Someone posted a whole bunch of
erotic jpegs named by their hash. It appears you don't validate zip files before they're accepted and have no flood protection. Perhaps also checking that they have a valid name (anything_anything) too.
I'd recommend limiting number of results when viewing a board and adding pages or some sort of dynamically loading page as you scroll. It can get taxing to list hundreds of results in a timely and clean manner.
To prevent name collisions, you may want to save add-ons by their hash. You may run in to collisions with /addons/[filename].zip being your path. You could instead save it as /addons/[hash] and use a Content-Disposition header to specify the download name.
Also, I don't condone the
BLOCKLAND GLASS FOREVER
included in the spam whatsoever. Glass started like a site very similar to this and it took 2+ years to grow to where it is. There were two other sites being developed with the same intention at the time. I thought competition would be good, but those projects pretty much halted.
If your intention really is to catalog add-ons and provide an all-inclusive place to upload them, I'd recommend looking in to perhaps some form of scraper for the Add-Ons board. Have your project host every add-on available, as a true "open market repository". That would give it a unique purpose that doesn't overlap with Glass. That could help with community support and your own motivation for the project.