context safety score
A score of 41/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
cloaking
Page checks user-agent for bot/crawler strings to serve different content
js obfuscation
JavaScript uses Function constructor for runtime code generation
obfuscated code
Multiple inline scripts are delivered as base64-encoded data URIs (src="data:text/javascript;base64,..."). While the decoded content is benign (Google Analytics / GTM / lazy-load config), the technique of inlining scripts as data URIs bypasses standard CSP source checks and is a known obfuscation vector used to hide malicious payloads from scanners. Four such scripts are present in the page. (location: page.html lines 2, 3, 8, 536)
malicious redirect
Multiple iframes load ad content from the third-party domain tsyndicate.com (an adult ad-network) with no sandbox attribute and no referrer policy. The network is known to serve pop-under redirects, forced redirects, and drive-by download campaigns. Three separate iframe slots are embedded: IDs 7bd32136c10e4787abeb0c476012a69f, a84a6c92fb874b4799b1d4fef06f98bb, and 001f973256c044c78e6319d0182a9e89. An additional external JS SDK (cdn.tsyndicate.com/sdk/v1/p.js) is loaded with full DOM access. (location: page.html lines 47, 521, 522; page-text.txt lines 28, 358-359)
social engineering
The site presents a login modal that collects a username and password and posts credentials to https://arabnok.com/ (the site root via admin-ajax.php). The decoded ftt-main-js script reveals the AJAX endpoint is //arabnok.com/wp-admin/admin-ajax.php. Although this is a WordPress membership plugin pattern, combined with the adult-content lure, the login wall can be used as a social-engineering credential-harvesting vector targeting users enticed by the explicit content. (location: page.html lines 523-537; decoded ftt-main-js)
credential harvesting
A login form (username + password) and a password-reset form (username or email) are embedded inside a modal. The form action posts to the site root and uses a nonce (a405ed3a7f) with no visible HTTPS-only enforcement in the form markup. The nonce is hardcoded in the HTML and visible to any page visitor, reducing its anti-CSRF effectiveness. Credentials entered are transmitted to //arabnok.com/wp-admin/admin-ajax.php as revealed in the decoded inline script. (location: page.html lines 523-535)
hidden content
GTM container GTM-TLNHT64C is loaded twice — once in the <head> as an inline script block and once again as a separate script tag — resulting in duplicate GTM initialization. GTM containers can inject arbitrary HTML/JS at runtime without any visible page-level indication, making it a persistent hidden-content risk. The duplicate load increases the attack surface if the GTM container is ever compromised. (location: page.html lines 4-19)
curl https://api.brin.sh/domain/arabnok.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
arabnok.com currently scores 41/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.