tracekit-java-sdk
Warn
Audited by Socket on Apr 15, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The Java APM/instrumentation behavior is broadly aligned with the stated purpose, and the data flow to TraceKit endpoints is plausible for observability. However, the skill expands scope with transitive use of an unreviewed tracekit-auth skill, a referenced local auth script of unknown provenance, automatic credential/bootstrap flow, and optional LLM content capture that can export sensitive prompts and runtime data. Risk is moderate rather than clearly malicious.
Confidence: 79%
Severity: 64%