context safety score
A score of 48/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
malicious redirect
script/meta redirect patterns detected in page source
obfuscated code
The page contains heavily obfuscated JavaScript using string array rotation, hex-encoded offsets, and self-defending anti-debugging techniques (console overriding, RegEx ReDoS pattern '(((.+)+)+)+$'). The obfuscation hides the true behavior of the challenge script loaded from /hcdn-cgi/jschallenge and prevents static analysis of what data is collected or where the user is redirected. (location: page.html - inline <script> block and page-text.txt)
malicious redirect
The obfuscated script computes a SHA-256 challenge, submits it via XMLHttpRequest POST to 'jsChallengeUrl', and on HTTP 200 response calls window.location.replace(uri) — where both 'jsChallengeUrl' and 'uri' are runtime-resolved obfuscated variables. The redirect destination is fully opaque at static analysis time, making it impossible to verify the user lands on a legitimate site. (location: page.html - async IIFE at end of inline script)
social engineering
The page mimics a legitimate browser integrity check (Cloudflare-style 'Just a moment...' interstitial) with a spinning loader and reassuring copy ('Checking your browser before accessing', 'Please wait up to 5 seconds'). This UI pattern exploits user trust in CDN bot-protection pages to suppress suspicion while the obfuscated script executes and performs the redirect. (location: page.html - <title>, <h1>, <p> elements and overall page layout)
hidden content
The page sets meta robots 'noindex,nofollow' to prevent search engine indexing and crawling, combined with a meta http-equiv refresh every 30 seconds. This suppresses visibility of the page in security tools and search indexes while ensuring clients that block JavaScript are still periodically refreshed, indicating the page is intentionally hidden from discovery pipelines. (location: page.html - <meta name='robots' content='noindex,nofollow'> and <meta http-equiv='refresh' content='30'>)
obfuscated code
An external script is loaded from /hcdn-cgi/jschallenge — a path mimicking Cloudflare's /cdn-cgi/ convention but served from the suspicious domain 3lawey.com itself. This script is not inspectable at static analysis time and is the likely source of the runtime variables 'cjs', 'jsChallengeUrl', and 'uri' used by the redirect logic. (location: page.html - <script src='/hcdn-cgi/jschallenge'>)
curl https://api.brin.sh/domain/3lawey.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
3lawey.com currently scores 48/100 with a suspicious verdict and medium confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.