惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Security Archives - TechRepublic
Security Archives - TechRepublic
罗磊的独立博客
T
The Blog of Author Tim Ferriss
The GitHub Blog
The GitHub Blog
Apple Machine Learning Research
Apple Machine Learning Research
The Register - Security
The Register - Security
J
Java Code Geeks
V2EX - 技术
V2EX - 技术
Vercel News
Vercel News
N
News and Events Feed by Topic
腾讯CDC
P
Proofpoint News Feed
N
News | PayPal Newsroom
www.infosecurity-magazine.com
www.infosecurity-magazine.com
爱范儿
爱范儿
O
OpenAI News
酷 壳 – CoolShell
酷 壳 – CoolShell
月光博客
月光博客
Martin Fowler
Martin Fowler
Engineering at Meta
Engineering at Meta
D
Docker
Y
Y Combinator Blog
博客园 - 聂微东
G
Google Developers Blog
S
Security @ Cisco Blogs
Simon Willison's Weblog
Simon Willison's Weblog
S
Schneier on Security
H
Hackread – Cybersecurity News, Data Breaches, AI and More
S
SegmentFault 最新的问题
云风的 BLOG
云风的 BLOG
阮一峰的网络日志
阮一峰的网络日志
C
CXSECURITY Database RSS Feed - CXSecurity.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
C
CERT Recently Published Vulnerability Notes
I
Intezer
G
GRAHAM CLULEY
有赞技术团队
有赞技术团队
Attack and Defense Labs
Attack and Defense Labs
V
Visual Studio Blog
博客园 - Franky
博客园 - 三生石上(FineUI控件)
W
WeLiveSecurity
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Hugging Face - Blog
Hugging Face - Blog
Scott Helme
Scott Helme
T
Troy Hunt's Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
L
LINUX DO - 最新话题
C
Cybersecurity and Infrastructure Security Agency CISA

Hacker News - Newest: "AI"

