Traditional awk is not embeddable in C application. They can be ran as separate processes and piped in through a text protocol over stdio. But that is a rather heavyweight solution.
There is an AWK implementation called libmawk that provides an API for embedding. But it's still a rather heavy implementation - more than 6 times bigger than the single-file version of libfawk (using sloc for comparison).
Libmawk is a good alternative if the application needs full blown AWK scripting with regex, math functions, pattern matching loop and so on, and can afford the extra complexity in APIs and the external dependency.
Libfawk is a good alternative if the application needs fully integrated AWK scripting with the smallest possible footprint.
Tcl has a very small syntax and interpreter. Unfortunately over the years the lib and ecosystem shipped with the tcl distribution grew considerably. Currently a source checkout of tcl is more than 86 times (!) bigger than the single file version of libfawk.
Lua is a nice, minimalistic language - but it is still about 5 times bigger than the single-file version of libfawk (using sloc for comparison).
Lua supports a very similar feature set, with a few extras over libfawk so it is a good alternative when a slightly bigger but more common language is needed for an app and it can tolerate the external dependency (or can embed 12.5k sloc).
I personally didn't like the lua syntax - besides the size minimum, that was my other main motivation for libfawk.
For minimalism. The main goal is to keep libfawk as small as possible. There are great examples out there when a language started out with a very small syntax but then picked up an enormous amount of standard libraries, very often to compensate for the lacking language syntax, but sometimes only because "this one more call in the API should be useful anyway".
Libfawk is the opposite: it tries to find the minimum that is still usable and leaves extending the language with libs to the host application.
for example a lot of operators like ++ or +=. The key here is size: these operators take only a few lines extra code in the parser and zero extra lines in the VM.
Fawk is very simple and small. On the one hand this means the code can be easily reviewed and audited. On the other hand it's too small to implement advanced security features, like true random numbers - which can pose risks, e.g. with DoS on hash collisions.
Generally, untrusted user input should always be validated by the script and the host app (where possible). Since all I/O and scheduling is implemented by the host app, it's mainly the host app's responsibility to make the environment secure.
A more detailed analysis of the topic is available here.