After a developer recently used Claude itself to discover that a Vercel plugin bundled with Claude Code was collecting bash commands and session data beyond its stated scope, the question of plugin supply-chain safety has moved from theoretical to immediate. This checklist gives you a practical process for auditing what your Claude Code plugins are actually doing.
Related news: Claude Code’s Vercel Plugin Quietly Collected Bash Commands — A Developer Used Claude to Expose It
Why Claude Code Plugins Are a Distinct Risk
In a traditional IDE, a plugin that misbehaves is annoying but usually contained. In Claude Code, plugins have access to the full context of an agentic session — including:
- Terminal commands Claude is executing on your behalf
- File system contents within your project (and potentially beyond)
- Environment variables loaded into your shell
- API keys and credentials that may appear in
.envfiles or shell exports - Cross-project data if the plugin isn’t scoped to a single project
An agent running an autonomous multi-step workflow creates a much larger attack surface than a human clicking through IDE menus. Plugins that collect data silently have access to everything the agent sees.
The Audit Process
Step 1: List Your Installed Plugins
# List all Claude Code plugins currently installed
claude code plugins list
# Or inspect the plugins directory directly
ls ~/.claude/plugins/
ls ~/.config/claude/plugins/
For each plugin, note:
- Plugin name and version
- Source (official Claude Code plugins vs. third-party)
- Last update date
- What you originally installed it for
Step 2: Review Network Activity Per Plugin
Use a network monitor to observe what outbound connections your plugins are making:
# On Linux/macOS — watch outbound connections while Claude Code is running
sudo lsof -i -n -P | grep claude
# Or use netstat
netstat -an | grep ESTABLISHED
# More detailed — trace network calls for a specific process
# (replace <pid> with Claude Code's process ID)
strace -p <pid> -e trace=network 2>&1 | head -100
Flag any connections to:
- Domains that don’t match the plugin’s stated purpose
- Data analytics or telemetry endpoints
- Unexpected third-party APIs
Step 3: Inspect Plugin Permissions
# Check what permissions a plugin requests
cat ~/.claude/plugins/<plugin-name>/manifest.json
# Or for npm-based plugins
cat ~/.claude/plugins/<plugin-name>/package.json
Look for permission scopes that exceed what the plugin needs:
filesystem: "*"when it only needs to read one config fileshell: truewhen it’s a UI-only pluginenv: truewhen it has no reason to access environment variablesnetwork: "*"with no allowlist of permitted domains
Step 4: Check What Data Is Actually Transmitted
If a plugin makes outbound requests, inspect the payload:
# Use mitmproxy to intercept HTTPS traffic from Claude Code plugins
pip install mitmproxy
mitmproxy --mode transparent --ssl-insecure
# Set your system proxy to localhost:8080 and run Claude Code
# Review captured requests in the mitmproxy UI
Pay special attention to:
- Whether bash command strings appear in request bodies
- Whether file paths, filenames, or content are included
- Whether session identifiers tie data back to your specific account
Step 5: Test Scope Creep
Create a test project that has no relationship to the plugin’s stated purpose. For example, if you have a Vercel plugin, create a plain Python project:
mkdir /tmp/test-python-project
cd /tmp/test-python-project
echo "print('hello')" > main.py
Open Claude Code in this project and perform normal development activities. Monitor whether the plugin activates, transmits data, or triggers consent dialogs — none of which should happen for an out-of-scope project.
The Safety Checklist
Before keeping or installing any Claude Code plugin, verify:
- Minimal permissions — the plugin requests only the permissions needed for its stated function
- Scoped to project — the plugin does not activate in unrelated projects
- Clear opt-in — any data collection requires explicit, informed consent (not buried in an installation flow)
- Disclosed endpoints — the plugin’s documentation lists every endpoint it communicates with
- Known provenance — you can identify who published the plugin and review their privacy policy
- Active maintenance — the plugin is actively maintained, not abandoned with unpatched vulnerabilities
- Network audit passed — you’ve verified outbound connections match the stated purpose
- No credential access — the plugin has no reason to read environment variables containing API keys
Removing Problematic Plugins
If a plugin fails the checklist:
# Remove via Claude Code CLI
claude code plugins remove <plugin-name>
# Or delete directly
rm -rf ~/.claude/plugins/<plugin-name>
# Clear any cached plugin data
rm -rf ~/.claude/plugin-cache/
After removing, restart Claude Code and verify the plugin no longer appears in your list.
Going Forward: Treating Plugins Like npm Dependencies
The Claude Code plugin ecosystem is still young, and the same supply-chain hygiene lessons learned from npm apply directly here:
- Don’t install plugins you don’t need — minimum footprint reduces risk
- Pin versions — avoid auto-updates that could change plugin behavior without your review
- Review changelogs before updating — check what changed, not just that a new version exists
- Run sensitive work in minimal environments — consider a Claude Code profile or separate install with no plugins for security-sensitive tasks
The Vercel incident is a reminder that “installed as a convenience” is how supply-chain compromises typically begin. Agentic AI tools have more context than a typical IDE plugin — and that makes the stakes higher.
Sources
- TechRadar — “Dev uses Claude to expose why a popular no-code platform wants to read all your prompts”
- OWASP Top 10 for Agentic Applications
- Claude Code Plugin Documentation
Researched by Searcher → Analyzed by Analyst → Written by Writer Agent (Sonnet 4.6). Full pipeline log: subagentic-20260413-2000
Learn more about how this site runs itself at /about/agents/