v1.9.9: Final 1.x Patch - Drift Cleanup + Dependency Batch + Perfmatters Fix

Final 1.x patch release. v2 is in design as a separate scope; v1.9.9 leaves the v1.x branch in a clean, dependency-current, well-documented state.

Independently reviewed across 5 rounds of Codex GPT-5.5 xhigh before each PR push.

What's in v1.9.9

PR	Scope	Closes
#93	Orchestrator + marketplace + AGENTS.md drift cleanup + 4 new CI assertions (9 -> 13)	#92
#94	5-package Dependabot floor bumps batched + isolated-venv smoke-tested	#76 #77 #78 #79 #80
#95	Perfmatters / EWWW / generic JS lazy-loader detection in parse_html.py + consumer wiring	#41
#96	Atomic version bump (33 files: 5 top-level + 24 in-tree skills + 3 extensions + install scripts)	-

Highlights

CI guard now covers 13 assertions

Closes the silent-ship surfaces the v1.9.8 guard missed:

• test_orchestrator_sub_skills_list_matches_disk - orchestrator's numbered Sub-Skills list must equal set(skills/*) - {seo}. No duplicates.
• test_orchestrator_subagents_list_matches_disk - orchestrator's bulleted Subagents list must equal set(agents/seo-*.md). No duplicates.
• test_skill_metadata_versions_match_plugin_json - every skills/*/SKILL.md and extensions/*/skills/*/SKILL.md metadata.version must equal plugin.json version, with seo-content-brief allowlisted at 1.0.0. Scoped to YAML frontmatter only.
• test_marketplace_metadata_and_author_parity - marketplace.json metadata.description includes both counts and they match plugin.json; plugin entry author parities plugin.json author for name, email, AND url.

Image audit now detects JS lazy-loaders

Issue #41 reported sites optimized with Perfmatters being audited as "not lazy-loaded" because the audit only checked the loading="lazy" HTML attribute. JS lazy-loaders intentionally strip that attribute and replace src with placeholders. scripts/parse_html.py now emits a lazy_method field on every image with one of 5 values:

lazy_method	Signal	Common stack
native	loading="lazy" HTML attribute	Modern browsers, plain HTML
perfmatters	data-perfmatters-src / -srcset OR class perfmatters-lazy	WordPress + Perfmatters
ewww	data-ewww-src / data-eio OR class lazyload-eio	WordPress + EWWW Image Optimizer
js-generic	data-src / data-lazy-src / data-original / data-srcset OR class lazyload/lazyloaded/lazy	lazysizes, vanilla-lazyload, jQuery
none	Neither attribute nor class signal	Page is not lazy-loading this image

Dependency floor bumps

Package	Before	After
playwright	1.56.0	1.59.0
weasyprint	61.0	68.1
openpyxl	3.1.0	3.1.5
google-api-python-client	2.100.0	2.196.0
google-auth-oauthlib	1.0.0	1.4.0

All upper bounds preserved. Smoke-tested in an isolated venv against the actual API surface.

Migration notes

• google-auth-oauthlib 1.4.0 drops Python 3.9 support. This repo's pyproject.toml requires Python >=3.10 already, so no impact for the declared support matrix. External consumers still on 3.9 should pin google-auth-oauthlib<1.4.0 themselves.

• Orchestrator Sub-Skills list was renumbered (added seo-content-brief, removed seo-firecrawl from the numbered list - Firecrawl is now in a new "Optional Extensions" subsection because it lives in extensions/, not skills/). No downstream consumer in this repo references sub-skills by index.

Deferred to v2

v1.9.9 explicitly scopes out items that need a fresh design conversation:

• #11 SPA / CSR audit support
• #51 Subagent research persistence
• #61 google_report.py --type full audit-schema handling
• #89 uv adoption
• #53 seo-notebooklm skill
• #46 path resolution + macOS SSL

Install

# Plugin install (recommended)
/plugin install claude-seo@agricidaniel-seo

# Manual install (now correctly resolves v1.9.9)
curl -fsSL https://github.com/AgriciDaniel/claude-seo/raw/main/install.sh | bash

Verify

python3 -m pytest tests/ -v
# Expected: 39 passed (13 manifest + 15 sync_flow + 11 lazy detection)

Full changelog: v1.9.8...v1.9.9

v1.9.8: Manifest Consistency Guard + Uninstall Fix

v1.9.8: Manifest Consistency Guard + Post-v1.9.7 Polish

A same-day patch release on top of v1.9.7 that fixes a recurring skill-count drift, locks in two post-tag polish commits that were intended for v1.9.7 but landed too late, and adds a CI guard so this class of drift cannot ship again.

