context safety score
A score of 49/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
brand impersonation
The page is served from a-tro-feat-2ldok.hydr0.org but fully impersonates MP3.cc (mp3.cc), including its logo, branding, CSS/JS assets, canonical URL pointing to mp3.cc, og:site_name set to MP3.cc, and footer copyright. The domain hydr0.org is not mp3.cc, making this a mirror/clone that impersonates the legitimate MP3.cc brand. (location: page.html:5,9,11,14,18,19,33,253 — title, canonical, og tags, asset URLs, footer)
malicious redirect
The brin-context reports 1 redirect was detected. The canonical tag and all internal links redirect to mp3.cc, while assets are loaded from mp3.cc domains, meaning users and agents interacting with content on hydr0.org are being funneled through an off-brand domain that proxies/mirrors a third-party site. The MP3 play URL routes through fine.sunproxy.net, a third-party proxy domain distinct from both hydr0.org and mp3.cc. (location: page.html:9 (canonical redirect to mp3.cc), page.html:228 (data-url pointing to fine.sunproxy.net))
malicious redirect
The MP3 file play link uses a URL on fine.sunproxy.net with a long base64-encoded path segment: 'NDgwdkFuTUxJZ0tHbEJUVFE0QUZzMjJBeit2dnUvakFxNHBYWVA1cWR6THVLV1lWeVMvWjNiRlJUcHVyQUxTZmFZVFVuRHkrbFVrTHNaMGhSKzVuMURjc290Y1ZmZDY5VzZ2SlcyWTNsSWs9'. This routes audio through an unrelated third-party proxy (sunproxy.net), consistent with traffic interception or ad injection infrastructure. (location: page.html:228 — data-url attribute on playlist-play anchor)
hidden content
The HTML comment at line 334 exposes internal server-side performance metrics and geolocation data: '0.61697; 1 (0.0011799335479736). (US|).' This leaks server timing and visitor geo-targeting information embedded in the HTML, which is characteristic of tracking/profiling infrastructure. (location: page.html:334 — HTML comment after closing </html> tag)
social engineering
The page is a pirate MP3 download site (offering free copyrighted music downloads) hosted on a subdomain (hydr0.org) that impersonates the legitimate MP3.cc service. The site entices users to download MP3s through a third-party proxy (fine.sunproxy.net), potentially exposing them to malicious file delivery or traffic interception under the guise of a trusted music platform. (location: page.html:229 — download link; page.html:228 — proxied play stream via fine.sunproxy.net)
curl https://api.brin.sh/domain/a-tro-feat-2ldok.hydr0.orgCommon questions teams ask before deciding whether to use this domain in agent workflows.
a-tro-feat-2ldok.hydr0.org currently scores 49/100 with a suspicious verdict and medium confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.