Skip to content

Privacy policy states "no network requests," but the update-check hook makes one #44

Description

@bryan-anthropic

Hi — thanks for publishing the Indigo plugin. While reviewing it for the Claude Code
plugin directory, we observed a small inconsistency we wanted to flag so the listing's
documentation is accurate.

What we observed

  • The SessionStart hook (hooks/check-update.js) makes an outbound network request:
    an HTTPS GET to raw.githubusercontent.com/.../.claude-plugin/plugin.json to check
    whether a newer version is available (cached for ~1 hour, run in a background process).
  • PRIVACY.md currently states "No network requests made by the plugin," "No API calls
    to external services," and "No external communication."

The update check itself looks benign — it compares versions and, from what we can see,
transmits no user data. The only issue is that the privacy policy currently says the
opposite of what the plugin does.

What would resolve it
To keep the directory listing accurate, we'd ask that the privacy policy be updated to
describe the update check — what it contacts and what (if anything) is sent — and, ideally,
that you offer a way for users to disable it (e.g. an environment variable the hook checks).

Happy to answer any questions. Thanks again for the plugin.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions