Archiver — Streaming Archive Packaging
AdvisoryAudited by Static analysis on May 7, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, an archive could contain private or unnecessary files before being shared.
The skill demonstrates adding local files, directories, and glob matches into archives. This is expected for an archiving skill, but overly broad paths or patterns could include unintended files.
archive.file('local-file.txt', { name: 'renamed.txt' }); ... archive.directory('dist/', false); ... archive.glob('*.js', { cwd: __dirname });Use explicit paths, add ignore patterns for secrets and build artifacts, and inspect archives before uploading or sending them.
A different or future package version could behave differently than expected.
The skill relies on installing an npm package without a version pin in the shown command. This is common for Node.js library documentation, but it means runtime behavior depends on the package version installed from npm.
npm install archiver
Install from the official npm package, pin a known-good version, and review the lockfile/package provenance in sensitive projects.