context safety score
A score of 41/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
phishing
1 deceptive links where visible host does not match destination host
js obfuscation
Very long base64 or hex string assigned in JavaScript — likely encoded payload
phishing
The site is hosted on id.tc-v.com, a subdomain of tc-v.com, which is the rebranded domain of Tradecarview (tradecarview.com). The page itself contains a warning about a 'site name change from Tradecarview to TCV' and instructs users to re-certify devices 'to prevent phishing'. This pattern — a login page on an unfamiliar subdomain referencing a brand migration — is a classic pretexting technique used by phishing sites to justify why the URL looks different from the expected domain. The legitimate brand (Tradecarview/TCV) operates at tc-v.com; this login is served from id.tc-v.com with cross-links to www.tc-v.com, which is consistent but the subdomain isolation of credentials warrants scrutiny. (location: page.html:183-185, page.html:314-316)
credential harvesting
The page presents a full login form collecting Login ID or Email address and Password, submitted via HTTP POST to ./loginregist_new.aspx on the same origin. With 11 credential form inputs detected by pre-scan heuristics, the form collects username, password, and a 'Remember Me' checkbox. The login seal feature (TextBox_MagicWord) also collects a user-defined secret text. All inputs are submitted in a single ASP.NET form, creating a broad credential collection surface. (location: page.html:262-305, page.html:354)
brand impersonation
The page simultaneously references two brand identities: 'Tradecarview' (tradecarview.com) and 'TCV' (tc-v.com), framing them as equivalent. The logo links to http://www.tc-v.com/ and the page title is 'MembersID'. The page instructs users that 'Tradecarview and TCV have the same ID and password', which could be used by a spoofed site to harvest credentials valid on both platforms. The domain id.tc-v.com is structurally consistent with the brand but the dual-brand messaging increases impersonation surface area. (location: page.html:121, page.html:183-185, page.html:314-316)
social engineering
The prominent red-bordered warning box states users were 'forced to log out due to site name change' and instructs re-certification of all devices. This creates urgency and normalizes the act of re-entering credentials on what may be an unfamiliar domain. This is a textbook social engineering pretext: manufacturing a plausible reason for why security context has been reset and credentials must be re-submitted. (location: page.html:183-185, page-text.txt:87-89)
hidden content
A Google Tag Manager noscript iframe (height=0, width=0, display:none, visibility:hidden) is present. While GTM iframes of this type are standard, the pre-scan flagged a user-agent differential ratio of 0.22, suggesting content may differ based on the requesting agent. The hidden iframe loads external GTM JS (GTM-PFJDBMQ) which can dynamically inject arbitrary scripts, making the full behavior of the page dependent on GTM container configuration that is not visible in the static HTML. (location: page.html:99-100)
hidden content
Two 1x1 pixel tracking images are embedded in noscript blocks, loading from //googleads.g.doubleclick.net with conversion tracking parameters including currency and label values. While standard for remarketing, these fire on page load and transmit visit data to Google Ads infrastructure without user awareness. (location: page.html:418-420, page.html:436-438)
curl https://api.brin.sh/domain/id.tc-v.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
id.tc-v.com currently scores 41/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.