context safety score
A score of 41/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
cloaking
Page conditionally redirects based on referrer or user-agent
cloaking
Page loads content in transparent or zero-size iframe overlay
js obfuscation
JavaScript uses Function constructor for runtime code generation
obfuscated code
Script loaded from a deliberately obfuscated path '/djjdjdjdjdjdjdjdklfklsjffallsls/ngnsdgksgkk3m3mk7.10.13.30b534f9020679393392f92bad0973d2.js' with a nonsensical directory name and MD5-like hash in the filename. The config object explicitly labels the adver script as '7.10.13.obfuscated.js'. This pattern is used to evade static analysis and URL-based blocklists. (location: page.html:78, page.html:76)
malicious redirect
Country-gated forced redirect targeting Ukrainian users ('ua' country code) to 'https://directsle.com/in/2652/' with a heavily encoded parameter string. This silently overrides all popunder destinations for an entire geo-segment without user interaction or consent, directing them to an opaque traffic distribution system. (location: page.html:114-116)
malicious redirect
Aggressive popunder/tabunder ad system that hijacks click events on the video player and page body, programmatically opening new tabs to third-party destinations including 'https://kts.bartcons.com/in/849/', 'https://s.pemsrv.com/splash.php', and 'https://magma.tube/' without explicit user consent. The system uses capping bypass logic and resets capping counters to maximize unwanted redirects. (location: page.html:335-388, page.html:496-507)
social engineering
'UNLOCK FULL' and 'FULL VIDEO HERE' button labels injected via window._plBtnText into the video player UI to deceive users into clicking affiliate/premium links (g2fame.com, javhd.com, kink.com, etc.) under the false pretense of unlocking full video content. The button text is deliberately deceptive. (location: page.html:89-111)
social engineering
Tab-link overlays labeled 'AI Undress Porn', 'AI porn', and 'LIVE CAMS'/'LIVE SEX' with animated blinking green dot indicators designed to simulate live activity and urgency, pushing users toward affiliate adult sites (cmonbae.com, candyai.gg, strip2tip.com, jasmin.com). The 'LIVE' labels are deceptive UI signals, not genuine live indicators. (location: page.html:956-1023)
hidden content
Yandex Metrika tracking pixels loaded inside noscript tags with CSS positioning 'position:absolute; left:-9999px' making them invisible to users. Two separate tracking IDs (49315045 and 33008644) silently beacon user visits to mc.yandex.ru without disclosure. (location: page.html:55-56)
hidden content
window._hidden_channels array defines a set of channel IDs labeled as 'hidden' in the global scope, indicating content or functionality deliberately concealed from the user interface while remaining active in the page logic. (location: page.html:69-70)
malicious redirect
Push notification subscription system deployed via service workers (/ps/klyOn1.js, /kDMekS.js) linked to 'notification.tubecup.net' with subInterstitial direct links pointing to 'https://online-hd.amazingcontent.site/?tag_id=93577' — an unbranded content site used as a traffic destination after push subscription. Users subscribing to push notifications are redirected to this third-party site. (location: page.html:80 (window["_5mgy01za3r"] config block))
obfuscated code
RTB controller URL contains a highly repetitive, pattern-obfuscated 'updateconfig' parameter value ('ushshshhshshshs' repeated many times), which appears designed to confuse automated scanners or logging systems rather than serve any functional configuration purpose. (location: page.html:76)
social engineering
Age verification bypass: code sets localStorage '_agv' and cookie '_agev' to bypass age-lock checks when specific UTM parameters are present, and certain promo codes (e.g., promo=47201 for 'isBravo') automatically set age-verified cookie for 5 years (43800 minutes) without any actual age verification step. (location: page.html:140-148, page.html:192-198)
hidden content
Canonical link points to 'https://hotmovs.com/' while the page is served from 'hotmovs.tube', and the site explicitly detects when it is running as a mirror (window.isMirror). This split-domain mirror structure can be used to serve different ad configurations and evade domain-level reputation systems. (location: page.html:41, page.html:160)
curl https://api.brin.sh/domain/hotmovs.tubeCommon questions teams ask before deciding whether to use this domain in agent workflows.
hotmovs.tube currently scores 41/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.