context safety score
A score of 40/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
malicious redirect
script/meta redirect patterns detected in page source
cloaking
Page conditionally redirects based on referrer or user-agent
js obfuscation
JavaScript uses Function constructor for runtime code generation
brand impersonation
The domain xnxxsexarab.com incorporates 'xnxx' in its name, directly impersonating the well-known adult platform XNXX (xnxx.com) to attract traffic through brand confusion. The site title and branding 'Xnxx Sex Arab' and repeated use of 'xnxx' in video titles and tags reinforce this impersonation. (location: page.html:4, page.html:57, page.html:1180, metadata.json:domain)
credential harvesting
The site presents login and signup forms loaded via AJAX modal overlays (data-fancybox='ajax') pointing to /login/ and /signup/ endpoints. This pattern — on a brand-impersonating adult site — is commonly used to harvest user credentials, especially from users who may believe they are registering on the legitimate XNXX platform. (location: page.html:47-48, page.html:1211-1212)
social engineering
Multiple video titles reference real named individuals (e.g., 'هدير عبدالرازق', 'رحمه محسن', 'دينا الراقصه', 'ميرا النوري', 'Rahaf Al Qunun Mohammed') labeled as 'فضيحة' (scandal/leak). Presenting real public figures' names as participants in explicit content is a social engineering tactic designed to exploit curiosity and lure users into account registration or ad-click engagement. (location: page.html:341-384, page.html:433-453, page.html:387-407, page.html:179)
malicious redirect
A pop-under/new-tab ad script from a.pemsrv.com (idzone 4587038) is embedded with 'new_tab: true', 'trigger_method: 2', and triggers on clicks of video items. This will silently open new browser tabs or windows to third-party ad destinations when users interact with content, constituting an unsolicited malicious redirect mechanism. (location: page.html:1246-1268, page-text.txt:1207-1228)
hidden content
The footer contains a Lorem ipsum placeholder text block ('Lorem ipsum dolor sit amet...') that appears to serve no legitimate purpose on a production site. This is a recognized technique to add invisible or visually ignored filler content that may conceal SEO spam, cloaked text, or future injection points not immediately visible to users. (location: page.html:1223, page-text.txt:1183)
hidden content
All thumbnail images use a 1x1 transparent GIF data URI as the src attribute (data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7) with actual content deferred via data-original and data-webp attributes. While lazy-loading is common, combined with the other signals this pattern can be used to obscure the true nature of content from automated scanners. (location: page.html:205, 228, 251 (and throughout))
brand impersonation
The tags cloud and SEO keyword section extensively lists competing adult platform brand names as search tags: 'xhamster', 'youporn', 'pornhub', 'xvideos', 'spankbang', 'beeg', 'tukif', 'fuq', 'ixxx', 'xlxx'. This is SEO brand hijacking — abusing competitor trademarks to divert search traffic to this site. (location: page.html:1100-1190, page-text.txt:1060-1150)
social engineering
The site includes a 'مجتمع وتعارف' (community and dating) section and a user account system (signup/login), encouraging users to create accounts and engage socially on an adult content platform. This expands the attack surface for credential harvesting and personal data collection beyond simple video viewing. (location: page.html:100-101, page.html:47-48)
curl https://api.brin.sh/domain/xnxxsexarab.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
xnxxsexarab.com currently scores 40/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.