AI can't read an investor deck AI as an attorney? Student uses ChatGPT, Gemini to sue UW over alleged racial discrimination Hacking MCP Servers in AI Systems – The Rug Pull: Tool Changes After Approval GitHub - MeepCastana/KubeezCut: Free Web based video editor GitHub - GenAI-Gurus/awesome-eu-ai-act: Curated tools, official sources, OSS, templates, and guides for EU AI Act compliance. Can AI judge journalism? A Thiel-backed startup says yes, even if it risks chilling whistleblowers Coming soon: 10 Things That Matter in AI Right Now DARPA built an AI to fact-check enemy weapons claims What explains heterogeneity in AI adoption? When AI Meets Muscle: Context-Aware Electrical Stimulation Promises a New Way to Guide Human Movements - Department of Computer Science AI Changed How We Build. It Did Not Change What Matters. Linux rules on using AI-generated code - Copilot is OK, but humans must take 'full responsibility for the… Meta spins up AI version of Mark Zuckerberg to engage with employees Code Mode: Let Your AI Write Programs, Not Just Call Tools | TanStack Blog GitHub - Delavalom/graft: Go framework for building AI agents. Type-safe tools, multi-provider (OpenAI, Anthropic, Gemini, Bedrock), zero vendor SDKs. India's TCS tops estimates, says new AI models did not dent services demand Gen Z's fading AI hype Strong feeling: we are in a folded AI reality GitHub - machinarii/total-recall-catalog: A reference catalog of latest knowledge retrieval, memory & RAG systems GitHub - mensfeld/code-on-incus: Give each AI agent its own isolated machine with root, Docker, and systemd. Active defense detects and stops threats automatically.. Quantization, LoRA, and the 8% Problem: Benchmarking Local LLMs for Production AI Iran war: We spoke to the man making Lego-style AI videos that experts say are powerful propaganda Powell, Bessent discussed Anthropic's Mythos AI cyber threat with major U.S. banks GitHub - immartian/bellamem: Persistent belief-graph memory for AI agents. Retrieves decisive context by importance — not recency, not RAG, not /compact. recursive-mode: The Repo-Native Operating System for AI Engineering After the attack on Sam Altman's home, will AI CEO's go on the offensive? The biggest advance in AI since the LLM Opus 4.6 vs GPT 5.4 One Prompt Unity World Generation Test “AI polls” are fake polls Client Challenge Can AI be a 'child of God'? Inside Anthropic's meeting with Christian leaders How to Switch AI Chatbots and Why You Might Want To GitHub - MattMessinger1/agentic_refund_guardrail: Safe refund policy layer for AI agents — Python + TypeScript. Same behavior, shared tests. Adam/papers/emergent_values_whitepaper.md at master · strangeadvancedmarketing/Adam Ask HN: How do you stop playing 20 questions with your AI coding tools How far can automation and AI support psychotherapy? - @theU GitHub - stagas/rtdiff: realtime git diff gui and AI-assisted commits A Mac Studio for Local AI — 6 Months Later A History of the Early Years of AI at the University of Edinburgh Why AI Coding Tools Still Feel Stuck on Localhost MSN AI Datacenters Are Becoming Strategic Targets twitter.com Penn Researchers Use AI to Surface Unreported GLP-1 Side Effects in Reddit Posts Show HN: MoodSense AI (ML and FastAPI and Gradio, Deployed on Hugging Face) Moodsense Ai - a Hugging Face Space by aman179102 AI models are terrible at betting on soccer—especially xAI Grok GitHub - xialeistudio/echoic GitHub - HimashaHerath/github-dev-wrapped: AI-powered weekly GitHub activity reports deployed to GitHub Pages GitHub - alejandrobalderas/claude-code-from-source: Architecture, patterns & internals of Anthropic's AI coding agent — reverse-engineered from source maps AI and Tech brief: Ireland ascendant GitHub - Titovilal/context0: Context0 - Never Surrender Training for a Marathon with an AI Coach: What Worked and What Didn't Cyber Pulse: Agentic Intel - Apps on Google Play I Built an AI PR Reviewer That Catches Bugs by Not Looking for Bugs Gen Z workers are so fearful AI will take their job they’re intentionally sabotaging their company’s AI rollout | Fortune How AI Is Reimagining the Game of Golf–For Both Players and Courses GitHub - nattergabriel/reseed: A CLI tool for managing and distributing agent skills across projects Is SVG the final frontier? My AI workflow evolved from prompts to a near-autonomous workflow MLSharp Help - 3DGS Viewer & Generator I put my cognitive field based AI's runtime on GitHub Is Numble the first AI-proof game? A3: Kubernetes for autonomous AI agent fleets | Emergent Principles Deepali Vyas ("The Elite Recruiter") GitHub - msmarkgu/RelayFreeLLM: A restful API designed to route user prompts to various AI model providers. Unionized ProPublica staff are on strike over AI, layoffs, and wages Unleashing the Advantage of Quantum AI We're heading for an AI-fueled 'dementia crisis,' brain scientist warns The AI-Assisted Breach of Mexico's Government Infrastructure [pdf] GitHub - stef41/lmscan: 🔍 Detect AI-generated text and fingerprint which LLM wrote it. Open-source GPTZero alternative. Zero dependencies, works offline. MSN GitHub - visionscaper/collabmem: Enabling long-term collaboration with Agentic AI - building up episodic and world model memory over time with in-context awareness We gave an AI a 3 year retail lease in SF and asked it to make a profit | Andon Labs AI Code is Hollowing Out Open Source, and Maintainers are Looking the Other Way What leaked "SteamGPT" files could mean for the PC gaming platform's use of AI AI is the boss at this retail store. What could go wrong? GitHub - Wuzu11517/agentic-proxy: Local proxy meant to help reduce With Drones, Geophysics and ArtificiaI Intelligence, Researchers Prepare to Do Battle Against Land Mines A Single Operator, Two AI Platforms, Nine Government Agencies: The Full Technical Report 在 Steam 上购买 FriedrichAI: Offline AI 立省 10% GitHub - inevolin/resume-cli: Hit Claude usage limits? Resume any AI coding session elsewhere. Switch tools at zero friction. GitHub - atripati/ark: AI Runtime Kernel — a context operating system for AI agents. Eliminates tool bloat, loads only what’s needed, and gives LLMs their reasoning space back. How to Build a Secure AI PR Reviewer with Claude, GitHub Actions, and JavaScript This Startup Wants You to Pay Up to Talk With AI Versions of Human Experts Intel Arc Pro B70 Brings 32GB VRAM to Local AI for $949 WordPress 7.0: The Good, the AI, and the Still Missing AI on the couch: Anthropic gives Claude 20 hours of psychiatry IatroBench: Pre-Registered Evidence of Iatrogenic Harm from AI Safety Measures AI Agents Know About Supabase. They Don't Always Use It Right. The history and future of AI at Google, with Sundar Pichai Inside an AI‑enabled device code phishing campaign How Meta Used AI to Map Tribal Knowledge in Large-Scale Data Pipelines AI for Systems: Using LLMs to Optimize Database Query Execution Forecasting the Economic Effects of AI Introducing Tinker: Play with AI, bring your ideas to life AI sheds light on an ancient gaming mystery People really hate AI but not as much as Iran—or Democrats | Fortune What is an AI Product Engineer? Phoebe Gates wants her $185 million AI startup to succeed with 'no ties to my privilege or my last name': 'I have a chip on my shoulder' | Fortune
Claude Tag: Build Your Own Slack AI Agent
Manveer Chawla · 2026-06-26 · via Hacker News - Newest: "AI"

