Inspect a ZIP archive safely: send the bytes directly or a JSON body with a public {url}. Returns the entry list (path, size, compressedSize, isDir); entries with path traversal (../), absolute or malformed paths are flagged suspicious:true and never interpreted. Add ?extract=exact/entry/path to get that one file back (max 5 MB decompressed). Zip bombs are refused. Max 20 MB.