Hi — thanks for publishing the Indigo plugin. While reviewing it for the Claude Code
plugin directory, we observed a small inconsistency we wanted to flag so the listing's
documentation is accurate.
What we observed
- The
SessionStart hook (hooks/check-update.js) makes an outbound network request:
an HTTPS GET to raw.githubusercontent.com/.../.claude-plugin/plugin.json to check
whether a newer version is available (cached for ~1 hour, run in a background process).
PRIVACY.md currently states "No network requests made by the plugin," "No API calls
to external services," and "No external communication."
The update check itself looks benign — it compares versions and, from what we can see,
transmits no user data. The only issue is that the privacy policy currently says the
opposite of what the plugin does.
What would resolve it
To keep the directory listing accurate, we'd ask that the privacy policy be updated to
describe the update check — what it contacts and what (if anything) is sent — and, ideally,
that you offer a way for users to disable it (e.g. an environment variable the hook checks).
Happy to answer any questions. Thanks again for the plugin.
Hi — thanks for publishing the Indigo plugin. While reviewing it for the Claude Code
plugin directory, we observed a small inconsistency we wanted to flag so the listing's
documentation is accurate.
What we observed
SessionStarthook (hooks/check-update.js) makes an outbound network request:an HTTPS GET to
raw.githubusercontent.com/.../.claude-plugin/plugin.jsonto checkwhether a newer version is available (cached for ~1 hour, run in a background process).
PRIVACY.mdcurrently states "No network requests made by the plugin," "No API callsto external services," and "No external communication."
The update check itself looks benign — it compares versions and, from what we can see,
transmits no user data. The only issue is that the privacy policy currently says the
opposite of what the plugin does.
What would resolve it
To keep the directory listing accurate, we'd ask that the privacy policy be updated to
describe the update check — what it contacts and what (if anything) is sent — and, ideally,
that you offer a way for users to disable it (e.g. an environment variable the hook checks).
Happy to answer any questions. Thanks again for the plugin.