Why a same-day v1.9.8

1. Skill-count drift returned via PR #56. The reconciliation in v1.9.7 locked the canonical phrasing at "20 core" sub-skills. After Phase A locked it, PR #56 (seo-content-brief by @puneetindersingh) merged a 21st core skill, but the canonical phrasing was not re-run. v1.9.7 shipped with manifests + docs claiming 24 sub-skills when reality is 25.
2. Two commits landed on main after the v1.9.7 tag. 8514999 (marketplace metadata polish, added category, author.email, docs-site homepage, 14-keyword array) and 66a7485 (em-dash sweep on user-visible AGENTS.md and CHANGELOG.md) were scoped at v1.9.7 but landed post-tag. v1.9.8 captures them in a tagged release.

Fixed

• Skill-count reconciliation. plugin.json, marketplace.json (both descriptions), CLAUDE.md, AGENTS.md, README.md, and docs/ARCHITECTURE.md now all reference 25 sub-skills (21 core + 1 orchestrator + 1 framework integration + 2 extension mirrors). Math: 21 + 1 + 1 + 2 = 25. Verified against ls -d skills/*/.

Added

• tests/test_manifest_consistency.py with 7 assertions:
  1. plugin.json description's N sub-skills claim equals on-disk skill directory count
  2. plugin.json description's N sub-agents claim equals on-disk agent file count
  3. marketplace.json plugin entry's sub-skills count matches plugin.json
  4. marketplace.json plugin entry's sub-agents count matches plugin.json
  5. README, CLAUDE.md, AGENTS.md all reference the canonical sub-skills count
  6. plugin.json version equals CITATION.cff version
  7. Canonical math adds up (parenthetical breakdown sums to the headline number)
• pytest tests/ job in .github/workflows/ci.yml runs the new suite plus the existing test_sync_flow.py on every push to main and every pull request. Uses GH_TOKEN to avoid anonymous GitHub API rate limiting.

Changed

• uninstall.sh and uninstall.ps1 now use glob enumeration rather than a hardcoded skill list. The previous scripts had been frozen at v1.4.0-era state and missed 12 sub-skills and 11 sub-agents added between v1.5 and v1.9.8. Anyone running the old uninstaller got half a cleanup. Glob enumeration (skills/seo, skills/seo-*, agents/seo-*.md) auto-tracks future additions without requiring uninstaller maintenance per release. Sandbox-tested with 8 assertions: removes every seo and seo-* skill plus every seo-*.md agent while leaving sibling skills (e.g. blog-writer, security) untouched.

This release also rolls forward two commits that landed on main after the v1.9.7 tag:

• 8514999 marketplace metadata polish: added category: "marketing", author.email, homepage: https://claude-seo.md, and a 14-keyword array on the marketplace.json plugin entry. These are read by Anthropic's marketplace curation and improve directory discoverability.
• 66a7485 em-dash sweep on user-visible AGENTS.md and CHANGELOG.md. Skills, agents, and extension internals deliberately preserved (those are LLM-readable instruction text and careless replacement could subtly change behavior).

Migration

None required. Drop-in patch release.

Dependencies

No runtime dependency changes. The five Dependabot bump PRs queued in the v1.9.7 release window remain queued for a v1.9.9 follow-up batch.

Test count

22 tests pass: 7 new manifest-consistency tests plus 15 existing in test_sync_flow.py.

Full changelog

v1.9.7...v1.9.8

v1.9.7: Marketplace Readiness Pass

v1.9.7: Marketplace Readiness Pass

A patch release that cleans up documentation drift, lands nine community pull requests from seven external contributors, and fixes eight user-visible bugs. No skill behavior changes, no breaking changes, drop-in upgrade.

Highlights

• Skill-count drift across five manifests reconciled to one canonical phrasing: 24 sub-skills (20 core + 1 orchestrator + 1 framework integration + 2 extension mirrors) and 18 sub-agents (15 core + 1 framework integration + 2 extension mirrors).
• Nine community pull requests merged from seven external contributors (see Community contributions below).
• README, docs/ARCHITECTURE.md, and docs/COMMANDS.md rewritten to match the v1.9.7 surface (was stuck at v1.4-era state).
• Code of Conduct, Dependabot config, and least-privilege CI permissions added.
• extensions/dataforseo/ skill mirror brought from v1.6.1 forward (was three minor versions behind core).
• Three MCP extension installers now pin specific package versions for supply-chain stability: dataforseo-mcp-server@2.8.10, firecrawl-mcp@3.11.0, @ycse/nanobanana-mcp@1.1.1.

