context safety score
A score of 32/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
malicious redirect
script/meta redirect patterns detected in page source
js obfuscation
JavaScript uses Function constructor for runtime code generation
brand impersonation
The domain capcut.com.in impersonates the legitimate CapCut brand (capcut.com) by using a typosquat/lookalike domain with the official brand name, logo, and app icon. The site presents itself as the official CapCut download source while distributing an unofficial modified APK. (location: https://capcut.com.in — domain, page title, logo (site-logo_2eaa1.png), structured data WebSite name 'Capcut Apk Download')
social engineering
The site actively instructs users to disable Android security controls ('Enable Unknown Source Installation') to sideload an unofficial 'Mod APK', falsely claiming the download is '100% secure'. This manipulates users into bypassing device protections to install potentially malicious software. (location: page.html lines 89-98 — 'Enable Unknown Source Installation' section; FAQ answer claiming '100% secure')
malicious redirect
The download button's href is stripped at runtime by JavaScript and replaced via a 'reward_advergic' ad-network redirect mechanism loaded from the third-party domain avads.live. The actual download destination is obscured and controlled by an external ad/redirect service, not the page itself. The final APK URL (CapCut_MOD_APK_Pro.apk) may differ from what is delivered. (location: page.html lines 137-191 — rewardLinks JS block; line 263-266 — download button with class reward_advergic; line 123 — avads.live/s/av-capcut.js)
social engineering
The site distributes a 'Mod APK' (cracked/pirated version) of CapCut by falsely framing it as safe and legitimate, encouraging users to install software from an untrusted third-party source with premium features 'unlocked for free'. This is a well-known vector for malware distribution. (location: page.html lines 263-266 — download link to CapCut_MOD_APK_Pro.apk; page-text.txt lines 61-73)
hidden content
The download button's href attribute is dynamically removed from the DOM on page load and stored in a JavaScript object (window.rewardLinks), hiding the true download destination from static analysis and URL inspection tools. The real link is only restored conditionally based on ad-script load success or failure. (location: page.html lines 148-187 — initRewardLink function storing and removing href attributes)
hidden content
A push notification subscription SDK is injected dynamically from push-sdk.com (zone 2166798), with click_id and source_id tracking parameters harvested from URL query strings. The script injection is done inside an async IIFE with no visible UI disclosure to the user, enabling covert push notification subscription. (location: page.html lines 220-240 — push-sdk.com script injection block)
brand impersonation
Structured data (JSON-LD) declares the website name as 'Capcut Apk Download' and uses the organization name 'Capcut Apk Download', further reinforcing the false association with the official CapCut brand in search engine results and AI-parsed metadata. (location: page.html lines 3 — JSON-LD Organization and WebSite schema blocks)
curl https://api.brin.sh/domain/capcut.com.inCommon questions teams ask before deciding whether to use this domain in agent workflows.
capcut.com.in currently scores 32/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.