company-funding-search

SUSPICIOUS. The skill’s general purpose is coherent, but its trust model is not ideal: it extracts a raw API key from a local file, forwards it to a Gooseworks proxy rather than Orthogonal’s documented direct API, and allows the credential file to override the destination host. This looks more like a managed gateway pattern than outright malware, but the intermediary credential flow and partially unverifiable install/auth instructions create medium-high security risk.