context safety score
A score of 30/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
social engineering
Site claims to offer leaked private/OnlyFans content of real named individuals without consent, using exploitative language ('slut', 'whore', 'fucktoy', 'fuckdoll', 'cum dumpster') to lure visitors. This is a non-consensual intimate image (NCII) distribution platform designed to exploit victims and attract traffic through shock/prurient appeal. (location: page.html: throughout video listings, titles, and meta description)
malicious redirect
Multiple ad scripts dynamically load external JavaScript from sharebang.com using document.createElement('script') and document.head.appendChild(), with referrerPolicy set to 'unsafe-url'. This sends the full referring URL (including any sensitive path/query parameters) to a third-party ad server and loads arbitrary remote code that can redirect users or serve malicious payloads. (location: page.html:341, 417, 447, 1244, 1255, 1257; page-text.txt:51, 126, 156, 951, 962, 964)
obfuscated code
A popunder/ad injection script uses base64-encoded URLs in an array (x=["d3d3LnZpc2FyaW9tZWRpYS5jb20v...","ZDEzazdwcmF4MXlpMDQu...","d3d3LnV3dXlrdnZjbS5jb20v...","d3d3LnJrb2FpdGd4a3N4Znlz..."]) that are decoded at runtime via atob() and loaded as scripts with onerror fallback chaining. This hides the actual third-party script sources (visariomedia.com, d13k7prax1yi04.cloudfront.net, uwuykv vcm.com, rkoaitgxksxfys.com) from static analysis. A hardcoded timestamp (1790698650000) acts as an expiry/kill-switch. (location: page.html:1378; page-text.txt:1085)
hidden content
Ad containers (AADIV52, AADIV53, AADIV58, AADIV61, AADIV64, AADIV66) are injected via JavaScript with no visible fallback content. Their actual ad payloads are fetched dynamically from sharebang.com at runtime, meaning the true content served to users is invisible to static analysis and can change arbitrarily. Cookie values ('adcapban') are read and passed as 'psc' parameters to the ad server, transmitting browser state to a third party. (location: page.html:341, 404-431, 433-461, 1244, 1255, 1257)
credential harvesting
A login modal form (id='wpst_login_form') collects username and password and POSTs to https://nudeleaks.tv/. Given the site's nature as a non-consensual content platform and the presence of aggressive third-party ad/tracking scripts with obfuscated code, credentials entered here may be at risk. The nonce value 'ba811828b2' is also exposed in the page source, potentially enabling CSRF attacks. (location: page.html:1307-1321)
social engineering
Navigation buttons labeled 'FREE ONLYFANS', 'Girls Nearby', 'AI Sex Chat', and 'Live Cams' are affiliate redirect links to sharebang.com tracker URLs (flp=54/55/56/57). These use deceptive labels implying free content or nearby people to drive affiliate traffic to external sites, a classic bait-and-redirect social engineering pattern. (location: page.html:335-338)
malicious redirect
A tsyndicate.com SDK script is loaded (//cdn.tsyndicate.com/sdk/v1/p.js) with a spot ID, session duration, and delay parameters. tsyndicate.com is a known ad network associated with pop-under and redirect advertising. Combined with the 'videoslider' adMoxy plugin loaded from live.trudigo.com, users are exposed to unsolicited redirects and pop-under windows. (location: page.html:1382-1393)
hidden content
A footer widget contains a link to an external escort service site (https://www.umraniyetip.net/anadolu-yakasi/) styled as normal site content. This is hidden from most desktop users via CSS (display:none on .fixed-button-container for desktop) and is likely a paid link insertion for SEO purposes, obscuring its true nature. (location: page.html:1262-1266)
curl https://api.brin.sh/domain/nudeleaks.tvCommon questions teams ask before deciding whether to use this domain in agent workflows.
nudeleaks.tv currently scores 30/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.