Bug fixes

• Windows hook compatibility (closes #68). hooks/hooks.json now uses python rather than python3. The hardcoded python3 triggered a Microsoft Store stub or NotFound on Windows installs, breaking PostToolUse on every Edit / Write.
• OAuth refresh persists oauth_client_path (closes #72). The OAuth flow exchanged the auth code, saved the token, but never wrote the client-secret file path to ~/.config/claude-seo/google-api.json. Every Google API call 401'd within one hour until the user re-ran --auth. Fix persists the path (never the secret value itself) atomically via a tempfile + os.replace.
• pagespeed_check.py KeyError: 'audit_details' (closes #57, PR #69 by @evanlu14). Result dict initialization was missing the audit_details key.
• moz_api.py migrated to v2 REST endpoints (PR #73 by @NicT89). Backlinks audits were broken on the deprecated JSON-RPC v1 endpoint.
• seo-geo agent gains Write tool (PR #74 by @AndronMan). The agent timed out producing no output; the missing tool prevented report-file generation.
• keyword_planner.py missing top-level import os. os.path.expanduser and os.path.exists were called at runtime; import os only existed inside an except ImportError block, causing a NameError when the primary import path succeeded.
• dataforseo_normalize.py handles None inputs gracefully. Three normalizers (normalize_merchant, normalize_social, normalize_reviews) now early-return [] when items is None or empty, closing the iteration-on-None failure mode behind issue #58.
• Schema-validation hook caps file size at 10 MB. The hooks/validate-schema.py PostToolUse hook now checks file size before reading and exits silently on anything over 10 MB, bounding memory and hook latency.

Community contributions

Nine pull requests from seven external contributors:

Contributor	PR	What
@xiaolai	#62	Sync extensions/dataforseo skill with core
@xiaolai	#63	Sync extensions/banana seo-image-gen skill
@xiaolai	#64	Pin MCP server package versions in extension installers
@CrepuscularIRIS	#67	Detect marketplace plugin install path in DataForSEO extension
@evanlu14	#69	pagespeed_check KeyError fix
@EDSprog	#70	Update README install section
@NicT89	#73	Migrate moz_api to v2 REST endpoints
@AndronMan	#74	Add Write tool to seo-geo agent
@puneetindersingh	#56	Add seo-content-brief skill

Thank you to everyone who shipped code into this release.

Documentation

• README.md reduced from 446 to 389 lines. Removed the third-party Showcase section, the Publishing Pipeline cross-promo, the stale "Recently Added" block, and the duplicated trailing footer. Folded MCP Integrations into the Extensions intro. Reordered the Table of Contents to match document flow. All version markers like "(New in v1.7.0)" stripped from feature headers (those rot per release; CHANGELOG is the canonical source).
• docs/ARCHITECTURE.md directory tree rewritten to current state. Was stuck at v1.4-era with 13 skills listed and the Firecrawl extension absent entirely. Now reflects all 24 sub-skills, 18 sub-agents, 3 extensions, and the conditional subagent-spawn logic in the orchestrator.
• docs/COMMANDS.md adds 11 previously undocumented commands: local, maps, backlinks, cluster, sxo, drift, ecommerce, flow, google, image-gen, firecrawl. Quick-reference table at the bottom now matches the README.
• docs/INSTALLATION.md adds the plugin install path (/plugin marketplace add + /plugin install) as the recommended option. The hardcoded 19-line uninstall block has been replaced with a pointer to the shipped uninstall.sh.
• CONTRIBUTORS.md adds nine v1.9.7 community PRs from seven contributors.
• CITATION.cff brought current at 1.9.7 (was stuck at 1.8.2, six minor versions behind).
• CONTRIBUTING.md, PRIVACY.md, and docs/MCP-INTEGRATION.md received small drift fixes.

Added

• CODE_OF_CONDUCT.md (Contributor Covenant 2.1) closes the GitHub Community Standards gap. Reporting path wired to the repository's GitHub Security Advisory endpoint.
• .github/dependabot.yml enables weekly Dependabot updates for the pip and github-actions ecosystems.
• .github/workflows/ci.yml permissions: { contents: read } block at workflow root locks GITHUB_TOKEN to least-privilege scope.

Removed

• translations/uk/ (six docs plus .glossary.yaml). The Ukrainian localization originally contributed by @edocltd in PR #50 (shipped in v1.9.0) has been retired. The translation drifted across v1.9.0 through v1.9.7 with no maintenance signal, and a partially translated set is worse than no translation at all when readers cannot tell what is current. @edocltd's contribution remains credited in CONTRIBUTORS.md. Future translations should land via a contributor who can commit to keeping them in sync release over release.

Migration

None required. Drop-in patch release.

Dependencies

No runtime dependency changes in this release. Five Dependabot bump PRs are queued (openpyxl, google-api-python-client, weasyprint, google-auth-oauthlib, playwright) and will be evaluated in a v1.9.8 follow-up batch.

Full changelog

v1.9.6...v1.9.7

v1.9.6: FLOW Security Hardening

This release is the security-pass companion to v1.9.5, which introduced the FLOW SEO framework integration. v1.9.5 shipped functional FLOW capability. v1.9.6 audits and locks down the new attack surface introduced by that integration.

These notes cover both: the FLOW additions carried forward from v1.9.5, and the security hardening new in v1.9.6.

