Decision. If you’re on Pro/Max with GitHub repos and want zero ops, use Anthropic’s first-party Claude Code in Slack — the @mention routes to a sandboxed claude.ai/code session [1]. If you need GitLab, local-only repos, or to keep the runtime on your own machine and quota, deploy chenhg5/cc-connect ⭐ 6.4k (Apr 2026) [7] for a multi-platform bridge or jeremylongshore/claude-code-slack-channel ⭐ 15 [10] for the security-hardened pattern. If “I want to ship code from Slack” is the only requirement and Claude isn’t a hard pin, Cursor Background Agents [58] or OpenAI Codex Slack [60] are equally credible — both run on vendor cloud VMs instead of your laptop.
1. The official surface: Claude Code in Slack
Anthropic launched Claude Code in Slack as a research preview on December 8, 2025 [4], built on the existing Claude for Slack app [1][2]. Mention @Claude with a coding task in a channel where you’ve run /invite @Claude, and the app’s intent classifier routes the request to a remote Claude Code session on the web — the Slack thread itself never executes code [1]. What lives in the channel is status updates, a completion summary, and Block Kit action buttons (View Session, Create PR, Retry as Code, Change Repo) [1].
| Constraint | Detail |
|---|---|
| Plan | Pro / Max / Team / Enterprise with Claude Code seats [1] |
| Repo support | ⚠ GitHub only — issue #21527 tracks GitLab/Bitbucket [17] |
| Surface | Channels only, no DMs [26] |
| Output | One PR per session [26] |
| Runtime | Anthropic-managed sandbox under the invoking user’s quota [1] |
| Slack scopes | Broad “perform actions as you” across channels, conversations, workspace [3] |
The Slack message is the trigger, not the dialog. Builder.io’s review puts it bluntly: “Slack isn’t the real ‘dialog’ surface … it’s mainly to kick off the web-based Claude Code session” [25]. Two consequences: you can’t preview frontend changes from chat, and complex refactors still want the web/IDE [25][26].
2. OSS bridges: which ones to actually consider
The OSS landscape splits into one clear leader, four credible mid-tier projects, and a long tail of solo experiments. Star counts as of April 2026.
| Project | ⭐ Stars | Last push | Transport | Niche |
|---|---|---|---|---|
| chenhg5/cc-connect | ⭐ 6.4k | 2026-04-27 | Socket Mode + 6 other platforms | Multi-agent (Claude Code, Cursor, Gemini, Codex) → Slack/Telegram/Discord/Feishu/DingTalk/LINE/WeChat. [7] |
| mpociot/claude-code-slack-bot | ⭐ 157 | 2025-06-27 | Socket Mode | ⚠ Single-commit repo, effectively abandoned. Streaming + MCP passthrough. [8] |
| tomeraitz/claude-slack-bridge | ⭐ 21 | 2026-04-27 | MCP server | Human-in-the-loop pattern: Claude blocks at the kernel level until a Slack reply arrives. One Docker container serves all projects. [9] [16] |
| jeremylongshore/claude-code-slack-channel | ⭐ 15 | 2026-04-27 | Socket Mode + MCP stdio | Security-hardened: hash-chained audit journal, five-layer prompt-injection defense, policy-gated MCP tools. Requires Claude Code 2.1.80+. [10] |
| yuya-takeyama/cc-slack | ⭐ 14 | 2025-08-23 | HTTP webhooks | Go, MIT. /cc slash command opens a modal for working directory + initial prompt. [11] |
| 41fred/claude-code-slack | ⭐ 15 | 2026-02-20 | Local daemon + Railway worker | Splits Slack-facing component to a public PaaS so Claude Code stays local. Python, MIT. [12] |
| AnandChowdhary/claude-code-slack-bot | ⭐ 11 | 2025-09-04 | GitHub Action wrapper | Turns Slack feature requests into GitHub issues with auto-implementation PRs. [13] |
Stalled-but-cited: engineers-hub-ltd/slack-claude-code-integration ⭐ 11 (no commits in 10 months) [14], 106-/claude-code-slack-agent ⭐ 1 [15]. The recurring driver across all of them is issue #21527 — the OSS projects exist mostly to cover non-GitHub repos and local workspaces [17].
3. Technical patterns: how a bridge actually works
Four layers, each with a binary choice:
Slack → bridge transport
| Choice | When |
|---|---|
| Socket Mode (outbound WebSocket, no public IP) | Default for security-conscious bridges (cc-connect [7], mpociot’s bot [8], claude-code-slack-channel [10]). No HMAC verification needed. |
| HTTP webhooks (`/slack/events`, `/slack/interactive`, `/slack/commands`) | When the bridge already runs on a public URL (cc-slack [11], Cloudflare Worker patterns). Requires HMAC-SHA256 signing-secret check + 300s replay window [34]. |
Bridge → Claude Code driver
| Choice | Detail |
|---|---|
| CLI headless | claude -p "<prompt>" --output-format stream-json --include-partial-messages for token-by-token streaming back to Slack [18]. |
| Claude Agent SDK | Python claude-agent-sdk 0.1.48 ⭐ 6.6k or TypeScript @anthropic-ai/agent-sdk 0.2.71 ⭐ 1.3k. Same agent loop as Claude Code, embeddable in a Bolt async handler [19][20]. |
Session continuity
Map a Slack thread ts → --session-id captured from JSON output, replay with --resume <id>. cc-slack auto-resumes when a user replies in the same thread [11]. Without this you spawn-per-message and lose all context.
Approvals without a TTY
| `--permission-mode` | Behaviour | Use for |
|---|---|---|
| `default` | Interactive prompts | Local terminal, useless headless |
| `acceptEdits` | Auto-accepts file edits, prompts for shell | Light unattended |
| `plan` | Plan-only, no execution | Dry-run from chat |
| `auto` | Background classifier blocks force-pushes, `curl \| bash`, IAM changes [42] | Recommended replacement for `--dangerously-skip-permissions` |
| `dontAsk` | Only pre-approved tools, fully non-interactive [24] | Locked-down CI / Slack bridges |
| `bypassPermissions` (= `--dangerously-skip-permissions`) | Everything except protected paths | ⚠ Isolated containers / VMs only [24][42] |
The Notification and PreToolUse hooks are the two server-side wires. Notification fires when Claude is waiting for input or permission — community bridges use it to push “awaiting approval” or “task complete” cards into Slack via webhook curl [21]. As of March 2026, hooks support four handler types (command, http, prompt, agent) and an async: true flag to fire-and-forget without blocking the agent [22].
MCP cuts both ways
- Slack as MCP server consumed by Claude Code — Slack ships an official MCP server at `https://mcp.slack.com/mcp` (OAuth, HTTP transport). Install via `/plugin install slack` to give Claude search/read/send/canvas tools [23].
- Claude Code reachable via MCP from Slack — `tomeraitz/claude-slack-bridge` exposes an `ask_on_slack` MCP tool so Claude pauses mid-task, asks a question in Slack, and resumes when the reply lands [9][16].
4. Operator reality: bugs, costs, and what people complain about
Two structurally painful Anthropic-side bugs hit Slack bridges hardest:
- Issue #36833 — `claude -p` headless silently drops Claude AI connector MCP tools (including the Slack connector). Anything `mcp__claude_ai_Slack__*` returns NOT_FOUND under cron / LaunchAgent / CI [27].
- Issue #30333 — long-running headless SDK sessions with parallel subagents can hang because the Stop hook check finds zero hooks and never emits a `ResultMessage` line. Slack listeners stall without an error [28].
Cost blowups were the loudest March-2026 complaint. Max users reported 5-hour windows burned in ~90 minutes on previously-stable workloads [29], fresh sessions at 3% context returning “out of extra usage” [31], and Anthropic publicly conceded it tightened peak-hour caps such that ~7% more users now hit limits [32]. Unattended Slack-driven sessions amplify this — nobody’s watching when the loop blows up.
Latency budget for phone-from-Slack: 200–500 ms best-case round-trip phone → relay → local box, “potentially several seconds on congested cellular” [33] — fine for kickoff, painful for chained approval prompts.
The realistic away-from-desk pattern: tmux + launchctl + 1-minute Slack polling, hand-rolled [30]. It works, but you maintain the scaffolding.
5. Hardening: what you must do before pointing Slack at a code-editing agent
The 2025–2026 vulnerability disclosures make defence-in-depth non-optional:
- CVE-2025-59536 (CVSS 8.7) — opening an attacker-controlled repo auto-fires `.claude/settings.json` hooks, auto-loads `.mcp.json` MCP servers, and can override `ANTHROPIC_BASE_URL` to ship the API key in plaintext to the attacker before any trust prompt [37][38].
- CVE-2025-54794 / 54795 — path-restriction bypass and command injection [38].
- CVE-2026-39861 (patched in 2.1.64) — sandbox escape via symlinks pointing outside the workspace [40].
- 50-subcommand deny-rule bypass — `bashPermissions.ts` caps deny-rule evaluation at 50 piped subcommands; chain more and Claude falls back to “ask” instead of blocking [39].
- Mitiga’s Slack-via-Skill worm — a malicious Skill installed by an unsuspecting developer inherits the Slack identity, exfiltrates, and propagates. Conventional EDR/SIEM can’t see what happens inside Slack [41].
The converged practitioner pattern, distilled across Anthropic’s docs and the hardened community bridges:
| Layer | Pattern |
|---|---|
| Slack edge | Prefer Socket Mode (no public URL). If using webhooks: HMAC-SHA256 verify with 300s replay window + constant-time comparison [34]. Channel + user allow-lists; ungated messages dropped before reaching Claude [50]. Tokens never in repos, minimum scopes [35]. |
| Claude permission layer | --permission-mode auto not bypassPermissions for chat-driven runs [42]. ⚠ Trust verification is disabled under -p headless [46] — the bridge must replace it with its own gate. |
| PreToolUse hooks | The one enforcement layer the agent can’t talk past. Deny via permissionDecision: "deny" or exit code 2; admins use allowManagedHooksOnly to lock policy [47]. |
| Sandbox | Anthropic’s secure-deployment guide formalises: --cap-drop ALL, --security-opt no-new-privileges, --read-only, --network none, mount code read-only, reach the outside world only through a Unix-socket-attached proxy that injects credentials so the agent never sees them [48]. Seatbelt (macOS) / bubblewrap (Linux) for OS-level filesystem + network isolation [36]. |
| Reference implementations | Trail of Bits’ devcontainer ⭐ 771 (trailofbits/claude-code-devcontainer) — ephemeral container, no production secrets, iptables default-drop egress allowlist (Anthropic / GitHub / npm / PyPI only) [45]. Docker Sandboxes (Jan 2026) escalates to per-agent microVMs with private Docker daemon [44]. |
| Egress denylist | Always block 169.254.169.254 + metadata.google.internal + RFC1918 ranges to neutralise the standard exfil playbook [43]. |
| GitHub Action mode | Anthropic’s claude-code-action ⭐ 7.3k enforces write-permission gating, env-var scrubbing, PID-namespace isolation, and --allowedTools minimisation — same pattern Slack bridges should mirror [49]. StepSecurity flags that unlike Copilot, Claude Code’s Action has no built-in network firewall, so runtime egress monitoring (Harden-Runner) is required, not optional [51]. |
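The webhook check named in the transport table and again in the Slack-edge row, written as an added example (not code from any bridge listed here): HMAC-SHA256 over `v0:<timestamp>:<raw body>`, the 300 s replay window, and a constant-time compare. The secret, timestamp and body below are constructed sample values.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # replay window from the page

# Constructed sample values, not real credentials or traffic.
SAMPLE_SECRET = "constructed-signing-secret"
SAMPLE_TS = "1767225600"
SAMPLE_BODY = b"command=%2Fcc&text=fix+the+flaky+test"


def slack_signature(signing_secret, timestamp, body):
    """Compute the v0 signature Slack sends in X-Slack-Signature."""
    base = b"v0:" + timestamp.encode("ascii") + b":" + body
    digest = hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()
    return "v0=" + digest


def verify_slack_request(signing_secret, headers, body, now=None):
    """Return (ok, reason). `body` must be the raw request bytes, unparsed."""
    now = time.time() if now is None else now
    # Header names are case-insensitive on the wire; normalise once.
    h = {k.lower(): v for k, v in headers.items()}
    ts = h.get("x-slack-request-timestamp", "")
    sig = h.get("x-slack-signature", "")
    # Reject missing, signed or non-numeric timestamps before using them.
    if not (ts.isascii() and ts.isdigit()):
        return False, "bad-timestamp"
    # Check freshness first so stale captures are dropped cheaply.
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False, "stale"
    expected = slack_signature(signing_secret, ts, body)
    # compare_digest avoids leaking the match position through timing.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad-signature"
    return True, "ok"
```

Verify against the raw body before any JSON or form decoding; re-serialised bodies will not reproduce the signature.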
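A PreToolUse gate in the spirit of the hook and egress-denylist rows above, as an added example rather than code from Anthropic or any listed project: it denies with exit code 2 on denylisted destinations, downloads piped into a shell, and chains longer than the 50-subcommand cap. The stdin field names (`tool_name`, `tool_input.command`, `tool_input.url`) are assumptions about the hook payload, which the page does not show.

```python
import ipaddress
import json
import re
import sys

# Destinations from the page's egress denylist.
BLOCKED_HOSTS = ("metadata.google.internal",)
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.169.254/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_SUBCOMMANDS = 50  # deny-rule evaluation cap cited on the page
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")

def blocked_destination(text):
    """Return the first denylisted host or IPv4 literal found in text, else None."""
    for host in BLOCKED_HOSTS:
        if host in text.lower():
            return host
    for literal in IPV4.findall(text):
        try:
            if any(ipaddress.ip_address(literal) in net for net in BLOCKED_NETS):
                return literal
        except ValueError:  # not a valid address, e.g. 999.1.1.1
            pass
    return None

def decide(event):
    """Return ("allow" | "deny", reason) for one PreToolUse event dict."""
    tool_input = event.get("tool_input") or {}  # assumed field name
    text = " ".join(str(tool_input.get(k, "")) for k in ("command", "url"))
    hit = blocked_destination(text)
    if hit:
        return "deny", f"destination {hit} is on the egress denylist"
    if event.get("tool_name") == "Bash":  # assumed field name
        if PIPE_TO_SHELL.search(text):
            return "deny", "download piped into a shell"
        # Naive split that ignores quoting: it over-counts, so it fails closed.
        if len(re.split(r"\|\||&&|[|;]", text)) > MAX_SUBCOMMANDS:
            return "deny", "too many chained subcommands"
    return "allow", ""

if __name__ == "__main__":
    try:
        decision, reason = decide(json.load(sys.stdin))
    except (ValueError, AttributeError):  # malformed input: fail closed
        decision, reason = "deny", "unparseable hook input"
    if decision == "deny":
        print(reason, file=sys.stderr)
        sys.exit(2)  # exit code 2 denies the tool call
```

String matching like this is a policy backstop: hostnames that resolve to private addresses still have to be stopped by the network-level egress block.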
6. Competing remote-control surfaces
Slack is one of six credible “message me, I’ll ship code” surfaces. The differentiator is where the runtime lives and whose quota pays.
| Surface | Trigger | Runtime | Approval | Plan | Notes |
|---|---|---|---|---|---|
| Claude Code in Slack (Anthropic) | `@Claude` in channel | Anthropic cloud sandbox | Block Kit buttons; one PR per session | Pro / Max / Team / Enterprise [1] | ⚠ GitHub-only [17] |
| Claude Code Web | Browser at claude.com/code | Anthropic cloud sandbox, YOLO mode under the hood | None per-command (`--dangerously-skip-permissions` inside the sandbox); selectable network isolation | Pro / Max [52][53] | “Teleport” copies session to local CLI [53] |
| Claude Code Mobile (“Remote Control”) | iOS / Android app, Code tab | Anthropic cloud sandbox (same as web) | Same as web | Max ($100–200/mo); Pro to follow [54][55] | Phone-first PR creation |
| GitHub Actions `@claude` | `@claude` in PR/issue, issue assignment, scheduled prompt | Your GitHub runner, your compute bill | GitHub permissions + `--allowedTools` whitelist | API or Anthropic plan key [56] | anthropics/claude-code-action ⭐ 7.3k. Core CLI anthropics/claude-code ⭐ 118k [57] |
| OSS Slack bridge (community) | `@bot` / `/cc` slash command | Your laptop / your VPS / your container | DIY (Block Kit relay, hooks) | Whatever Anthropic plan you have | Only path for GitLab, local repos, non-GitHub workflows [7][10] |
| Cursor Background Agents | `@Cursor` in Slack (since Cursor 1.1, June 12 2025) | Cursor cloud isolated VM | Auto, opens GitHub PR | Cursor plan [58][59] | Near-mirror of Claude pattern, but vendor-cloud runtime |
| OpenAI Codex Slack | `@Codex` in channel/thread | OpenAI cloud (codex-1, o3-tuned) | Auto; replies with merge link or “pull locally” | Plus / Pro / Business / Enterprise / Edu [60][61] | OSS terminal sibling openai/codex ⭐ 78k [62] |
| Devin (Cognition) | `@Devin` in channel | Cognition cloud, ACU-billed | Auto; non-Devin Slack users now blocked from posting in Devin threads [65] | $20/mo Pro entry + $2.25/ACU [63][64] | ⚠ Real spend often $300–500/mo at usage [66] |
| Replit Agent | Replit Workspace (browser/IDE) | Replit cloud | IDE-side | Replit plan [67] | ⚠ Slack is a data source, not a trigger surface |
7. When Slack-as-trigger is actually right
Slack-as-trigger pays off when: (a) the team already lives in Slack, (b) tasks are short and well-scoped (one PR, one bug), (c) someone’s near a phone or desk to triage approvals, and (d) the runtime sits behind real isolation. It’s the wrong surface for long refactors, frontend work needing visual review [25], GitLab repos until #21527 lands [17], and any unattended cron-style automation that depends on Claude AI connector MCPs (broken under -p per #36833 [27]).
The pragmatic split: first-party Claude Code in Slack for GitHub teams on Pro/Max who want zero ops; a hardened OSS bridge (cc-connect for breadth, claude-code-slack-channel for security depth, claude-slack-bridge for the human-in-the-loop pattern) when GitHub-only is a dealbreaker or the runtime must stay on your infrastructure; and Cursor / Codex / Devin when “ship code from Slack” matters more than “must use Claude.”