context safety score
A score of 40/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
js obfuscation
JavaScript uses Function constructor for runtime code generation
social engineering
Site operates as a CS2/CS:GO case opening gambling platform targeting gamers with promises of 'free cases daily' and high-value skin drops. The model is designed to encourage repeated spending through variable-reward mechanics characteristic of gambling, targeting a largely young audience. (location: page.html:68-69, page-text.txt:25)
credential harvesting
Login flow redirects users to 'key-drop2.com' (a different domain than key-drop.com) via the __login.link configuration. This cross-domain Steam login redirect could intercept Steam credentials on a domain separate from the main site, which is a common credential harvesting pattern. (location: page.html:458)
malicious redirect
The login link is configured to redirect to 'https://key-drop2.com/?q=%2Fen%2F' rather than staying on key-drop.com. Sending users to a different domain (key-drop2.com) for Steam authentication is suspicious and could facilitate credential theft or session hijacking. (location: page.html:458)
hidden content
A hidden 1x1 pixel iframe is injected dynamically via an inline script (Cloudflare challenge script). The iframe is absolutely positioned at top:0, left:0, with visibility:hidden, and injects further JavaScript into its document. While this is a Cloudflare bot-detection mechanism, the pattern of hidden iframes dynamically injecting scripts is a known technique for cloaked malicious activity. (location: page.html:1030)
hidden content
The Cloudflare challenge inline script uses a hidden iframe to inject a secondary script tag with encoded parameters (r:'9d7156729e794417', t:'MTc3MjYzMjA5OC4wMDAwMDA=') and loads '/cdn-cgi/challenge-platform/scripts/jsd/main.js'. The base64 value 'MTc3MjYzMjA5OC4wMDAwMDA=' decodes to a timestamp, which is consistent with Cloudflare but the obfuscated multi-stage injection pattern warrants flagging. (location: page.html:1030, page-text.txt:247)
social engineering
The site uses multiple aggressive engagement hooks including live drop feeds, giveaways, free daily cases, upgrader, and case battles — all designed to create compulsive engagement loops and normalize gambling behavior with in-game cosmetics. (location: page.html:629-708)
hidden content
A third-party push notification script is loaded from '//web.webpushs.com/js/push/9090d5cfc0cf08342cd70ab91d0dfa27_1.js' using a protocol-relative URL. This third-party script can silently request browser push notification permissions and is loaded without user interaction or visible consent UI at page load. (location: page.html:601)
credential harvesting
The site collects Steam Trade URL via an endpoint at 'https://key-drop.com/en/panel/Profil/change_trade_url' and stores it in window.__exchanger__tradeUrlForm. Steam Trade URLs, combined with Steam session tokens, can be used to initiate unauthorized item trades from a user's inventory. (location: page.html:422-425)
curl https://api.brin.sh/domain/key-drop.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
key-drop.com currently scores 40/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.