context safety score
A score of 33/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
cloaking
Page conditionally redirects based on referrer or user-agent
obfuscated code
Two identical large inline scripts use a multi-layer obfuscation technique: URI-encoded string decoding, character-shift Caesar-cipher substitution (charCodeAt offset by position modulo 95), and index-array slicing to reconstruct URLs and function names at runtime. The payload dynamically builds ad-network endpoints and installs event handlers, making static analysis of the final URLs and behaviours impossible without execution. (location: page.html lines 44 and 46 (duplicate inline <script data-cfasync="false"> blocks))
malicious redirect
External script loaded from //detoxifylagoonsnugness.com/bn.js — a randomly-named, non-reputable domain with no obvious legitimate purpose. The domain name ('detoxifylagoonsnugness') follows a pattern common to malvertising and traffic-redirection networks. The script is loaded async with both onerror and onload callbacks firing the same obfuscated handler ibdfqsil(16), indicating it participates in the redirect/ad-fraud chain regardless of load outcome. (location: page.html line 45: <script src="//detoxifylagoonsnugness.com/bn.js">)
malicious redirect
External ad-network script loaded from //adv.clickadu.net/on.js. Clickadu is a known push-notification and pop-under ad network frequently associated with aggressive redirects, malvertising, and unwanted subscription prompts on adult sites. DNS prefetch and preconnect hints for both clickadu.net and detoxifylagoonsnugness.com are set in <head>, ensuring connections are established before page content is fully parsed. (location: page.html line 47: <script src="//adv.clickadu.net/on.js"> and lines 31-34 (dns-prefetch/preconnect hints))
brand impersonation
The site name 'XNXX Arab' and domain 'xnxxarab.to' deliberately mimics the well-known brand 'XNXX' (xnxx.com). The logo, page title, tag cloud, and in-content labels (e.g. 'xnxx porn', 'xnxx مترجم') all leverage the XNXX trademark to attract users who intend to visit the legitimate site, driving traffic to a third-party domain with unknown ownership and ad monetisation infrastructure. (location: page.html lines 4, 66, 1672 (logo/title); page-text.txt lines 1526, 1560, 1564, 1596)
hidden content
All thumbnail images are initialised with a 1×1 transparent GIF data URI (data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7) as the src attribute, with actual image URLs deferred into data-original and data-webp attributes for lazy-loading. While this is a common performance pattern, it means the true image content is not present in the initial HTML and is injected by JavaScript, allowing the displayed content to differ from what a static scanner would see. (location: page.html lines 214, 246, 278, 310 etc. (all video thumbnail <img> tags))
curl https://api.brin.sh/domain/xnxxarab.toCommon questions teams ask before deciding whether to use this domain in agent workflows.
xnxxarab.to currently scores 33/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.