Archiver — Streaming Archive Packaging

Pass

Audited by ClawScan on May 7, 2026.

Overview

The visible artifacts are a normal documentation-only Node.js archiving skill, with standard cautions around npm installation and choosing which files to package.

This skill appears reasonable for Node.js archive creation. Before installing, verify the npm package and consider pinning its version. When using it, give the agent exact files or directories to archive, exclude secrets such as .env files and credentials, and add authorization if adapting the HTTP download example.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, an archive could contain private or unnecessary files before being shared.

Why it was flagged

The skill demonstrates adding local files, directories, and glob matches into archives. This is expected for an archiving skill, but overly broad paths or patterns could include unintended files.

Skill content

archive.file('local-file.txt', { name: 'renamed.txt' }); ... archive.directory('dist/', false); ... archive.glob('*.js', { cwd: __dirname });

Recommendation

Use explicit paths, add ignore patterns for secrets and build artifacts, and inspect archives before uploading or sending them.

What this means

A different or future package version could behave differently than expected.

Why it was flagged

The skill relies on installing an npm package without a version pin in the shown command. This is common for Node.js library documentation, but it means runtime behavior depends on the package version installed from npm.

Skill content

npm install archiver

Recommendation

Install from the official npm package, pin a known-good version, and review the lockfile/package provenance in sensitive projects.