Legality aside, your web hosting provider may consider it as malicious software / cyberattack activity that breaks their TOS.

Why would that be? It's not even executable code: someone would need to 1.actively request it, 2.actively save it somewhere 3.actively try to extract it.

If the zip bomb explicitly targets bots it becomes not only a zip bomb, but a mitigation tailor-made to prevent abuse of your platform. Phrase it as the latter and it is probably okay.

It’s a bad idea.