context safety score
A score of 47/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
brand impersonation
The site operates on domain auntymazax3.watch but presents itself as 'AuntyMaza.Com' (the legitimate brand at aauntymaza.com). The favicon is loaded from aauntymaza.com, the JSON-LD schema sets the publisher URL to https://aauntymaza.com, and the Home menu link points to https://aauntymaza.com, all while the actual serving domain is a numbered variant (x3.watch). This is a typosquat/clone impersonating the original brand. (location: page.html:7, page.html:27, page.html:116 — favicon href, JSON-LD publisher URL, and nav Home link all reference aauntymaza.com while domain is auntymazax3.watch)
malicious redirect
External script loaded from //d3ipmxzmjf8cw7.cloudfront.net/?xmpid=1242184 with data-cfasync=false (bypasses Cloudflare rocket loader). This is a known ad/redirect network endpoint that can perform drive-by redirects or malvertising. The xmpid parameter fingerprints the traffic source. (location: page.html:1309 — <script data-cfasync="false" src="//d3ipmxzmjf8cw7.cloudfront.net/?xmpid=1242184">)
malicious redirect
External script loaded from //nappyonsetstiffness.com/on.js with data-cfasync=false and both onerror/onload callbacks firing the same handler nhxaqky(15). The domain name is nonsensical/generated, a hallmark of malvertising or push-notification redirect networks. The script has no clear legitimate purpose. (location: page.html:1327 — <script data-cfasync="false" data-clocid="2085897" async src="//nappyonsetstiffness.com/on.js">)
obfuscated code
A large self-executing JavaScript block uses multi-layer obfuscation: URL-encoded string decoded with decodeURI(), a Caesar-cipher-style character rotation using charCodeAt/fromCharCode with positional offset, array slicing by computed index offsets, and dynamic property/method resolution. The obfuscation pattern is consistent with malvertising payloads or fingerprinting/redirect scripts designed to evade static analysis. (location: page.html:1326 — inline <script data-cfasync="false">!function(){"use strict";for(var n=decodeURI("wd%60andp%5E..."))
hidden content
A large block of SEO keyword spam is injected in a .hero div that is visually present in the DOM but styled to blend into the page background or serve search-engine crawlers. It contains hundreds of brand names (xhamster, pornhub, xnxx, fsiblog, etc.) and keyword phrases designed to manipulate search rankings and attract traffic under false pretenses. This content is not the primary visible content to users. (location: page.html:1332-1334 — <div class="hero"><div class="container"><div class="hero-text"> ... keyword block)
hidden content
Duplicate SEO keyword spam injected as plain text after a closing </div> tag at the bottom of the content area, outside any visible content container. Contains repetitive anchor links all pointing to internal search queries (/?s=...) stuffed with the same title phrase, inflating internal link counts for SEO manipulation. (location: page.html:1342-1346 — repeated <a href="/?s=Desi Girl Romance..."> anchor links and raw keyword text injected outside main content div)
social engineering
The site presents a login/registration modal collecting username and password credentials. Registration is disabled (shown via alert), yet the login form remains fully functional, submitting credentials via POST to auntymazax3.watch (not the canonical aauntymaza.com). Users believing they are on the legitimate AuntyMaza site may submit credentials to this impersonating domain. (location: page.html:1392-1411 — <form id="vtt_login_form" action="https://auntymazax3.watch/"> collecting vtt_user_login and vtt_user_pass)
credential harvesting
Login form on an impersonating domain (auntymazax3.watch masquerading as AuntyMaza.Com) collects username and password via POST. Users who believe they are logging into the legitimate service at aauntymaza.com are actually submitting credentials to a third-party domain. The form action explicitly posts to auntymazax3.watch rather than the brand's canonical domain. (location: page.html:1395-1409 — form action="https://auntymazax3.watch/" with inputs name="vtt_user_login" and name="vtt_user_pass")
malicious redirect
StripchatSpot widget loaded from creative.ladkibaazi.com with a hardcoded userId/affiliate tracking token. The widget mounts directly onto document.body with autoplay enabled, can inject overlays, pop-unders, or redirect users to external cam/adult sites without explicit user interaction. (location: page.html:1315-1323 — <script src="https://creative.ladkibaazi.com/widgets/Spot/lib.js"> with spot.mount(document.body))
prompt injection
The SEO keyword spam block contains a raw backslash-prefixed token '\kand' embedded in plain text content. While likely a typo for a Hindi word, the pattern of injecting unescaped control-like tokens within text content that AI agents may parse represents a low-level prompt injection surface if the page text is ingested by an LLM-based crawler or agent without sanitization. (location: page.html:1332 — '...masa49 viral \kand thehappycenter...' within the hero keyword block)
curl https://api.brin.sh/domain/auntymazax3.watchCommon questions teams ask before deciding whether to use this domain in agent workflows.
auntymazax3.watch currently scores 47/100 with a suspicious verdict and medium confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.