“Today, 65% of our product team’s code is created by our internal version of Claude Tag.”

That’s Anthropic, talking about its own engineering team. And this is not code autocomplete or a chatbot generating snippets in isolation. Claude Tag is a shared agent inside Slack that teammates mention by name to investigate bugs, pull metrics, work support tickets, and complete longer-running tasks. It reads thread context, connects to approved tools and codebases, and posts results back in the same conversation.

The question is not whether Claude Tag is impressive. It is: what would your team delegate if you had one?

You do not need to recreate Anthropic’s entire product to find out. This tutorial recreates Claude Tag’s core interaction pattern, not Anthropic’s proprietary product. Start with one high-value Slack workflow, give the agent a small toolset, and use Arcade.dev for the action layer: tool connectivity, authorization, and controlled access to external systems.

Key takeaways: Claude Tag and building your own Slack AI agent

  • Claude Tag is Anthropic’s shared AI agent for Slack. It lets teams mention @Claude in selected channels to complete multi-step work using conversation context, connected tools, and codebases.
  • Claude Tag turns Slack into the agent interface. It can remember relevant channel context, work asynchronously, use a dedicated identity, and return results in the thread where the request began.
  • You can recreate the core Claude Tag pattern. This tutorial builds a Claude Tag-style Slack AI agent with Python, Slack Bolt, OpenAI, and Arcade.
  • Arcade provides secure tool access. The example connects the agent to read-only GitHub, Datadog, and PagerDuty tools while Arcade handles authorization, credentials, tool execution, and access controls.
  • Start with one bounded workflow. Incident triage is a strong first use case because it crosses multiple systems, produces reviewable evidence, and does not require irreversible actions.
  • Production agents need explicit safeguards. Restrict the agent to approved Slack channels, use dedicated or per-user identities, require human approval for consequential writes, log its actions, and maintain a kill switch.

What is Claude Tag and why does your team want it?

Anthropic launched Claude Tag on June 23, 2026 as a beta for Enterprise and Team customers. The operating model is simple: Claude joins selected Slack channels as a teammate. Anyone in the channel can tag @Claude with a request. It breaks the task into stages, works through them using connected tools, and replies in-thread with what it produced. Once a thread is active, anyone there can steer it without re-mentioning the agent.

What makes this different from a personal chatbot is that the work happens in public. The channel is the interface, the context, and the audit trail. A single shared Claude instance serves an entire channel, building persistent memory as it follows along. It can work asynchronously, schedule its own follow-up tasks, and combine context from Slack threads, Google Drive docs, ticketing systems, and data warehouses into a single answer.

The underlying insight is not about AI capabilities. It is about where work starts. Most cross-functional tasks begin as a Slack message. Someone asks a question, flags a problem, or requests information that lives across three systems. The true value of shared agents is when it can do useful work in a place where that work already begins.

Do not build an AI employee. Pick one workflow.

The fastest way to stall an agent project is to scope it as “an AI that can do anything.” Start with one workflow. Choose something that is:

  • Frequent. The team does it every week, ideally every day.
  • Cross-system. It requires pulling context from two or more tools (Slack, GitHub, a dashboard, a CRM).
  • Tedious to investigate manually. Someone has to copy-paste between tabs, summarize findings, and post an update.
  • Easy for a human to review. The agent produces a summary or recommendation, not a final irreversible action.

Some high-value starting points:

Incident triage across Slack, GitHub, and observability tools. When errors spike after a deployment, the agent pulls recent commits, queries Datadog for error rates and latency, checks PagerDuty for related incidents, and posts a structured summary with evidence links.

