context safety score
A score of 33/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
Suspicious base64-like blobs detected in page content
phishing
1 deceptive link where the visible host does not match the destination host
cloaking
Page conditionally redirects based on referrer or user-agent
js obfuscation
JavaScript uses Function constructor for runtime code generation
brand impersonation
The page at cinecalidad.ec impersonates multiple well-known streaming brands as clickable ad cards: 'Netflix Premium', 'Disney Plus', and 'MAX (HBO Max)'. These are displayed with official-looking branding images sourced from adsanalytics.org and linked via obfuscated base64-encoded URLs to redirect users to third-party destinations, falsely implying affiliation with these platforms. (location: page.html line 111 — article elements with class 'item movies naadb', images from adsanalytics.org)
malicious redirect
Ad card links for Netflix Premium, Disney Plus, and MAX are encoded as base64 strings in href attributes (e.g., href='#aHR0cHM6Ly9hZHNhbmFseXRpY3Mub3JnL2MveHVyaTd5eTV6cm54a2FjY3lnZTVjMml0N2drejFlMTA='). JavaScript decodes these at click time via atob() and opens the decoded URL in a new window, effectively hiding the true redirect destination from users and security scanners. (location: page.html lines 112-126 — handleClick function using atob() to decode and open obfuscated hrefs)
obfuscated code
Ad destination URLs for the Netflix, Disney Plus, and MAX brand-impersonation cards are base64-encoded in HTML href attributes and decoded at runtime via atob(). This pattern is specifically designed to hide the true redirect target from static analysis, link scanners, and AI agents crawling the page. (location: page.html lines 111-126 — href values like '#aHR0cHM6Ly9hZHNhbmFseXRpY3Mub3JnL2Mv...' decoded via atob())
obfuscated code
A script block checks if the current URL contains the string decoded from atob('dW5ibG9ja2l0') (which decodes to 'unblockit') and if so, replaces the entire page body with a full-screen image loaded from a URL decoded from atob('aHR0cHM6Ly9sZW1vbnBhcnR5Lm9yZy9sZW1vbnBhcnR5SEQuanBn') — a known shock/NSFW site (lemonparty.org). This is a concealed payload triggered by a URL keyword. (location: page.html lines 76-78 — script using atob('dW5ibG9ja2l0') and atob('aHR0cHM6Ly9sZW1vbnBhcnR5...'))
hidden content
The Netflix Premium, Disney Plus, and MAX promotional cards use CSS 'display: none' on the h3 caption element containing the ad copy and links. The clickable overlay covers the entire poster area, making the entire card act as an ad click-target while the text content (including the obfuscated links) is visually hidden from users but present in the DOM and accessible to crawlers. (location: page.html line 111 — h3.hover_caption_caption with style='display: none')
social engineering
A full-screen modal popup (id='bsmessage') is shown on page load promoting 'la.movie' as a 'nueva plataforma' (new platform) — framed as an upgrade from Cinecalidad. The message uses urgency language ('¡No te lo pierdas!'), trust signals ('sin anuncios molestos'), and is styled to look like an official notification, designed to funnel users away to a different site. (location: page.html lines 479-510 and page-text.txt lines 377-408)
brand impersonation
The page's canonical URL, schema.org structured data, and all asset/resource links point to cinecalidad.am and cinecalidad.lol rather than the actual serving domain cinecalidad.ec. The page presents itself as 'EL ÚNICO SITIO OFICIAL DE CINECALIDAD' (THE ONLY OFFICIAL CINECALIDAD SITE) across multiple competing domains, indicating a network of clone/mirror sites each claiming to be the official version. (location: page.html line 1 — canonical href='https://www.cinecalidad.am/', schema @id references cinecalidad.lol, cinecalidad.run; served from cinecalidad.ec)
malicious redirect
A third-party ad script is loaded from cvt-s2.agl003.com (libJS) and used to inject a full-viewport iframe overlay ('overroll') over video player content. The VAST ad URL also points to cvt-s2.agl003.com. This infrastructure intercepts user clicks intended for the video player and routes them through a third-party ad network with no transparency to the user. (location: page.html lines 542-690 — InitOverroll() function loading lib.js from https://cvt-s2.agl003.com/o/f/lib.js)
hidden content
Scripts for Google Tag Manager and Facebook SDK are conditionally loaded only when the browser user-agent does NOT include the string 'house'. This suggests bot/crawler detection evasion: analytics and tracking pixels are suppressed when certain automated agents are detected, hiding the true tracking behavior from security scanners. (location: page.html lines 511-535 — userAgent 'house' check before loading GTM and Facebook SDK)
curl https://api.brin.sh/domain/cinecalidad.ec
Common questions teams ask before deciding whether to use this domain in agent workflows.
cinecalidad.ec currently scores 33/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.