context safety score
A score of 38/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
cloaking
Page checks user-agent for bot/crawler strings to serve different content
cloaking
Page conditionally redirects based on referrer or user-agent
js obfuscation
JavaScript uses Function constructor for runtime code generation
brand impersonation
The page title and metadata claim to be 'AAGmaal | Uncut Web Series' and the site name is 'ulluuncut.now', directly impersonating the legitimate Indian OTT platform 'ULLU' (ullu.app) and the brand 'AAGmaal'. The domain name 'ulluuncut.now' is a typosquat/brand-hijack of the official ULLU streaming service to attract users searching for the legitimate platform. (location: page.html:70-78, metadata.json)
brand impersonation
The page logo uses 'ulluuncut.now' branding with a logo image (cropped-ulluuncut512x512.png) that mimics the ULLU brand identity. The structured data (JSON-LD schema) references the organization name 'ulluuncut.now' with branding designed to appear as an official ULLU affiliate or mirror site. (location: page.html:84 (JSON-LD schema), page.html:102-103)
obfuscated code
A heavily obfuscated JavaScript block is injected inside a 'code-block-1' div using a self-executing function with hex-encoded string lookups, shuffled array rotation (while(!![])), and encoded integers (e.g., parseInt(Xo(0xac))/0x1). This pattern is characteristic of obfuscators like javascript-obfuscator used to conceal ad injection, redirect logic, or tracking payload delivery. (location: page.html:281, page-text.txt:184)
obfuscated code
Inline script dynamically constructs and injects a Cloudflare challenge iframe with hardcoded encoded parameters (window.__CF$cv$params with base64-encoded 't' value 'MTc3MjY0ODMwNw=='). The script uses a hidden 1x1 absolute-positioned iframe to execute challenge scripts invisibly, which can be repurposed for covert script execution or fingerprinting. (location: page-text.txt:310, page.html (footer area))
hidden content
Multiple thumbnail images use a 1x1 transparent GIF placeholder (data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7) with real image URLs stored in 'data-wpfc-original-src' attributes. While this is a lazy-loading pattern, it means the actual image sources are not rendered until JS executes, masking the true content from static scanners. (location: page.html:139,147,155,163,171,179,187,195,203,211,219,227,235,243,251,259,267,275)
social engineering
The site presents itself as a streaming platform hosting pirated/unauthorized adult content ('uncut' versions of Indian web series from ULLU, AAGmaal, and similar platforms). It uses deceptive branding to lure users seeking legitimate content, then exposes them to ad networks, pop-ups, and potential drive-by download attacks through the obfuscated ad injection scripts. (location: page.html:70-71, page-text.txt:27-179)
credential harvesting
A login modal form collects username and password credentials and submits them via POST to 'https://ulluuncut.now/wp-admin/admin-ajax.php'. The form is presented under the guise of a legitimate streaming service login on a site impersonating ULLU. Users believing they are logging into the official ULLU service would surrender credentials to this third-party site. (location: page.html:293-294, page-text.txt:195-202)
hidden content
Google Tag Manager (GT-P845Z7DT) is loaded lazily on user interaction events (mousemove, wheel, scroll, touchstart, touchmove) rather than at page load, obscuring analytics/tracking activity from passive scanners and delaying detection of any GTM-based payload delivery. (location: page.html:91)
curl https://api.brin.sh/domain/ulluuncut.nowCommon questions teams ask before deciding whether to use this domain in agent workflows.
ulluuncut.now currently scores 38/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.