context safety score
A score of 40/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
obfuscated code
A heavily obfuscated JavaScript block using Function(new TextDecoder('utf-8').decode(new Uint8Array(atob(...)))) multi-layer encoding (base64 -> byte array -> UTF-8 -> dynamic Function eval) is present in the page head. This pattern is used to hide malicious logic from static analysis and execute arbitrary code at runtime. (location: page.html line 720, inline <script> block in <head>)
brand impersonation
The site presents itself as 'BlockAway' but the embedded CSS carries a CroxyProxy copyright notice ('Copyright (C) CroxyProxy service owners'), the AddToAny social share widget points to https://www.croxyproxy.com, and premium upgrade buttons link to https://www.patreon.com/croxyproxy. The site is a rebranded clone of CroxyProxy misrepresenting its true identity to users. (location: page.html lines 35-38 (CSS copyright), line 962 (AddToAny data-a2a-url), lines 753 and 929 (Patreon links))
credential harvesting
The site operates as a web proxy that routes all user traffic through its servers, positioning itself as a man-in-the-middle for every website the user visits. All credentials, session tokens, and personal data entered on proxied sites (Google, Facebook, Instagram, etc.) are exposed to the proxy operator. The 'Sign in' modal also dynamically loads content from /account/session/form, enabling capture of BlockAway account credentials. (location: page.html lines 757-763 (accountModal), lines 907-926 (proxy form), line 957 (quick links to major services))
social engineering
The site uses trust-building language ('High security and privacy', 'safeguard your privacy', 'keep your personal information anonymous') to convince users to route sensitive traffic through a third-party proxy. It specifically targets school, university, and work environments where users may be trying to bypass security controls, and encourages sharing the proxy link with friends to expand reach. (location: page.html lines 867-873, 980-983, 997-1000, 1044-1070; page-text.txt lines 121-126)
malicious redirect
The fixed top info bar contains a banner link to https://reflect4.me/register?utm_source=front_top_banner — an external third-party site unrelated to BlockAway. This is a persistent, fixed-position element that appears on every page load and attempts to redirect users to sign up for a separate service, using the proxy site's traffic as an acquisition funnel. (location: page.html lines 1108-1113)
hidden content
The extensionOrigins meta tag lists five specific Chrome extension IDs (lmmpgfjnchldhcieiiegcpdmaidkaanb, djpehmepgepfpoiaendmglmnjmmfalio, ckjnnmdnpicjmpmcheonhjhbhamjclhi, haanbmjmhcofgngkioelkdablmmmbhoo, docbehmolikiogjomonmfieaidgfcbpc). This allows the page to communicate with those specific browser extensions via postMessage or extension APIs, enabling privileged access to browser state beyond what a normal webpage can access. (location: page.html line 10, <meta name='extensionOrigins'>)
hidden content
The server's backend IPv6 address (2600:1900:0:2d03::2e00) is exposed in an HTML comment at the end of the page, and the server's public IPv4 address (143.244.207.157) is disclosed in the visible footer. Exposing infrastructure IPs aids attackers in direct server targeting and bypassing CDN protections. (location: page.html line 1116 (HTML comment IPv6), page-text.txt line 318 / page.html line 1086 (footer IPv4))
curl https://api.brin.sh/domain/blockaway.net
Common questions teams ask before deciding whether to use this domain in agent workflows.
blockaway.net currently scores 40/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.