context safety score
A score of 40/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
js obfuscation
JavaScript uses eval() with String.fromCharCode — common obfuscation
obfuscated code
Heavy JSFuck-style obfuscation using eval() with bracket-notation arrays to construct strings at runtime. The values() function uses eval() on JSFuck expressions to build cookie values, concealing the actual strings being computed. This pattern is used to evade static analysis of cookie values being set. (location: page.html:35-41 (second <script> block, values() function))
obfuscated code
Hex-indexed variable array obfuscation (_0x4541, _0x2d84, _0x37209d, etc.) combined with a rotating array shuffle (push/shift loop with 0x127 iterations) to obscure control flow and string lookups. This is a standard javascript obfuscator pattern used to hide malicious logic from static scanners. (location: page.html:41 (var _0x4541 = [...] block))
hidden content
Page renders two hidden sections (class 'error-section--hide') and uses JavaScript to selectively reveal one based on timezone detection (Tehran/Iran). Non-Iranian visitors see an English 'Transferring to the website...' page while Iranian visitors see a Farsi version. Content is hidden from direct inspection until runtime timezone check completes. (location: page.html:1 (error-section--hide sections, isTehranTimezone() function))
malicious redirect
The page does not display real content; it shows a transit/loading screen ('Transferring to the website...') and then calls location.reload() after setting obfuscated cookies. This is an anti-bot challenge gate that redirects/reloads the browser after planting cookies derived from obfuscated computed values, masking the true destination or gating access. (location: page.html:43-48 (DOMContentLoaded setTimeout with location.reload()))
obfuscated code
Cookie values (__arcsjs and __arcsjsc) are computed by double-applying a custom XOR cipher (key 0x6) over obfuscated input strings built via JSFuck eval. The actual cookie values are never visible in plaintext source, making it impossible to statically determine what browser fingerprint or token is being transmitted. (location: page.html:41,45-46 (hash_v1/hash computation and cookie assignment))
curl https://api.brin.sh/domain/ut.ac.irCommon questions teams ask before deciding whether to use this domain in agent workflows.
ut.ac.ir currently scores 40/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.