context safety score
A score of 38/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
cloaking
Page checks user-agent for bot/crawler strings to serve different content
cloaking
Page conditionally redirects based on referrer or user-agent
js obfuscation
JavaScript uses Function constructor for runtime code generation
js obfuscation
Obfuscated document.write with encoded content
js obfuscation
Very long base64 or hex string assigned in JavaScript — likely encoded payload
obfuscated code
Heavily obfuscated JavaScript block using multi-stage decode: URL-percent-encoding decode followed by character rotation cipher applied to a long encoded string. The script dynamically reconstructs function names, URLs, and script injection logic at runtime, making static analysis impossible. This pattern is characteristic of malvertising loaders or drive-by download initiators. (location: page.html:170 — inline <script data-cfasync="false">!function(){"use strict";for(var n=decodeURI("wd%60andp%5E...")
malicious redirect
Script tag loading from third-party domain '//improperscrubbedvendor.com/on.js' with data-cfasync="false" to bypass Cloudflare rocket-loader. The domain name 'improperscrubbedvendor.com' is highly suspicious and not a recognized ad network. The async script loaded from this domain executes a callback function 'ebnlezv(15)' on both load and error, indicating tracking/redirect logic regardless of outcome. (location: page.html:171 — <script data-cfasync="false" data-clocid="2089807" async src="//improperscrubbedvendor.com/on.js")
malicious redirect
Six suspicious third-party domains are pre-connected via <link rel="preconnect"> in the page head: bartererfaxtingling.com, chestgoingpunch.com, preferencenail.com, professionaltrafficmonitor.com, skinnycrawlinglax.com, tellpicturesquedistress.com. These are all algorithmically-named domains (characteristic of domain generation algorithms or ad-fraud networks) that will receive DNS and connection data for every visitor. None are recognized CDN or ad-network domains. (location: page.html:93 — <link rel="preconnect" href="https://bartererfaxtingling.com" ...> and five similar entries)
social engineering
Site prominently advertises and distributes non-consensually shared intimate images ('leaked sextapes', 'exposed', 'naked videos') of named real individuals identified by location and social platform (e.g. 'Leaked Sex Tapes of South African Model & TV Host Cindy Makhathini', 'Naked Video of Mary From Aba', 'KNUST Girl Anita'). The site solicits user-uploaded content via 'UPLOAD LEAK' to crowdsource acquisition of non-consensual intimate imagery, which constitutes a social engineering ecosystem targeting victims. (location: page.html:843 and throughout content listings; page-text.txt:387,584,639,698,792,839)
hidden content
Ad insertion framework (AI plugin) uses base64-encoded payloads stored in data-code attributes that are decoded and injected into the DOM at runtime via createContextualFragment(). The base64 payload in the ai-viewport div (page.html:607) decodes to an iframe loading from acceptable.a-ads.com — the indirection through base64 hides the actual third-party ad destination from static scanners. (location: page.html:607 — data-code='PGRpdiBjbGFzcz0nY29kZS1ibG9jayBjb2RlLWJsb2Nr...' within div.ai-viewports)
malicious redirect
TLS certificate expires in only 12 days (days_until_expiry: 12). While not a redirect, a near-expiry DV certificate on a site serving third-party scripts and ad payloads increases risk of certificate mis-issuance or domain takeover coinciding with expiry, particularly given the suspicious third-party script ecosystem already present. (location: metadata.json — tls.days_until_expiry: 12)
social engineering
Prominent 'JOIN New Telegram' call-to-action linking to t.me/+Cu-YEOJg2u9hNGNk drives users to an unverified Telegram channel, a common vector for further malware distribution, scam links, or credential harvesting in the adult content niche. (location: page.html:843 — <a href="https://t.me/+Cu-YEOJg2u9hNGNk" target="_blank">JOIN 🔥New Telegram</a>)
curl https://api.brin.sh/domain/leaktube.netCommon questions teams ask before deciding whether to use this domain in agent workflows.
leaktube.net currently scores 38/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.