[Security research test — HackerOne] Verifying claude.yml @claude trigger for non-collaborators
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
This issue is part of an authorized security research test for Anthropic's
HackerOne bug bounty program. It verifies whether claude.yml's @claude
trigger fires for an account with zero collaborator access to this repo.
@claude — no action requested. This is a trigger-verification test only.
Please feel free to close once observed.
What Should Happen?
N/A — this is not a functional bug. This is an authorized security
research test (HackerOne) to verify the claude.yml @claude trigger
for non-collaborator accounts.
Error Messages/Logs
Steps to Reproduce
- Open this issue (containing "@claude") as an account with zero
collaborator access to the repo.
- Observe whether claude.yml fires in the Actions tab in response to
the @claude mention in the issue body.
Claude Model
None
Is this a regression?
No, this never worked
Last Working Version
_No response_
Claude Code Version
N/A (security research test)
Platform
Anthropic API
Operating System
Ubuntu/Debian Linux
Terminal/Shell
Other
Additional Information
_No response_
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