Support escalation summaries using your ticketing system, CRM, and internal docs. Instead of an engineer spending 15 minutes rebuilding context on an escalated ticket, the agent does it in seconds and posts the summary in the escalation channel.

Product-feedback triage that reads a Slack thread, extracts the core request, checks for duplicates in Linear or Jira, and creates a properly tagged issue with the original thread linked.

Account research that pulls together CRM data, recent email threads, product usage metrics, and internal notes before a customer call.

Start narrow. A focused agent earns trust faster than a broadly capable one.

How does a Claude Tag-style Slack agent work?

The architecture behind a Claude Tag-style agent has four layers:

  1. Slack is the interface. Users tag the agent in a thread. Slack delivers the triggering event; your application retrieves thread context via the API and displays results.
  2. The model is the reasoning layer. It understands the request, decides what information it needs, and synthesizes a response. Use whatever LLM and agent framework fits your stack.
  3. Arcade is the action layer. It connects the agent to approved tools, handles authorization and token management, and enforces access policy. The model never sees credentials.
  4. Your app handles orchestration. Task state, retries, async job processing, and posting updates back to Slack.

Slack AI agent architecture showing the five stages from a Slack @mention, through the agent's reasoning loop and the Arcade API MCP Gateway, to approved tools and the result returned in Slack

Each layer is independently replaceable. Swap the model, change the framework, add tools. The boundaries stay clean.

What we are building is a shared agent, not a multi-user agent. Every tool call runs under a single service identity regardless of who tagged the bot. Step 4 covers how to add per-user authorization if your use case requires it.

This prototype starts a run only when mentioned. Claude Tag’s production experience supports unmentioned follow-ups within an active thread. To add that behavior, subscribe to message.channels and message.groups, track active thread IDs, and filter out bot-generated messages. That is a production extension beyond the scope of this walkthrough.

How to build a Claude Tag-style Slack agent with Arcade

This walkthrough uses Python with Slack’s Bolt framework and the Arcade Python SDK. The same pattern works with any language or agent framework that supports MCP or Arcade’s REST API.

Prerequisites

You need Python 3.8+, permission to create and install a Slack app, an Arcade account and API key, and an OpenAI API key. For local Slack Events API testing, also install and authenticate the ngrok CLI or another public HTTPS tunnel.

python3 -m venv .venv
source .venv/bin/activate
python -m pip install slack-bolt arcadepy openai

Step 1: Create the Slack app and event trigger

Create a Slack app at api.slack.com/apps. Under OAuth & Permissions, add the bot scopes app_mentions:read, chat:write, channels:history, and groups:history. Install the app to your workspace, then copy the Bot User OAuth Token (xoxb-...) and Signing Secret from the app settings.

You now have everything needed to set the environment variables:

export SLACK_BOT_TOKEN="xoxb-..."
export SLACK_SIGNING_SECRET="..."
export ARCADE_API_KEY="..."
export ARCADE_USER_ID="you@company.com"
export OPENAI_API_KEY="..."
export SLACK_ALLOWED_CHANNEL_IDS="C0123456789"

For ARCADE_USER_ID, use the email associated with your Arcade account. Arcade’s default development verifier expects that identity. This is the single shared identity under which every tool call executes. All mentions in all approved channels resolve to this one account. It does not create GitHub or PagerDuty service accounts on its own. If the agent must act under a dedicated downstream identity, use dedicated accounts during the OAuth flows in Step 2.

Replace C0123456789 with your actual Slack channel ID. Open the channel in Slack’s web or desktop app and copy the C... portion of its URL (https://app.slack.com/client/T.../C...). See Slack’s guide to locating IDs for details.

SLACK_ALLOWED_CHANNEL_IDS restricts the agent to specific channels, enforcing the per-channel scoping that Claude Tag uses. Comma-separate multiple channel IDs. If different channels need different permissions or toolsets, you will need a channel_id-to-identity mapping or separate deployments.

Slack’s three-second rule is the critical implementation detail. Your endpoint must return HTTP 200 within three seconds or Slack marks delivery as failed and retries up to three times. Bolt handles acknowledgement automatically when you use the standard decorator pattern. For production workloads where agent processing takes longer, offload work to a task queue. Deduplicate on Slack’s top-level event_id before enqueueing work, otherwise retries can execute the same tools twice.

