context safety score
A score of 40/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
cloaking
Page conditionally redirects based on referrer or user-agent
js obfuscation
JavaScript uses Function constructor for runtime code generation
malicious redirect
Popunder/tabunder ad system configured to fire on user clicks across the page, redirecting users to third-party ad networks (tubecup.net, ntvpforever.com, boannred.com, online-hd.amazingcontent.site). The system is designed to suppress pops for Google-referred traffic to avoid detection while aggressively firing for other traffic sources. (location: page.html:lines 97-489, window["_rb6w3t7z1l"] config and popOptions config blocks)
malicious redirect
Hard-link navigation items dynamically injected via JavaScript redirect users to obfuscated affiliate tracking URLs: https://s.ku34bh9la09.com/v1/d.php?z=2928 (labeled 'Teamskeet FREE WEEK') and https://rtr2perf1.com/37f77684-ae10-45df-9af0-40b738f664dc (labeled 'AI JERK OFF'). These use tracker-style domains that obscure the final destination. (location: page.html:lines 103-144, hlink_1 variable assignments)
obfuscated code
Obfuscated string constructed by reversing a char-code array: var mk = [101,99,114,117,111,115,95,97,109,103,97,109].map(function(e){ return String.fromCharCode(e) }).reverse().join('') decodes to 'magma_source'. This value is then sent to Yandex Metrika analytics as a user parameter, obscuring what data is being exfiltrated. (location: page.html:line 47, iirEf analytics function)
hidden content
Base64-encoded configuration blob in variable cGAm2MphS contains siteId, ad server references (vstvstsa.com for VAST ads), and hardlink URL. Decoded value reveals ad infrastructure details hidden from casual inspection. A second blob fqp3VeZWI encodes placeholder configuration. (location: page.html:line 94, body-opening script block)
social engineering
Time-gated promotional links use urgency tactics: 'Teamskeet FREE WEEK' (active until 2026/04/01) and 'AI JERK OFF' (active until 2026/03/15) are injected as top navigation items using a blinking green dot animation to draw attention. These are affiliate traffic redirects disguised as site navigation. (location: page.html:lines 103-144, hlink_1 conditional blocks)
social engineering
In-player button labeled 'FULL VIDEO HERE' (active until 2026/03/31) redirects to https://fhgte.com/tour with affiliate tracking parameters, implying free full video access while actually routing to an external paid/affiliate content site. The locker_url and _plBtn mechanism gates content behind an external redirect. (location: page.html:lines 962-976, window._plBtn and window._plBtnText assignments)
hidden content
Yandex Metrika analytics (ym ID 61864270) tracks user cookie values and campaign parameters and transmits them to mc.yandex.ru. The tracked cookie key is obfuscated via char-code reversal. This sends visitor cookie data to a Russian analytics service without explicit disclosure. (location: page.html:lines 59-65, Yandex Metrika initialization block)
malicious redirect
Push notification service worker registered at /ps/vOK8Xj.js and /ps/jenya14.js with auction URL at notification.tubecup.net and subInterstitialSettings directLink pointing to online-hd.amazingcontent.site. This enables persistent background redirects after notification permission is granted. (location: page.html:line 97, window["_rb6w3t7z1l"] push spot config)
curl https://api.brin.sh/domain/pornhits.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
pornhits.com currently scores 40/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.