context safety score
A score of 39/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
malicious redirect
Footer injects a third-party script from 'scratchyhook.com' via dynamically created script element using an obfuscated path. The domain 'scratchyhook.com' is unrelated to the site and the URL path is heavily randomized/obfuscated, a classic drive-by download or malvertising loader pattern. (location: page.html:574-583, footer script block)
malicious redirect
A second third-party script is loaded directly from 'raffleprotectionbow.com', another unrecognized ad/malware network domain. The filename pattern (ca42a6f519453049348dd57b7291eeb9.js) is consistent with fingerprinting or payload delivery scripts used in malvertising chains. (location: page.html:585)
obfuscated code
The scratchyhook.com script src is an obfuscated path '//scratchyhook.com/cqDf9S6.b/2M5/l/SwWhQP9hNMjeANy/MBzXU-yQNUSw0V2rM/DNIpzcNQTQIb2_' with no file extension and randomized segments, indicating an intentionally obfuscated payload loader injected into the footer. (location: page.html:579)
obfuscated code
A hidden iframe (height=1, width=1, visibility:hidden, position:absolute at top:0/left:0) is created and injected into the document body by an inline script. Inside the iframe, a Cloudflare challenge script is injected with base64-encoded parameters (t='MTc3MjYyNjgwMw=='). This invisible iframe pattern is used for cloaking, bot detection evasion, or covert script execution. (location: page.html:718)
hidden content
An invisible 1x1 iframe (border:none, visibility:hidden) is programmatically appended to the document body and used to inject and execute scripts inside an isolated document context, hiding script execution from casual inspection. (location: page.html:718, inline script at end of body)
social engineering
The site presents a registration and login form ('Join Katorsex.me') collecting username, email, and password from users of an adult content site. The site is the .me clone of katorsex.com, potentially harvesting credentials from users who register thinking they are on the original platform. (location: page.html:612-636)
brand impersonation
The site at katorsex.me explicitly references 'katorsex.com' in its description ('pinay porn videos from katorsex.com - KATORSEX.ME') and uses near-identical branding, indicating the .me domain is impersonating or piggybacking on the reputation of the .com domain to attract users. (location: page.html:221,227, meta description and og:description)
credential harvesting
Login and registration forms collect username, email, and password credentials on an adult content site with WHOIS privacy redacted and a .me TLD clone of a .com domain. Credentials entered may be harvested by the site operator or exfiltrated via the injected third-party scripts (scratchyhook.com, raffleprotectionbow.com). (location: page.html:616-656, registration and login modal forms)
curl https://api.brin.sh/domain/katorsex.meCommon questions teams ask before deciding whether to use this domain in agent workflows.
katorsex.me currently scores 39/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.