context safety score
A score of 33/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
phishing
1 deceptive links where visible host does not match destination host
brand impersonation
The site operates on the domain ko1.y2mate.is and presents itself as the legitimate Y2Mate YouTube downloader service, including branded logos, favicon, og:image, and footer copyright. Y2Mate is a well-known brand; this subdomain-based clone on a .is TLD with unknown domain age may be an unauthorized impersonation or pirate mirror of the original service, deceiving users into trusting it as official. (location: page.html:6, page.html:71, page.html:293)
malicious redirect
A third-party ad/tracking script is loaded from zl.keyhamates.com (//zl.keyhamates.com/tPb6NqKGgGNwRKb/133628), an unrecognized domain with no clear affiliation to Y2Mate. Such ad network scripts commonly trigger malicious redirects, pop-unders, or drive-by downloads on user interaction. This corresponds to the one redirect flagged by Tier 2 analysis. (location: page.html:170)
social engineering
A push notification SDK is silently loaded from push-sdk.com (https://push-sdk.com/f/sdk.js?z=666129) with tracking parameters click_id and source_id extracted from the URL. The SDK includes callbacks for onPermissionGranted/Denied, indicating it will prompt users for browser push notification permissions — a common social engineering vector used to deliver spam or malicious push notifications after consent. (location: page.html:376-395)
hidden content
A Cloudflare challenge script is injected via a hidden 1x1 pixel invisible iframe (height=1, width=1, position absolute, visibility hidden) created dynamically at runtime. The iframe injects a script tag with a base64-encoded timestamp parameter t='MTc3MjkzNTM3Mg==' (decodes to '1772935372'). While this pattern is consistent with Cloudflare Bot Management, the hidden iframe injection with inline script execution is the suspicious base64 blob flagged by Tier 2 and warrants noting as hidden content. (location: page.html:401)
social engineering
The page tip instructs users to insert 'pi' after 'youtube' in the URL bar (turning youtube.com into youtubepi.com), directing users away from the legitimate YouTube domain to a potentially attacker-controlled or affiliate domain. This is a subtle manipulation tactic embedded in user-facing instructions. (location: page.html:162, page-text.txt:98)
curl https://api.brin.sh/domain/ko1.y2mate.isCommon questions teams ask before deciding whether to use this domain in agent workflows.
ko1.y2mate.is currently scores 33/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.