context safety score
A score of 42/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
hidden instruction
high hidden content ratio detected in DOM
credential harvesting
The site provides a tool explicitly designed to generate Google 2FA TOTP codes from user-supplied secret keys. Users are instructed to paste their 2FA secret keys (TOTP seeds) into an input form. Submitting these secrets to a third-party site fully compromises 2FA protection, as possession of the seed allows anyone to generate valid codes at any time. (location: page.html and page-text.txt: '谷歌双重验证码获取' form with '双重验证密钥(2FA)' input field)
credential harvesting
Three credential-capturing forms are present (credential_form_count=3). The primary form accepts 2FA secret keys (TOTP seeds) from users. A TOTP seed is a permanent secret — unlike a one-time code, whoever holds the seed can generate valid codes indefinitely, fully bypassing 2FA. Submitting it to this third-party service constitutes complete credential compromise. (location: page.html: multiple input forms including 2FA key intake form)
social engineering
The site is branded as a cross-border e-commerce toolbox ('跨境工具箱') and markets itself as a free, legitimate utility. It normalizes the dangerous practice of entering 2FA secret keys into external websites by framing it as a convenience tool. Tutorial content (e.g., Facebook login guides, cookie import tutorials) targets users of platforms where account takeover is common, making it a vector to harvest credentials under the guise of a helpful tool. (location: page-text.txt: tool list, tutorial list, and site branding)
brand impersonation
The site title and metadata explicitly reference 'Google 2FA' and 'Google Authenticator' ('谷歌双重验证码获取', 'Google Authenticator验证码'), and uses 'GET2FA.VIP' branding to imply official or trusted status. The page mimics the function of Google Authenticator to lure users into submitting their actual 2FA secret keys. (location: page.html line 3: <title>谷歌双重验证码获取 - 跨境工具箱</title>; line 40: meta Keywords referencing 'Google Authenticator')
phishing
The site targets users who manage Facebook, Instagram, and Google accounts for cross-border e-commerce, providing tutorials on Facebook login, cookie-based account hijacking ('COOKIE登录FB账号导入教程'), and Instagram error bypass. This ecosystem is designed to facilitate account takeover operations, with the 2FA harvesting tool as the centerpiece. (location: page-text.txt: tutorial list including 'COOKIE登录FB账号导入教程', 'ins账号解决报错登录教程')
hidden content
The hidden content ratio is 1.00, meaning all or nearly all page content is classified as hidden. The page-hidden.txt shows 100 lines of Nuxt.js SSR HTML comment markers ('<!--[-->' and '<!--]-->'), which are standard Vue/Nuxt server-side rendering artifacts. These are not malicious hidden content but rather framework-generated markers. However, the 1.00 ratio warrants noting. (location: page-hidden.txt: lines 1-100 (Nuxt SSR comment markers); .brin-context.md: hidden_content_ratio=1.00)
curl https://api.brin.sh/domain/2fa.lolCommon questions teams ask before deciding whether to use this domain in agent workflows.
2fa.lol currently scores 42/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.