Vercel–Claude Telemetry Row

A Vercel plugin for Claude Code set off alarms this week because its telemetry consent prompt was not shown as a normal app dialog. A GitHub issue filed on April 7 says the plugin injected natural-language instructions into Claude’s own context and told the model to ask the user about telemetry after any prompt. (github.com) The complaint was not that telemetry exists at all. The complaint was that the consent flow looked too much like the same kind of prompt injection attack that developers are trained to distrust, because the model was instructed to ask the question and then run shell commands to save the answer. (github.com) Claude Code plugins work by giving the assistant extra tools and instructions, a bit like handing a contractor a new key ring and a checklist. Anthropic’s documentation says the Model Context Protocol lets Claude connect to external tools and data sources over standard interfaces. (docs.anthropic.com) Vercel has been pushing hard into that layer. On March 17, 2026, Vercel said its coding-agent plugin for Claude Code and Cursor could observe real-time activity like file edits and terminal commands so it could inject Vercel knowledge into the agent’s context. (vercel.com) Vercel also runs a separate remote Model Context Protocol server at mcp.vercel.com that can search docs, manage projects, inspect deployments, and analyze logs after OAuth sign-in. Its docs say the server was in beta as of February 12, 2026, and supported clients including Claude Code, ChatGPT, Cursor, and Gemini Code Assist. (vercel.com) That is why this fight landed so hard with frontend teams. The same plumbing that lets an assistant deploy your app or read your logs also sits close to prompts, commands, and project metadata, so a messy consent flow feels less like a pop-up bug and more like a boundary problem. (vercel.com 1) (vercel.com 2) The April 7 issue points to one especially sensitive detail in version 0.32.0. It says the hook attempted telemetry logic before reading the saved preference file, and although the current code path still returned false when no file existed, the reporter argued the ordering was fragile enough that a future regression could send prompt text before consent. (github.com) A separate repository shows Vercel also ships a narrower Claude Code deploy plugin that installs with `/plugin install vercel@claude-plugins-official` and exposes commands like `/deploy` and `/vercel-logs`. That smaller plugin is not the same thing as the broader Vercel coding-agent plugin, but the overlap in names is part of why developers are now reading plugin scopes more carefully. (github.com) At the same time, Vercel’s ecosystem is moving in the opposite direction on security visibility. On April 9, 2026, Wiz announced a Vercel integration that ingests projects, domains, teams, members, and firewall configurations into its security graph so security teams can see exposed deployments and misconfigurations. (wiz.io) Put those two stories together and you get the real argument. Teams want more powerful deployment and security tooling inside assistants, but they also want consent, attribution, and data boundaries to be obvious enough that a telemetry prompt cannot be mistaken for an attack. (github.com) (wiz.io)