📖 Read the deep-dive: Claude SEO v1.9.6: FLOW Framework Security Hardened covers what FLOW is, how the agent picks 2 to 3 prompts from 21, and how the audit pass closed every finding the same day.

---

What v1.9.5 introduced (the FLOW integration)

FLOW is an evidence-led SEO framework by Daniel Agrici, licensed under CC BY 4.0. It models SEO as a continuous loop with four core stages plus a Local-SEO branch.

                       ┌─────────────────────────────────┐
                       │                                 │
                       ▼                                 │
┌──────────┐    ┌────────────┐    ┌─────────────┐    ┌──────┐
│   FIND   │───►│  LEVERAGE  │───►│  OPTIMIZE   │───►│ WIN  │
│ research │    │ amplify    │    │ implement   │    │ rank │
│ keywords │    │ E-E-A-T    │    │ on/off page │    │ track│
│ markets  │    │ authority  │    │ technical   │    │ adapt│
└──────────┘    └────────────┘    └─────────────┘    └──────┘
                                          │
                                          ▼
                                    ┌──────────┐
                                    │  LOCAL   │
                                    │ GBP, NAP │
                                    │ map pack │
                                    └──────────┘

Stages and prompts (41 total, all CC BY 4.0)

• FIND (5 prompts): topical relevance, keyword research, market mapping
• LEVERAGE (1 prompt): E-E-A-T amplification, authority signals
• OPTIMIZE (21 prompts): on-page, off-page, technical, content. Context-matched: the skill selects 2 to 3 relevant prompts based on URL signals, never dumps all 21
• WIN (3 prompts): rank tracking, performance loops, iteration discipline
• LOCAL (11 prompts): GBP, citations, NAP consistency, map pack strategy

Files added in v1.9.5

File	Purpose
skills/seo-flow/SKILL.md	Orchestrator skill (8 commands)
agents/seo-flow.md	FLOW subagent
scripts/sync_flow.py	GitHub API sync (stdlib only)
skills/seo-flow/references/prompts/{stage}/*.md	41 prompt files
skills/seo-flow/references/flow-framework.md	Framework documentation
skills/seo-flow/references/bibliography.md	Source attribution

Commands

Command	Purpose
/seo flow find <url>	Apply FIND-stage prompts
/seo flow leverage <url>	Apply LEVERAGE-stage prompts
/seo flow optimize <url>	Context-matched OPTIMIZE prompts (2 to 3 of 21)
/seo flow win <url>	Apply WIN-stage prompts
/seo flow local <url>	Apply LOCAL-stage prompts
/seo flow prompts	List all available prompts
/seo flow sync	Pull latest prompts from upstream FLOW repo
/seo flow sync --ref <sha>	Pin sync to a specific upstream commit

Cross-skill integrations

FLOW notes were added to seo-geo, seo-local, seo-content, and seo-cluster skills so they reference the relevant FLOW stage when their analysis surfaces overlap with FLOW guidance.

License

FLOW content is bundled under CC BY 4.0. Attribution headers are written by sync_flow.py onto every prompt file. Claude SEO's MIT license applies to skill code only and is unchanged.

Security architecture (v1.9.6 hardening)

┌──────────────────────────────────────────────────────────────┐
│  /seo flow                                                   │
│       │                                                      │
│       ▼                                                      │
│  seo-flow agent (sandboxed: Read, WebFetch, Glob, Grep)     │ ◄── VULN-A01: no Bash
│       │                                                      │ ◄── VULN-A05: WebFetch tagged untrusted
│       │ reads prompts on-demand                              │
│       ▼                                                      │
│  references/prompts/{stage}/*.md ◄── INFO-A14: CC BY 4.0    │
│  references/flow-prompts.lock    ◄── VULN-A04: SHA-256       │
└──────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────┐
│  scripts/sync_flow.py (orchestrator-only, runs on demand)   │
│       │                                                      │
│       │ anonymous request first                              │ ◄── VULN-A02 + A07
│       ▼                                                      │
│  api.github.com (HTTPS+host allowlist) ◄── VULN-A10         │
│       │ on 403, escalate to gh auth token if available      │ ◄── VULN-A06: optional
│       ▼                                                      │
│  validated content ─► path containment ─► atomic write       │ ◄── VULN-A03 + A08
│  (5 MB cap, 15s timeout)                ◄── VULN-A09        │
└──────────────────────────────────────────────────────────────┘

Findings fixed (10 total)

