Find Funding Opportunities

Pass. Audited by ClawScan on May 1, 2026.

Overview

This skill coherently searches Karma's public funding API, with no credentials or installed code, but it will send search terms and tracking headers to Karma using curl.

This looks safe for public funding-opportunity searches. Before installing, be comfortable with the agent making outbound curl requests to Karma and sending your search terms plus a random invocation ID for request tracing.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may run curl commands to search Karma's API; malformed or unusual search text should be encoded carefully before being placed in a shell command.

Why it was flagged

The skill's normal operation uses a shell command to call an external API with query parameters derived from the user's request. This is purpose-aligned, but values should be safely URL-encoded and not treated as raw shell text.

Skill content

Use `curl` via Bash. ... curl -s -H "X-Source: skill:find-funding-opportunities" ... "https://gapapi.karmahq.xyz/v2/program-registry/search?..."

Recommendation

Use the skill for ordinary funding searches, and prefer safe URL-encoding methods such as curl --get with --data-urlencode for free-form user-provided values.

What this means

Karma can see the funding searches made through this skill and can group the API calls belonging to one invocation.

Why it was flagged

The API boundary and tracking headers are disclosed. No credentials are used, but the user's search terms and a per-invocation identifier are sent to Karma's public API.

Skill content

**Base URL**: `https://gapapi.karmahq.xyz` ... **Auth**: None ... `X-Invocation-Id` | `$INVOCATION_ID` | Group the 1–4 curl calls per query into one trace

Recommendation

Avoid entering sensitive private project details in search terms if you do not want them sent to the Karma API.