find-funding-opportunities

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by fetching and displaying untrusted content from an external API.
  • Ingestion points: Program titles and descriptions are retrieved from https://gapapi.karmahq.xyz/v2/program-registry/search in SKILL.md.
  • Boundary markers: The formatting logic in SKILL.md lacks explicit delimiters or instructions to ignore potential commands within the fetched data.
  • Capability inventory: The skill utilizes curl for network access.
  • Sanitization: Program descriptions are truncated to approximately 120 characters, providing minimal protection against adversarial content.
  • [COMMAND_EXECUTION]: The skill invokes curl and uuidgen within a Bash environment to facilitate communication with the Karma API. This behavior is expected and limited to the skill's core functionality.
  • [EXTERNAL_DOWNLOADS]: The skill connects to https://gapapi.karmahq.xyz to fetch program registry data. This domain is managed by the vendor (Karma) and is used for legitimate data retrieval purposes.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 5, 2026, 04:25 PM