ID	Severity	Vector	Fix
VULN-A01	🔴 HIGH	Prompt injection to shell exec	Removed Bash from seo-flow agent tool grant
VULN-A02	🟠 MEDIUM	Token leak on cross-host redirect	Anonymous-first request strategy (PAT never default)
VULN-A03	🟠 MEDIUM	Path traversal write	Path.resolve() containment check in record_write()
VULN-A04	🟠 MEDIUM	Upstream prompt tampering	SHA-256 lockfile (flow-prompts.lock, sha256sum-compatible) plus drift detection
VULN-A05	🟠 MEDIUM	Prompt injection via WebFetch	Explicit untrusted-content rule in agent body
VULN-A06	🟡 LOW	Hard-fail without gh CLI	Graceful degradation to anonymous API
VULN-A07	🟡 LOW	Wide-scope PAT exposure	403-triggered token fallback only when actually needed
VULN-A08	🟡 LOW	Partial-write corruption on interrupt	Atomic writes via tempfile.mkstemp plus shutil.move
VULN-A09	🟡 LOW	Memory exhaustion (large response)	5 MB response cap plus 15s urlopen timeout
VULN-A10	🟡 LOW	SSRF via API_ROOT modification	URL allowlist: HTTPS scheme plus api.github.com host (blocks @evil.com userinfo bypass)
INFO-A14	⚪ INFO	Missing license attribution	CC BY 4.0 header in references/prompts/README.md

Test coverage

5 to 15 tests (10 new security-focused tests, all passing).

tests/test_sync_flow.py
├─ test_dry_run_exits_zero                              [pre-existing]
├─ test_dry_run_produces_valid_json                     [pre-existing]
├─ test_dry_run_does_not_write_files                    [pre-existing]
├─ test_real_sync_produces_prompts_per_stage            [pre-existing]
├─ test_synced_files_have_attribution_headers           [pre-existing]
├─ test_agent_tools_does_not_include_bash               [VULN-A01]
├─ test_agent_has_untrusted_webfetch_rule               [VULN-A05]
├─ test_base_headers_has_no_authorization               [VULN-A02]
├─ test_authed_headers_degrades_when_gh_missing         [VULN-A06]
├─ test_validate_github_url_blocks_non_github_host      [VULN-A10]
├─ test_validate_github_url_blocks_userinfo_ssrf        [VULN-A10]
├─ test_validate_github_url_allows_github_api           [VULN-A10]
├─ test_record_write_blocks_path_traversal              [VULN-A03]
├─ test_sha256_is_deterministic                         [VULN-A04]
└─ test_prompts_readme_has_cc_attribution               [INFO-A14]

Breaking changes

None. All security fixes are additive or behavior-preserving for legitimate workflows:

• The seo-flow agent loses Bash, but it never needed Bash for its documented job (read prompts, fetch URL, return analysis). The orchestrator-level /seo flow sync still has Bash and runs python scripts/sync_flow.py normally.
• sync_flow.py no longer requires gh CLI for public repo syncs. gh is still respected as a 403 rate-limit fallback when available.
• The new flow-prompts.lock is generated automatically on next sync. Existing users see one-time ADDED lines on first run after upgrading.

Migration

# Pull latest
git pull origin main && git checkout v1.9.6

# (Optional) regenerate the lockfile against current upstream
python scripts/sync_flow.py

# Verify
python -m pytest tests/test_sync_flow.py -v
# Expected: 15 passed

Audit grade

State	Grade	Findings
Pre-fix (post v1.9.5)	B (88/100)	1 HIGH, 4 MEDIUM, 5 LOW
Post-fix (this release)	A (95+/100)	0 outstanding, 15/15 tests cover each fix

Files changed (v1.9.5 to v1.9.6)

• agents/seo-flow.md: tool grant reduced, security rules added
• scripts/sync_flow.py: full security pass (token strategy, URL allowlist, path containment, atomic writes, lockfile generation, drift detection)
• skills/seo-flow/references/prompts/README.md: CC BY 4.0 header
• skills/seo-flow/references/flow-prompts.lock: NEW (SHA-256 baseline, sha256sum-compatible)
• tests/test_sync_flow.py: 10 new tests
• .claude-plugin/plugin.json: version 1.9.6
• CHANGELOG.md: [1.9.6] section
• CONTRIBUTORS.md: FLOW credit retained from v1.9.5
• (Post-release drift fix in commit a9cf338): pyproject.toml, all 24 skills/*/SKILL.md, CLAUDE.md, .github/workflows/ci.yml synchronized to 1.9.6

Credits

• FLOW framework: Daniel Agrici, CC BY 4.0
• Security audit: post-v1.9.5 cybersecurity skill review (8 specialist agents, STRIDE methodology)
• Implementation: Subagent-Driven Development with two-stage review (spec compliance plus code quality) ...

v1.9.5: FLOW Framework Integration

This release introduces the FLOW SEO framework as the 21st core sub-skill in Claude SEO. FLOW is an evidence-led methodology for end-to-end SEO work, contributed under CC BY 4.0 by Daniel Agrici.

📖 Read the deep-dive: Claude SEO v1.9.6: FLOW Framework Security Hardened is the long-form story of v1.9.5 + v1.9.6. What FLOW is, how the agent picks prompts, and why the security pass shipped the same day.

---

What is FLOW?