Save this as app.py:

import logging
import os

from slack_bolt import App
from agent import run_agent  # Step 3

ALLOWED_CHANNEL_IDS = {
    value.strip()
    for value in os.environ["SLACK_ALLOWED_CHANNEL_IDS"].split(",")
    if value.strip()
}

app = App(
    token=os.environ["SLACK_BOT_TOKEN"],
    signing_secret=os.environ["SLACK_SIGNING_SECRET"],
)


@app.event("app_mention")
def handle_mention(event, client, say, context, logger):
    if event["channel"] not in ALLOWED_CHANNEL_IDS:
        logger.warning("Ignoring mention from unauthorized channel %s", event["channel"])
        return

    # Ignore messages from bots (including this one) to prevent loops
    if event.get("bot_id"):
        return

    thread_ts = event.get("thread_ts") or event["ts"]

    try:
        # Retrieve up to 50 messages of thread context.
        # Production implementations should follow
        # response_metadata.next_cursor for longer threads.
        replies = client.conversations_replies(
            channel=event["channel"],
            ts=thread_ts,
            limit=50,
        )
        bot_user_id = context.get("bot_user_id")
        transcript = []
        for message in replies.get("messages", []):
            text = message.get("text", "")
            if bot_user_id:
                text = text.replace(f"<@{bot_user_id}>", "").strip()
            if text:
                speaker = message.get("user") or message.get("bot_id", "unknown")
                transcript.append(f"{speaker}: {text}")

        say("On it. Gathering context...", thread_ts=thread_ts)

        result = run_agent(
            os.environ["ARCADE_USER_ID"],
            "\n".join(transcript),
        )
        # Slack recommends keeping messages under 4,000 characters.
        # Truncate or chunk longer responses in production.
        say(result, thread_ts=thread_ts)
    except Exception:
        logger.exception("Agent failed")
        say(
            "I couldn't complete that investigation. Check the application logs.",
            thread_ts=thread_ts,
        )


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # This is Bolt's built-in development server. For production,
    # deploy through a supported web-framework adapter (e.g. Flask + Gunicorn).
    app.start(port=int(os.environ.get("PORT", "3000")))

A few things to note. Bolt handles signing-secret verification automatically when you pass signing_secret to the App constructor. The channel allowlist on the first check enforces per-channel scoping so the agent only responds in channels you have explicitly approved. The conversations_replies call retrieves up to one page of thread context so the agent sees more than just the triggering message. Slack’s Events API delivers only the triggering event, not the thread history, so your app must fetch it. And the event.get("bot_id") guard prevents the agent from responding to its own messages and creating an infinite loop.

Step 2: Connect GitHub, Datadog, and PagerDuty with Arcade

Arcade connects your agent to external systems through a curated set of tools. For incident triage, you need read-only tools from GitHub, Datadog, and PagerDuty. Select specific tools rather than loading entire toolkits. Toolkits include write operations that contradict a read-only agent’s scope, and a narrower tool list helps the model pick the right tool more reliably.

These tool names match Arcade’s current GitHub, Datadog, and PagerDuty catalogs:

TOOL_NAMES = [
    "Github.ListRepositoryActivities",
    "Github.GetPullRequest",
    "Datadog.AggregateEvents",
    "Datadog.SearchLogs",
    "Pagerduty.ListIncidents",
    "Pagerduty.ListLogEntries",
]

Authorize tools before first use. GitHub and PagerDuty require OAuth authorization. Datadog requires API credentials configured as Arcade secrets (DATADOG_API_KEY, DATADOG_APPLICATION_KEY, and DATADOG_SITE). Configure the Datadog secrets in the Arcade secrets dashboard, then save the following as authorize.py and run it once to complete the OAuth flows:

from arcadepy import Arcade
import os

arcade = Arcade()
user_id = os.environ["ARCADE_USER_ID"]

OAUTH_TOOLS = [
    "Github.ListRepositoryActivities",
    "Github.GetPullRequest",
    "Pagerduty.ListIncidents",
    "Pagerduty.ListLogEntries",
]

for tool_name in OAUTH_TOOLS:
    auth = arcade.tools.authorize(tool_name=tool_name, user_id=user_id)
    if auth.status != "completed":
        print(f"Authorize {tool_name}: {auth.url}")
        arcade.auth.wait_for_completion(auth.id)

print("All OAuth-backed tools authorized.")

Open each URL and complete the OAuth consent. Arcade stores the tokens and refreshes them automatically. Subsequent calls reuse the authorization until it expires, is revoked, or a tool requires additional permissions. See Arcade’s authorization guide for the full setup flow.

