context safety score
A score of 35/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
malicious redirect
Domain thebellmurrow.co.uk is serving content entirely belonging to legoutrmets.com — a Vietnamese adult content site. The page's canonical URL, all assets, links, and branding point to legoutrmets.com, not the registered domain. This is a classic domain hijack/parking redirect where a legitimate-looking aged UK domain silently serves content from a completely different site. (location: page.html:11-13, <link rel='canonical' href='https://legoutrmets.com/'> and all asset/href references)
obfuscated code
A large obfuscated JavaScript block labeled '<!--PUPUNDER-->' uses a multi-step decode pipeline: decodeURI on a long encoded string, followed by a Caesar-cipher-style character shift keyed on array index offsets extracted from a position table. This pattern is characteristic of popunder ad malware that dynamically constructs and executes URLs/scripts to evade static analysis. (location: page.html:36, <script data-cfasync='false'>!function(){"use strict";for(var n=decodeURI(...))
malicious redirect
Popup/popunder script explicitly opens random URLs from a hardcoded list ('https://jun8899.me/sextop2' and 'https://mb6688.me/sextop2MB66') in a new tab on any user click, after a 10-second initial delay and once per 60 seconds. These are affiliate gambling/adult redirect links disguised as banner ads. (location: page.html:44-92, popupConfig links array and openPopup() function)
malicious redirect
External script loaded from //bodybossmotivate.com/on.js with data-clocid attribute, a known third-party popunder/redirect ad network script. This script can deliver unsolicited redirects or malicious payloads independently of the page content. (location: page.html:37, <script data-cfasync='false' data-clocid='2030212' async src='//bodybossmotivate.com/on.js'>)
hidden content
A script tag is injected inside a <script> block as a string assigned to scriptElement.src, rendering it syntactically broken and non-executing in normal parsing — but the URL 'https://www.vipads.live/vn/FD2635C2-E5F4-1993-33-E9455AE179BE.blpha' is exposed in rendered page text (page-text.txt line 39). This appears to be an attempt to conditionally load a third-party ad payload on mobile screens while partially evading script scanners. (location: page.html:132-138, page-text.txt:37-41)
hidden content
A commented-out script tag references 'https://www.vipads.live/vn/A4FA082A-2351-1993-33-DBDDC45340F3.blpha', a different UUID on the same vipads.live domain. This is a dormant/inactive payload URL hidden in an HTML comment, suggesting a staged delivery mechanism or backup redirect script. (location: page.html:40, <!--CATFIT BANNER <script src='https://www.vipads.live/vn/A4FA082A-2351-1993-33-DBDDC45340F3.blpha'>-->)
social engineering
Recent search terms displayed on the page include queries strongly suggestive of child sexual abuse material (CSAM): 'Tre Em' (children), 'Hoc Sinh 2k10 Du Nhau' (students born 2010), 'Sex Nu Sinh Moi 2k10 Da Bi Chich' (new female students born 2010 who have been injected/had sex), 'Lop 8' (grade 8, ~13-14 year olds), 'Gai Teen'. These search terms are prominently surfaced as clickable links to normalize and funnel users toward potentially illegal content. (location: page.html:623-643, recent search section)
malicious redirect
Footer 'Liên Kết' (Links) section contains outbound links to multiple .co.uk domains (sportatschool.org.uk, hassanbalti.co.uk, nasiha.co.uk, tiamoitalian.co.uk) with anchor text labeling them as Vietnamese adult content sites. This is a link farm pattern: legitimate-appearing aged UK domains are cross-linked to funnel SEO authority and traffic between compromised or parked sites in the same network. (location: page.html:668-674, footer links section)
hidden content
Thumbnail images use a 1x1 transparent GIF as the src placeholder (data:image/gif;base64,iVBORw0KGgo...) with actual image URLs deferred to a data-original attribute loaded by a lazyload script. While common for performance, in this context it also means image content is not rendered without JavaScript execution, obscuring the actual visual content from static scanners. (location: page.html:273-274 and throughout movie listing items)
curl https://api.brin.sh/domain/thebellmurrow.co.ukCommon questions teams ask before deciding whether to use this domain in agent workflows.
thebellmurrow.co.uk currently scores 35/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.