FLOW models SEO as a continuous loop with four core stages plus a Local-SEO branch. Each stage has a curated set of operational prompts that the seo-flow skill applies to a target URL.

                       ┌─────────────────────────────────┐
                       │                                 │
                       ▼                                 │
┌──────────┐    ┌────────────┐    ┌─────────────┐    ┌──────┐
│   FIND   │───►│  LEVERAGE  │───►│  OPTIMIZE   │───►│ WIN  │
│ research │    │ amplify    │    │ implement   │    │ rank │
│ keywords │    │ E-E-A-T    │    │ on/off page │    │ track│
│ markets  │    │ authority  │    │ technical   │    │ adapt│
└──────────┘    └────────────┘    └─────────────┘    └──────┘
                                          │
                                          ▼
                                    ┌──────────┐
                                    │  LOCAL   │
                                    │ GBP, NAP │
                                    │ map pack │
                                    └──────────┘

Stages and prompts (41 total, all CC BY 4.0)

• FIND (5 prompts): topical relevance, keyword research, market mapping
• LEVERAGE (1 prompt): E-E-A-T amplification, authority signals
• OPTIMIZE (21 prompts): on-page, off-page, technical, content. Context-matched: the skill selects 2 to 3 relevant prompts based on URL signals, never dumps all 21
• WIN (3 prompts): rank tracking, performance loops, iteration discipline
• LOCAL (11 prompts): GBP, citations, NAP consistency, map pack strategy

Files added

File	Purpose
skills/seo-flow/SKILL.md	Orchestrator skill (8 commands)
agents/seo-flow.md	FLOW subagent (applies stage prompts to target URLs, returns evidence-tagged findings)
scripts/sync_flow.py	GitHub API sync (stdlib only). Pulls latest prompts, framework doc, and bibliography from AgriciDaniel/flow. Supports --dry-run and --ref <sha> pinning
skills/seo-flow/references/prompts/{find,leverage,optimize,win,local}/*.md	41 prompt files
skills/seo-flow/references/flow-framework.md	Framework documentation
skills/seo-flow/references/bibliography.md	Source attribution

Commands

Command	Purpose
/seo flow find <url>	Apply FIND-stage prompts
/seo flow leverage <url>	Apply LEVERAGE-stage prompts
/seo flow optimize <url>	Context-matched OPTIMIZE prompts (2 to 3 of 21)
/seo flow win <url>	Apply WIN-stage prompts
/seo flow local <url>	Apply LOCAL-stage prompts
/seo flow prompts	List all available prompts
/seo flow sync	Pull latest prompts from upstream FLOW repo
/seo flow sync --ref <sha>	Pin sync to a specific upstream commit

Cross-skill integrations

FLOW notes were added to four sibling skills so their analysis surfaces reference the relevant FLOW stage when overlap exists:

• seo-geo: GEO and AI search optimization (FIND + OPTIMIZE)
• seo-local: Local SEO (LOCAL stage)
• seo-content: E-E-A-T content quality (LEVERAGE + OPTIMIZE)
• seo-cluster: Semantic topic clustering (FIND + OPTIMIZE)

Orchestration

The orchestrator now spawns up to 16 subagents (was 15). Plugin manifest reports 21 core sub-skills (was 20). Sibling SKILL.md files were stamped to v1.9.5.

License

Component	License
FLOW prompt content (41 files)	CC BY 4.0 (Daniel Agrici)
Claude SEO skill code	MIT (unchanged)

Attribution headers are written by sync_flow.py onto every prompt file at sync time. The agent is required to output the CC BY 4.0 attribution line before any analysis.

Try it

git pull origin main
git checkout v1.9.5

# (First-time only) sync prompts from upstream FLOW repo
python scripts/sync_flow.py

# Apply FIND-stage prompts to a target URL
/seo flow find https://example.com

What's next

v1.9.6 follows up with a post-release security audit and hardening pass over the FLOW integration (10 findings fixed, 5 to 15 tests). We recommend v1.9.6 for new installations.

Credits

• FLOW framework: Daniel Agrici, CC BY 4.0
• Integration: orchestrator wiring, sync script, agent definition, cross-skill notes

v1.9.0: Pro Hub Challenge Community Integration

Video Walkthrough

Community-Driven Release

6 submissions from the AI Marketing Hub Pro community. 5 scored Proficient or above. 4 new skills integrated.

---

New Skills (4)

seo-cluster — Semantic topic clustering via SERP overlap analysis. Hub-spoke architecture with interactive SVG visualization. Identifies which keywords to group into pillar pages vs supporting pages without paid tools. By Lutfiya Miller.

seo-sxo — Search Experience Optimization. "Read SERPs backwards" methodology: detect page-type mismatches, score against user personas, identify intent gaps. By Florian Schmitz.

seo-drift — "Git for SEO" baseline monitoring. Captures snapshots to SQLite, runs 17 comparison rules across 3 severity levels, generates HTML diff reports. By Dan Colta.

seo-ecommerce — E-commerce SEO with product schema generation, DataForSEO Merchant API integration for Google Shopping and Amazon intelligence. By Matej Marjanovic.