If your agent framework supports MCP natively, you can alternatively create an Arcade MCP Gateway that federates these tools behind a single Streamable-HTTP endpoint. The gateway serves tool definitions over MCP, so your agent discovers exactly the tools you curated. The direct SDK approach shown here works with any framework.

Tool selection is both a technical and product decision. The fewer tools the agent sees, the more reliably it picks the right one.

Step 3: Build the tool-calling agent loop

This is the piece that connects the Slack trigger to the tools. Your agent runtime sits between Slack and Arcade: it receives the thread transcript, uses an LLM to decide what tools to call, and executes them through Arcade.

Arcade is framework-agnostic. It works with LangGraph, the OpenAI Agents SDK, CrewAI, Mastra, Pydantic AI, Google ADK, or any MCP-compatible client. The integration has two touchpoints, both through the arcadepy SDK: tools.formatted.get to load tool definitions, and tools.execute to run them.

Save the following as agent.py. This is the run_agent function imported in Step 1, using the OpenAI Chat Completions API directly:

import json
import os

from arcadepy import Arcade
from openai import OpenAI

arcade = Arcade()   # reads ARCADE_API_KEY from env
llm = OpenAI()      # reads OPENAI_API_KEY from env

# Load tools once at startup, not on every request
TOOL_NAMES = [
    "Github.ListRepositoryActivities",
    "Github.GetPullRequest",
    "Datadog.AggregateEvents",
    "Datadog.SearchLogs",
    "Pagerduty.ListIncidents",
    "Pagerduty.ListLogEntries",
]

OPENAI_TOOLS = []
ARCADE_NAME_BY_FUNCTION = {}

for arcade_name in TOOL_NAMES:
    definition = arcade.tools.formatted.get(
        name=arcade_name,
        format="openai",
    )
    OPENAI_TOOLS.append(definition)
    ARCADE_NAME_BY_FUNCTION[definition["function"]["name"]] = arcade_name

SYSTEM_PROMPT = (
    "You investigate production incidents using only the supplied read-only "
    "tools. Return a concise summary, evidence with source identifiers or "
    "links, a recommended next step, and an Actions taken section. Never "
    "claim a query succeeded unless its tool result confirms success."
)

MAX_TOOL_ROUNDS = 8


def run_agent(user_id: str, query: str) -> str:
    messages = [
        {"role": "system", "content": SYSTEM_PROMPT},
        {"role": "user", "content": query},
    ]

    for _ in range(MAX_TOOL_ROUNDS):
        response = llm.chat.completions.create(
            model=os.getenv("OPENAI_MODEL", "gpt-4.1"),
            messages=messages,
            tools=OPENAI_TOOLS,
            store=False,
        )
        msg = response.choices[0].message
        messages.append(msg)

        if not msg.tool_calls:
            return msg.content or "No response was produced."

        for tc in msg.tool_calls:
            arcade_name = ARCADE_NAME_BY_FUNCTION[tc.function.name]
            result = arcade.tools.execute(
                tool_name=arcade_name,
                input=json.loads(tc.function.arguments),
                user_id=user_id,
            )

            if result.success and result.output:
                value = result.output.value
            else:
                error = (
                    result.output.error.message
                    if result.output and result.output.error
                    else "Unknown tool error"
                )
                value = {"error": error}

            messages.append({
                "role": "tool",
                "tool_call_id": tc.id,
                "content": json.dumps(value, default=str),
            })

    raise RuntimeError("Agent exceeded the maximum number of tool rounds")

A few things worth noting. Tools are loaded once at module level using formatted.get for each specific tool, which avoids pulling in unwanted write operations and eliminates per-request overhead. The ARCADE_NAME_BY_FUNCTION mapping handles the translation between OpenAI’s function names and Arcade’s tool names. The loop caps at MAX_TOOL_ROUNDS to prevent runaway execution. Structured tool failures returned by Arcade are fed back to the model as tool results, so it can report issues in its summary rather than crashing silently. Network and SDK exceptions still bubble to the outer Slack handler. And store=False disables storage of the Chat Completion as application state. It does not itself enable Zero Data Retention; API requests may still generate abuse-monitoring logs according to your organization’s data-control settings.

Arcade documents formatted.get, formatted.list, and the OpenAI format here. Chat Completions remains supported, and GPT-4.1 supports function calling. OpenAI recommends the Responses API for new projects, but the pattern above is valid. For a complete Slack-to-Arcade reference implementation using LangGraph, see ArcadeAI/SlackAgent. For other frameworks, see Arcade’s framework-specific setup guides.

