Archiver — Streaming Archive Packaging
PassAudited by VirusTotal on May 7, 2026.
Overview
Type: OpenClaw Skill Name: archiver Version: 1.0.0 The skill bundle provides documentation and code examples for the legitimate Node.js 'archiver' library. It contains standard usage patterns for creating ZIP and TAR archives and lacks any indicators of malicious intent, data exfiltration, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, an archive could contain private or unnecessary files before being shared.
The skill demonstrates adding local files, directories, and glob matches into archives. This is expected for an archiving skill, but overly broad paths or patterns could include unintended files.
archive.file('local-file.txt', { name: 'renamed.txt' }); ... archive.directory('dist/', false); ... archive.glob('*.js', { cwd: __dirname });Use explicit paths, add ignore patterns for secrets and build artifacts, and inspect archives before uploading or sending them.
A different or future package version could behave differently than expected.
The skill relies on installing an npm package without a version pin in the shown command. This is common for Node.js library documentation, but it means runtime behavior depends on the package version installed from npm.
npm install archiver
Install from the official npm package, pin a known-good version, and review the lockfile/package provenance in sensitive projects.