context safety score
A score of 32/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
cloaking
Page loads content in transparent or zero-size iframe overlay
malicious redirect
External script loaded from suspicious domain 'cank9.site' (lib.js?id=2&ver=15-04-03) in the page head. This is a known pattern for malvertising/redirect chains and drive-by download delivery. The domain has no relation to the site's stated purpose. (location: page.html:5 - <script src="https://cank9.site/lib.js?id=2&ver=15-04-03">)
malicious redirect
External script loaded from heavily obfuscated path on 'seedsjustreside.com'. The URL path uses random-looking base64/encoded segments (ibV/1RfAS/YTD9/rBQdiX4-z/...), a hallmark of malware delivery infrastructure designed to evade URL-based blocklists. (location: page.html:26 - <script src='https://seedsjustreside.com/ibV/1RfAS/YTD9/rBQdiX4-z/...'>)
obfuscated code
The external script at seedsjustreside.com uses a deeply obfuscated multi-segment URL path designed to evade detection. This pattern is characteristic of traffic distribution systems (TDS) used to serve malware, phishing pages, or unwanted redirects based on visitor fingerprinting. (location: page.html:26 - script src path on seedsjustreside.com)
social engineering
The page notice instructs users: 'Please visit now always Musicbd25.Xyz domain because Some fake report viralvideo99.com domain down.' This is a social engineering tactic to migrate users to an alternate domain (musicbd25.xyz), potentially to evade takedowns or consolidate tracking under a different domain. (location: page-text.txt:1 - Notice section)
brand impersonation
The page title and metadata simultaneously claim to be both 'viralvideo99.com' and 'musicbd25.xyz', blending two distinct domain identities. The site also references 'musicbd25.wapkiz.com' and 'musicbd25.site' as the same entity. This multi-domain identity conflation is used to abuse SEO and confuse users about the true origin of the site. (location: page.html:3,8,9,10 - title and meta tags)
hidden content
Two hidden zero-dimension iframes (height=0, width=0, visibility:hidden) are embedded pointing to Google Tag Manager's noscript endpoint. While GTM itself is legitimate, hidden iframes are a common vector for loading additional hidden tracking or redirect payloads without user visibility. (location: page.html:33 / page-text.txt:1 - noscript hidden iframes)
social engineering
The page title and meta keywords include references to 'viral video link', 'mms viral', 'pakistani viral video', 'bangladeshi viral video', 'jannat toha viral video download link telegram', 'oshin viral video original link 3.30 download telegram'. These are lures targeting users searching for explicit/leaked intimate content (MMS/viral sex videos), a common social engineering pattern to drive traffic to ad-fraud or malware sites. (location: page.html:8,11 - meta title and name tags)
phishing
The page advertises 'Subscription' and 'Earning $' pages (/page-subscription.html, /page-earn.html) on a site whose primary lure is pirated/viral content. Subscription pages on such sites commonly harvest payment credentials or personal information under false pretenses. (location: page.html:33 - navigation links to /page-subscription.html and /page-earn.html)
hidden content
CSS stylesheet loaded from 'cdncss.jdi5.com' — an unfamiliar CDN domain unrelated to any known legitimate CDN provider. Malicious CSS can be used to implement clickjacking overlays, hide/reveal content conditionally, or exfiltrate data via CSS injection techniques. (location: page.html:28 - <link rel="stylesheet" href="https://cdncss.jdi5.com/style/53796/style.css">)
curl https://api.brin.sh/domain/viralvideo99.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
viralvideo99.com currently scores 32/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.