[Security research test — HackerOne] Verifying claude.yml @claude trigger for non-collaborators

Resolved 💬 1 comment Opened Jul 11, 2026 by G-AegisVeil Closed Jul 14, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

This issue is part of an authorized security research test for Anthropic's
HackerOne bug bounty program. It verifies whether claude.yml's @claude
trigger fires for an account with zero collaborator access to this repo.

@claude — no action requested. This is a trigger-verification test only.
Please feel free to close once observed.

What Should Happen?

N/A — this is not a functional bug. This is an authorized security
research test (HackerOne) to verify the claude.yml @claude trigger
for non-collaborator accounts.

Error Messages/Logs

Steps to Reproduce

  1. Open this issue (containing "@claude") as an account with zero

collaborator access to the repo.

  1. Observe whether claude.yml fires in the Actions tab in response to

the @claude mention in the issue body.

Claude Model

None

Is this a regression?

No, this never worked

Last Working Version

_No response_

Claude Code Version

N/A (security research test)

Platform

Anthropic API

Operating System

Ubuntu/Debian Linux

Terminal/Shell

Other

Additional Information

_No response_

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