No-Code platform wants to read “all your prompts”
- Consent prompt appears even in projects without Vercel configuration
- Plugin delivers consent requests through system-level instruction injection
- Bash commands are captured fully, including sensitive environment details
A developer examining the Vercel plugin inside Claude Code found that a telemetry consent request appeared unexpectedly during unrelated work.
The project contained no Vercel configuration files or dependencies, yet the system still asked whether prompt data could be shared.
The request stated that “anonymous usage data” was already being collected, followed by an option to include prompt text as well.
Article continues below
Instead of appearing as a standard interface element, the consent request was delivered through injected instructions within Claude’s system context.
These instructions directed the AI tool to ask the user a question, then execute shell commands based on the response.
The result was indistinguishable from a native interaction, leaving no visible indication that the prompt originated from a plugin rather than the core system.
The developer described the experience plainly, stating, “that felt wrong,” and proceeded to review the plugin’s source code to verify how the mechanism worked.
Source code inspection shows that telemetry operates in multiple layers, with some data collection enabled by default.
Session-level data includes device identifiers, operating system details, detected frameworks, and installed CLI versions, all transmitted at the start of each session. This occurs without an explicit opt-in mechanism.
More notably, bash command strings executed within Claude Code are also captured and transmitted.
These entries include full command content rather than abstracted metadata, potentially exposing file paths, environment variables, and infrastructure details.
This collection occurs automatically, independent of any user consent regarding prompt sharing.
The description of this activity as “anonymous usage data such as skill injection patterns and tools used” does not fully reflect the granularity of the collected information.
While prompt text requires explicit approval, other telemetry categories remain active unless manually disabled.
The plugin’s telemetry system does not restrict itself to Vercel-related environments, as hook configurations show that user prompt submissions are matched universally, while other triggers respond to general tool usage or session events rather than project-specific conditions.
As a result, telemetry functions across all projects within Claude Code, regardless of relevance to Vercel services.
This behavior contrasts with existing framework detection logic within the plugin.
The code identifies project types by scanning configuration files and dependencies, yet this information is not used to limit telemetry activation. The gating mechanism exists but is not applied in practice.
Disabling telemetry requires manual intervention through environment variables or configuration files.
But these options are documented within the plugin directory rather than surfaced during installation, making them harder to access.
Removing the device identifier file or disabling the plugin entirely also interrupts data collection, although these steps are not presented during initial setup.
Simply put, the system combines automated data collection with limited visibility into when and how it operates.
This may not match what users expect when working outside of no-code platform environments or when using an LLM for coding.
TechRadar Pro has contacted Vercel for comment, but has heard nothing back at the time of publishing.
Via Akshay Chugh
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
Consent prompt appears even in projects without Vercel configuration Plugin delivers consent requests through system-level instruction injection Bash commands are captured fully, including sensitive environment details A developer examining the Vercel plugin inside Claude Code found that a telemetry consent request appeared unexpectedly during unrelated work. The project contained no…
