context safety score
A score of 27/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
malicious redirect
The scanned URL is vailonxx.co but the canonical URL, all internal links, pingback, and resource loads redirect to vailonxx.me. The .co domain acts as a redirect/cloaking layer to funnel users to the primary .me domain, likely to evade blocklists targeting the main domain. The page itself states the original VLXX domain was blocked by ISPs and this is a mirror. (location: page.html:8 (rel=pingback href=vailonxx.me/xmlrpc.php), line 16 (canonical href=vailonxx.me), line 33 (dns-prefetch vailonxx.me))
brand impersonation
The site impersonates the well-known Vietnamese adult brand 'VLXX' by operating under the name 'Vailonxx' across multiple domains (vailonxx.co, vailonxx.me, vailonxx.com, vailonxx.net). It explicitly positions itself as an unofficial mirror/clone of VLXX, capitalizing on the brand's traffic after ISP blocks. This is a deliberate brand hijack to capture users searching for the original VLXX brand. (location: page.html:14 (title tag), page.html:1396 (body text explicitly stating it is a VLXX clone after domain blocking))
hidden content
Tags dynamically fetched from the WordPress REST API are split into visible ('dpl_tags') and hidden ('hidden_tags') categories. Tags beyond index 9 are assigned class 'hidden_tags' and immediately hidden with jQuery ($('a.hidden_tags').hide()). CSS also sets 'a.hidden_tags { background: #000!important; }' making them invisible. This is a classic SEO cloaking technique to inject keyword-rich hidden links into the DOM not visible to ordinary users but potentially readable by crawlers or AI agents. (location: page.html:365-408 (JavaScript tag injection), page.html:166 (CSS: a.hidden_tags { background: #000!important; }))
social engineering
The upload button in the navigation links to https://tuoi69hd.net/myacount/?action=register — an external third-party domain registration page. Users are prompted to register an account on a separate unrelated domain (tuoi69hd.net) under the guise of uploading videos to Vailonxx. This cross-site registration harvesting uses the trust of the Vailonxx brand to drive account creation on a different platform. (location: page.html:289 and page.html:1544 (anchor href=https://tuoi69hd.net/myacount/?action=register))
malicious redirect
An external JavaScript file is loaded from the third-party domain axx.hellobabygirl.live: https://axx.hellobabygirl.live/axx/js/adx_vailonxx.js. This domain is prefetched via dns-prefetch (page.html:34) and the script is loaded without any integrity (SRI) hash. The subdomain 'axx' and domain 'hellobabygirl.live' are unrelated to the site and represent an opaque third-party ad/redirect script with full DOM access, capable of injecting popups, redirects, or credential harvesters. (location: page.html:34 (dns-prefetch axx.hellobabygirl.live), page.html:1626 (script src=https://axx.hellobabygirl.live/axx/js/adx_vailonxx.js))
credential harvesting
The 'Upload video' CTA present in both desktop and mobile navigation links to https://tuoi69hd.net/myacount/?action=register — a registration form on an external domain. Users of vailonxx.co are directed to create accounts on a completely separate domain (tuoi69hd.net) without disclosure that they are leaving the site. This pattern is consistent with credential harvesting via cross-site account registration under false affiliation. (location: page.html:289 (desktop nav), page.html:1544 (mobile nav sidebar))
hidden content
All thumbnail images use lazy-load SVG placeholders (data:image/svg+xml blank SVGs) as the src attribute, with actual image URLs only in data-src. While this is a common performance pattern, it means the real content is deferred and only rendered by JavaScript. An AI agent or crawler parsing static HTML would see blank placeholder images rather than actual thumbnails, creating a discrepancy between machine-perceived and human-perceived content. (location: page.html:430, 454, 478 (and throughout post thumbnails — data:image/svg+xml placeholder src with data-src containing real image URL))
prompt injection
The page contains a JavaScript syntax error embedded in an event handler: '$('a.hidden_tags').show();im' — the stray token 'im' after the statement (line 391 of page.html) is syntactically invalid. While likely a typo, stray tokens in inline scripts within page content can be used as a technique to embed unexpected content that may be interpreted differently by AI code-reading agents versus browsers that silently ignore certain parse errors. (location: page.html:391 ($('a.hidden_tags').show();im — stray token after JS statement))
curl https://api.brin.sh/domain/vailonxx.coCommon questions teams ask before deciding whether to use this domain in agent workflows.
vailonxx.co currently scores 27/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.