Step 4: Run and test the agent

With all three files saved:

  1. Run python authorize.py once to complete the OAuth flows.
  2. Run python app.py to start the Bolt development server.
  3. In another terminal, run ngrok http 3000 to expose the server.
  4. In your Slack app settings, set the Request URL to https://<your-ngrok-host>/slack/events, subscribe to app_mention, and reinstall the app if Slack prompts you.
  5. Invite the bot to your test channel with /invite @YourBot and try a mention.

Step 5: Configure identity and secure tool access

The prototype above is a shared agent: one fixed service identity (ARCADE_USER_ID) handles every tool call, no matter which teammate tagged the bot. That is the right starting point for a read-only agent, but it is not the only option. A multi-user agent, where each person authorizes tools under their own identity, requires a different auth pattern. Which identity the agent uses, and whether users need to authorize tools themselves, depends on the access model you choose.

A useful architecture for recreating the Claude Tag pattern uses two identity models. Public launch material confirms Claude Tag’s channel-scoped shared identity, and the DM model extends naturally from it:

In shared channels, the agent acts under its own dedicated identity, not the tagging user’s. Permissions are scoped per-channel.

In DMs, the agent runs with the user’s own connectors and credentials.

Replicate this with Arcade’s auth patterns:

For shared-channel agents (like #eng-incidents), use a fixed service identity as shown in Steps 1 through 3. If you are connecting through an MCP Gateway instead of the direct SDK, Arcade Headers authenticates the gateway connection. An important distinction: Arcade Headers authenticates the connection to the gateway itself, but it does not bypass OAuth authorization required by individual tools like GitHub or PagerDuty. Gateway authentication and tool-level authorization are separate layers. That is why the one-time setup in Step 2 is necessary regardless of which auth mode you choose.

For personal DM agents, the tools change too. Instead of shared incident-response tools, a DM agent might access a user’s own Gmail, Calendar, or Drive. Use per-user OAuth through Arcade’s tools.authorize flow. When a tool requires the user’s own credentials, Arcade returns an authorization URL. Your app posts that URL to the user in Slack, waits for consent, then resumes execution. The model never sees the token.

def authorize_and_execute(arcade, slack_client, channel_id, user_id):
    """Authorize a tool for a specific user and execute it."""
    auth = arcade.tools.authorize(
        tool_name="Gmail.ListEmails",
        user_id=user_id,
    )
    if auth.status != "completed":
        # In a DM, use a persistent message (no need for ephemeral)
        slack_client.chat_postMessage(
            channel=channel_id,
            text=f"Please authorize Gmail access: {auth.url}",
        )
        arcade.auth.wait_for_completion(auth.id)

    return arcade.tools.execute(
        tool_name="Gmail.ListEmails",
        user_id=user_id,
    )

Arcade stores and refreshes OAuth tokens automatically. Subsequent calls reuse the authorization until it expires, is revoked, or a tool requires additional permissions.

Note that Step 1 does not currently implement DM support. To add it, you need the bot scope im:history, the bot event message.im, and a separate @app.event("message") handler that checks event["channel_type"] == "im" and filters out bot messages. Slack does not deliver DMs as app_mention events. See Slack’s message.im documentation.

For a per-user identity without requiring email scopes in Slack, Arcade accepts any consistent unique identifier. A composite Slack identity like f"{body['team_id']}:{event['user']}" works and avoids the need for users:read or users:read.email permissions.

For production multi-user agents, use Arcade’s custom user verifier so end-user identity is verified against your own identity system rather than relying on Slack ID mapping alone. Note that production multi-user OAuth also requires your own provider OAuth app credentials, since Arcade’s default OAuth apps use the Arcade verifier.

Step 6: Return auditable results in Slack

Trustworthy agents show their work. Structure every response so a human can verify what happened before acting on it.

Here is what a good incident-triage response looks like in Slack:

Summary: Checkout error rate increased 340% starting at 14:32 UTC, correlating with deployment v2.41.3 merged at 14:28.
Evidence:
- Datadog: p99 latency spiked from 220ms to 1,400ms at 14:32
- GitHub: PR #1847 modified the payment validation middleware
- PagerDuty: No prior incidents on checkout-service in the last 7 days
Recommended next step: Review the diff in PR #1847, specifically checkout/validation.py lines 84-112. Consider a rollback if error rate does not stabilize within 15 minutes.
Actions taken: Read-only queries to GitHub, Datadog, and PagerDuty. No writes performed.

