To inspect a suspicious archive before extracting, drop it into Zro7 Inspect Archive. libarchive.js reads the central directory and lists every entry — filename, path, size, compression ratio, timestamp — plus warnings for the three attacks that matter: zip bombs, path traversal, and hidden executables. Nothing is written to your disk until you approve.
Attacks a listing reveals
1. Zip bombs
A 42 KB ZIP that expands to 4.5 PB (the classic "42.zip") shows a compression ratio of 100,000,000:1 in the listing. Zro7 flags any entry with a ratio above 100:1 as a bomb candidate.
2. Path traversal ("zip slip")
Entries with paths like ../../etc/passwd or C:\Windows\System32\... try to write outside the extraction folder. Zro7 highlights any path containing ../, absolute paths, or drive letters.
3. Executable payloads disguised as documents
"Invoice.pdf.exe", ".scr", ".js", ".vbs", ".bat", ".ps1", ".lnk" inside a ZIP labelled Invoice_September.zip is the #1 email malware pattern. The listing shows the true filename with all extensions; Zro7 flags common executable extensions.
Why local inspection matters
Uploading a suspected malware ZIP to a cloud unarchiver puts the operator in the blast radius — some scan-and-log services keep the payload. Browser-side inspection reads only the central directory (a few KB) and never executes anything.
Steps
- Open Inspect Archive.
- Drop the archive. Entries and warnings render.
- Extract selectively (or not at all).
Zro7