context safety score
A score of 47/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
cloaking
Page loads content in transparent or zero-size iframe overlay
brand impersonation
The site uses Instagram's visual identity (gradient logo matching Instagram's exact color scheme, 'Save Insta Free' branding, Instagram™ trademark reference in disclaimer) to position itself as an Instagram-affiliated tool. The explicit disclaimer 'Save Free is not affiliated with Instagram™' confirms deliberate mimicry of Instagram brand assets to attract users searching for official Instagram services. (location: page.html line 4 (SVG logo with Instagram gradient #FDBE52→#ED2540→#AB3C95→#5755A3), page.html line 109 (disclaimer text), og:title meta tag 'Save Insta Free')
social engineering
The site prompts users to input Instagram usernames and profile URLs, collecting this data under the guise of anonymous viewing and downloading. The form collects email addresses via the 'Report an issue' modal (required field), and push notification consent is solicited via Perfecty Push with askPermissionsDirectly:true, enabling persistent browser-level access to the user. (location: page.html line 213 (issue form with required email field), decoded base64 blob: PerfectyPushOptions with askPermissionsDirectly:true and visitsToDisplayPrompt:0)
hidden content
Multiple JavaScript payloads are delivered as base64-encoded data:text/javascript URIs rather than plain script tags. While most decode to benign functionality, this obfuscation pattern hides the full behavior of the page from casual inspection, including push notification configuration (VAPID key, server endpoints), ad modal logic, Histats tracking initialization routed through a local theme JS file (/wp-content/themes/dt.v.0.1/assets/js/js15_as.js), and a dynamically injected promotional HTML block targeting the .note_to_users DOM element. (location: page.html lines 3, 204, 206, 212 (multiple data:text/javascript;base64 script src attributes))
hidden content
A Cloudflare challenge script is injected via a hidden 1x1 pixel iframe appended to the document body at runtime. The iframe executes a script that loads /cdn-cgi/challenge-platform/scripts/jsd/main.js with an encoded parameter (r:'9d72b14c782eeb07', t:'MTc3MjY0NjMwNA=='). This is a standard Cloudflare bot detection mechanism but constitutes a non-visible, dynamically injected execution context invisible to users. (location: page.html line 214 (inline script creating hidden iframe with Cloudflare challenge JS injection))
social engineering
Sticky bottom banner and interstitial overlay aggressively promote app downloads (Google Play: app.storyloader.videodownloader, Apple App Store: id6747391595) with a 15-second countdown and 720-minute suppression window, pressuring users toward installing third-party apps. The interstitial auto-intercepts clicks on Apple App Store links (selector: 'a[href*="apps.apple.com"]') to display a promotional overlay before redirecting. (location: page.html line 212 (decoded __DTSP__ config), decoded SF_INTERSTITIAL config with countdownSeconds:15, decoded DTSP_INTERSTITIAL selector hijacking apple app store links)
curl https://api.brin.sh/domain/save-free.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
save-free.com currently scores 47/100 with a suspicious verdict and medium confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.