I'm not too familiar with the process myself, but you can verify NSP and XCI files by verifying the ACID signature. As far as doing that with NSZ files, worst case would be having to convert it back to an NSP before verifying. Good news though, most title installers do signature verification by default and will throw an error if the signature check fails.
@blawar is far more knowledgeable than me about how sig checking works if he'd like to chime in.
I have seen that most installers have the option to run unsigned code and that it's often required installing NSZ's and NSP files according to youtube videos where people installed the youtube channel and some backups.
To be sure it might be a good idea to check if it's custom build, corrupt or infected. And if it's custom build, if you have to worry about it or not.
I tried looking at some of my NSZ's and XCI's with XCI Explorer and Tinfoil's website/ID database, all the game ID's matched, some of the SDK's did not match with the NSZ's, the NSZ's file structure could not be shown in XCI Explorer and none of the NCAid's from the XCI's could be found on the Tinfoil website but extracting the full game as a romfs did give me all the expected files I needed to create mods. I'm really trying to find a safe and easy way to verify if I have something to worry about or not at all, mostly in the cases where people run code unsigned.
I know you can never be certain running unsigned homebrew but unsigned backups do scare me.
Maybe
@Crusatyr knows how to look at the file structure when it comes to XCI files or what to look for in XCI Explorer if it doesn't match tinfoil but is a real backup.
the nsz can be verified with nicoboss’ nsz tool and nsc_builder
I can't get Nicoboss's tool to work because I already have python 2.7 running which doesn't play nice with python 3.x (requirement) causing pip to fail for some reason.
Is NSC_Builder easy to install and use?
Looking at the topic it looks like it requires some sort of different structure in my key dump? Or am I misunderstanding it because the post is a bit chaotic?
I can't find any dependency requirements either.