The “actions taken” line matters. It tells the team exactly what the agent did and, just as importantly, what it did not do.

How to secure and govern a Claude Tag-style Slack agent

Governance is not a compliance afterthought. It is what lets teams deploy useful agents in the first place. Without clear controls, security teams will block the project before it ships.

Start read-only. Give the agent query access to GitHub, Datadog, and PagerDuty. Do not grant write access until the team has confidence in the agent’s judgment.

Require approval before consequential writes. Opening a PR, acknowledging a PagerDuty incident, posting to a customer-facing channel: these should require a human to confirm. Arcade’s Contextual Access hooks let you enforce this with pre-execution webhooks that allow, deny, or modify tool execution. Your application collects the human approval and resumes the job; Contextual Access handles the policy-enforcement layer.

Scope tool access by workflow. The incident agent should not see CRM tools. The support agent should not see deployment tooling. Separate tool sets per workflow enforce this structurally, whether you use explicit tool lists in the SDK or separate MCP Gateways.

Log what the agent did. Arcade’s audit logs capture administrative actions by default. Combine these with your application-level logs and downstream SaaS audit trails so you can always answer: what did the agent do, under which identity, in which system?

Make it easy to stop. A kill switch is a feature. Revoking the agent’s dedicated API key or disabling the Slack app should take seconds.

Build the Slack agent your team will actually tag

The goal is not an AI agent that can do everything. It is one dependable agent that removes friction from a workflow your team performs every week.

Pick the workflow. Define the toolset. Wire up the Slack trigger. Connect the tools through Arcade.dev. Start read-only, return inspectable results, and expand scope as trust builds.

The team that ships a useful agent in one channel next week will learn more than the team that spends a quarter designing a platform for every channel.

Start here:

  • Identify one recurring, cross-system workflow your team performs in Slack
  • Pick a small read-only toolset from Arcade’s tool catalog
  • Authorize those tools for your service identity (python authorize.py)
  • Build the Slack trigger with thread context retrieval and error handling
  • Deploy, observe, and expand deliberately

Explore Arcade’s tool catalog, authorization guides, and MCP Gateway documentation to get started. The code from this guide is on GitHub. Fork it and build something useful.

Frequently Asked Questions

What is Claude Tag?

Claude Tag is Anthropic’s shared AI agent for Slack, launched on June 23, 2026 for Enterprise and Team customers. Unlike the previous Claude in Slack integration, which ran as a personal assistant under each user’s own account, Claude Tag operates as a shared teammate in channels. Anyone can tag @Claude, and the entire exchange is visible to the channel. It reads thread context, uses connected tools, and posts structured results in-thread.

How is Claude Tag different from Claude in Slack?

Claude in Slack gave each user a private instance that acted under their personal permissions and usage quota. Claude Tag replaces that with a single shared identity per channel, scoped by an admin. Work is visible to the whole channel, anyone can pick up a conversation where someone else left off, and Claude builds persistent context as it follows along. Anthropic will automatically migrate existing Claude in Slack workspaces to Claude Tag on August 3, 2026.

Can you build your own version of Claude Tag?

Yes. Claude Tag’s core interaction pattern is reproducible: a Slack event trigger, an LLM reasoning loop, and authorized access to external tools. This tutorial builds that pattern with Python, Slack Bolt, and Arcade. Arcade handles tool connectivity and OAuth token management so you can connect to systems like GitHub, Datadog, and PagerDuty without managing credentials yourself. The result is not Anthropic’s proprietary product, but a Claude Tag-style agent you fully control.

What does Arcade do in a Slack AI agent?

Arcade is the action layer between your agent and external tools. It handles three things: loading tool definitions formatted for your LLM, executing tool calls with the correct credentials injected at runtime, and managing OAuth authorization flows so the model never sees tokens or API keys. You choose which tools the agent can access, and Arcade enforces that scope on every request.

Does my Slack AI agent have access to user passwords or API keys?

No. Arcade manages all credentials on the server side. When a tool requires OAuth (like GitHub or PagerDuty), the user completes a consent flow once and Arcade stores and refreshes the token. When a tool requires API keys (like Datadog), those are configured as secrets in the Arcade dashboard. The LLM and your application code never see raw credentials. Arcade injects the right token at execution time.