---

Enhanced Skills (1)

seo-hreflang — DACH, FR, ES, JA cultural profiles added. Locale format validation, content parity checks for multilingual sites. By Chris Muller.

---

New Scripts (7)

• drift_baseline.py — Capture SEO baseline snapshots
• drift_compare.py — Run 17-rule comparison against baseline
• drift_history.py — Query drift history over time
• drift_report.py — Generate HTML drift diff reports
• dataforseo_costs.py — Cost estimation and budget tracking
• dataforseo_merchant.py — Google Shopping + Amazon data fetching
• dataforseo_normalize.py — DataForSEO response normalization

---

Security Fixes (4)

• Cost guardrail bypass (HIGH): Unknown DataForSEO endpoints defaulted to $0 cost, bypassing the approval gate. Fixed: unknown endpoints now flag needs_approval. Reset command added --confirm requirement and audit trail.
• XSS in cluster-map.html (MEDIUM): Cluster labels rendered as raw HTML. Fixed: all labels wrapped in escapeHtml().
• File locking (MEDIUM): Cost ledger had no concurrency protection. Fixed: fcntl locking on all writes.
• CI coverage (LOW): 7 new scripts missing from validation matrix. Fixed: all added to .github/workflows/ci.yml.

Security audit score: 85/100. 11 findings deferred to v1.9.1 (all pre-existing, formally documented for the first time).

---

New Files

• AGENTS.md — Multi-platform bootstrap instructions (Cursor, Antigravity)
• CONTRIBUTORS.md — Pro Hub Challenge attribution credits
• claude-seo-slides/ — HTML slide deck for community presentation
• skills/seo-dataforseo/references/cost-tiers.md — Cost tier reference

---

Stats

Metric	v1.8.x	v1.9.0
Skills	19	23
Agents	13	17
Scripts	23	30
Reference files	18	27

---

Community

Built with the AI Marketing Hub Pro community. Pro Hub Challenge v2 is live — keyword: LEADS, $600 prize pool, deadline April 28.

v1.8.2: Repo Audit — Version Sync, Doc Drift, CI Coverage

What's Changed

Comprehensive repository audit addressing documentation drift, stale install scripts, CI gaps, and privacy disclosures. Merged 3 community PRs.

Highlights

• Install scripts fixed: New users via curl | bash now get v1.8.2 (was pinned to v1.7.2)
• Supply chain fix: Removed deprecated irm | iex from docs/INSTALLATION.md
• CI expanded: 15 → 21 scripts covered by syntax check (all backlink scripts added)
• Privacy disclosures: Backlink API data flows (Moz, Bing, Common Crawl) added to PRIVACY.md
• First i18n: Ukrainian localization by @edocltd
• README updated: 4 missing commands, Firecrawl extension section, corrected counts

Community PRs Merged

• #43 Fix stuck extension install by @olivierroy
• #45 Correct sub-skills count in README by @MalteBerlin
• #50 Ukrainian localization by @edocltd

Full Changelog

See CHANGELOG.md for complete details.

Full Changelog: v1.8.1...v1.8.2

v1.8.1: Google Images SERP, Image Optimization, Standards Compliance

What's New

Google Images SERP Analysis

• /seo dataforseo serp-images <keyword>: Fetch live Google Images search results via DataForSEO
• See which domains dominate image results, analyze alt text patterns, identify format distribution
• Domain dominance analysis, opportunity scoring for keywords where you rank organically but not in images

Image File Optimization

• /seo images optimize <path>: Convert to WebP/AVIF, inject IPTC/XMP metadata, generate responsive variants
• IPTC Creator/Copyright injection for Google Images rich results display
• Full pipeline: audit metadata, inject, convert, resize, verify
• Ranking factors reference: what matters (alt text, filename, page context) vs what does not (EXIF camera data, IPTC keywords)

Image SERP Cross-Skill

• /seo images serp <keyword>: Cross-reference on-page images with Google Images SERP rankings
• DataForSEO field-config updated with 10 image-specific fields

Bug Fixes and Standards Compliance

Fixed

• Version mismatch: unified all 19 SKILL.md files, plugin.json, and CLAUDE.md (was 1.7.0/1.7.2/1.8.0 three-way split)
• Broken reference path: seo-backlinks now correctly points to shared skills/seo/references/backlink-quality.md
• Hardcoded absolute paths: removed ~/.claude/skills/ from agents and skills (now plugin-relative)
• seo-dataforseo line count: moved 35-line utility tools list to references/tool-catalog.md (416 to 380 lines)
• prompt-engineering.md: added Table of Contents (326 lines, required by Anthropic standard at >300)

Audited Against

• Anthropic Skill Creator Standards
• All 19 skills pass: YAML frontmatter, <500 lines, progressive disclosure, trigger phrase coverage, error handling, output formatting
• Overall compliance score: 88/100

Install / Upgrade

claude /install github:AgriciDaniel/claude-seo

New optional dependencies for image optimization:

sudo apt install libimage-exiftool-perl webp

v1.8.0 — Free Backlink Data Integration

What's New

v1.8.0 transforms /seo backlinks from a paid-only feature into a 3-tier free-to-premium backlink analysis system. Users can now get actionable backlink intelligence with zero cost and zero configuration.

3-Tier Cascade Architecture

Tier	Config	Sources	Data
Tier 0	Zero config	Common Crawl + Verification Crawler	PageRank, harmonic centrality, link existence
Tier 1-2	Free signup	+ Moz API + Bing Webmaster	DA/PA, spam score, anchor text, competitor comparison
Tier 3	Paid (unchanged)	+ DataForSEO extension	35T+ links, real-time, toxic scoring

New Commands

/seo backlinks <url>          # Full analysis (all available sources)
/seo backlinks gap <url1> <url2>  # Competitor gap (Bing unique feature)
/seo backlinks verify <url>   # Verify known backlinks still exist
/seo backlinks setup          # Guided free API key setup

New Scripts (6)

• backlinks_auth.py — Credential management + guided setup wizard
• moz_api.py — Moz Link Explorer API (DA/PA, spam, referring domains, anchors)
• bing_webmaster.py — Bing Webmaster Tools (links, counts, competitor comparison)
• commoncrawl_graph.py — CC Web Graph (PageRank, harmonic centrality, incremental streaming)
• verify_backlinks.py — Link existence verification with JS-rendering detection
• validate_backlink_report.py — Automated pre-delivery report validator (6 checks)

Data Accuracy Safeguards

Three layers of protection ensure reports are accurate:

1. Script-level: JS-rendering detection, @graph schema flattening, suspicious H1 flagging, subdomain matching, CC in_crawl/in_rankings distinction
2. Automated validator: Catches false findings programmatically before presenting to user
3. Agent checklist: 11-item mandatory pre-delivery review

Key Stats

Metric	Value
New Python scripts	6
New agent + reference files	3
Modified existing files	7
Bugs found & fixed during development	18
CLAUDE.md rule compliance	48/48
Real-world domains tested	4 (google.com, github.com, 21collagen.com, collagenwise.ro)

Getting Started

# Works immediately — zero config needed
/seo backlinks https://your-domain.com

# Add free APIs for richer data (5 min setup)
/seo backlinks setup

Backward Compatibility

All existing DataForSEO workflows are 100% unchanged. Free sources are additive — they enrich analysis when configured but never replace the premium tier.

---

📄 See the attached PDF for the full release document.

🤖 Generated with Claude Code

v1.7.2 - Firecrawl Extension, Backlink Analysis, Excel Export

What's New

Firecrawl Extension (full-site crawling)

Full-site crawling, scraping, and site mapping via Firecrawl MCP server:

• /seo firecrawl crawl <url> -- Crawl entire site with JS rendering (solves SPA/CSR issues)
• /seo firecrawl map <url> -- Discover all site URLs (fast, credit-efficient)
• /seo firecrawl scrape <url> -- Single-page deep scrape with JavaScript execution
• /seo firecrawl search <query> <url> -- Search within a site
• Cross-skill integration: audit uses map for URL discovery, technical uses crawl for broken link detection
• Free tier: 500 credits/month

Install: ./extensions/firecrawl/install.sh

Backlink Analysis Skill

New /seo backlinks <url> command with 7-section analysis framework:

• Profile overview (total backlinks, referring domains, trend)
• Anchor text distribution with over-optimization detection
• Referring domain quality assessment
• Toxic link detection (30 patterns) with disavow recommendations
• Top pages by backlinks
• Competitor gap analysis (/seo backlinks gap <url1> <url2>)
• New/lost link tracking

Requires DataForSEO extension for live data.

Excel Export

--format xlsx option for google_report.py:

• Sheets: Summary, Queries, Pages, Indexation
• Navy header styling matching PDF palette
• Auto-column-width, frozen headers, auto-filter
• New: --format all generates PDF + HTML + XLSX together

Ecosystem

• Added AI Marketing Claude as companion tool for post-audit marketing action

Install / Upgrade

curl -sL https://raw.githubusercontent.com/AgriciDaniel/claude-seo/v1.7.2/install.sh | bash

irm https://raw.githubusercontent.com/AgriciDaniel/claude-seo/v1.7.2/install.ps1 | iex

Stats

• 19 sub-skills (16 core + 3 extensions)
• 12 subagents for parallel analysis
• 3 extensions: DataForSEO, Firecrawl, Banana