context safety score
A score of 26/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
cloaking
Page conditionally redirects based on referrer or user-agent
js obfuscation
Obfuscated document.write with encoded content
obfuscated code
Two identical inline scripts use a custom Caesar-cipher-style character-rotation obfuscation (charCodeAt offset loop) to decode and execute payload at runtime. The scripts load ad network code from bartererfaxtingling.com and adv.clickadu.net and register error/load callbacks (vavsevhs, kkakizt). The true behavior of the decoded payload cannot be determined from static analysis, and the obfuscation pattern is consistent with malvertising loaders that perform environment fingerprinting, redirect decisions, or payload injection. (location: page.html lines 150 and 152 — inline <script data-cfasync="false"> blocks)
malicious redirect
External ad script loaded from //bartererfaxtingling.com/bn.js — a domain whose name is a nonsense string consistent with algorithmically-generated ad-fraud or malvertising domains. The script is loaded asynchronously with data-cfasync="false" (bypasses Cloudflare's rocket-loader filtering) alongside the obfuscated loader that invokes callback kkakizt(16) on both load and error. This pattern is used by pop-under and forced-redirect ad networks. (location: page.html line 153 — <script src="//bartererfaxtingling.com/bn.js">)
malicious redirect
External ad script loaded from //adv.clickadu.net/on.js — ClickAdu is a known pop-under / push-notification ad network frequently associated with unwanted redirects, fake virus alerts, and push-notification subscription abuse targeting mobile users. Loaded with data-cfasync="false" and accompanied by the obfuscated loader. (location: page.html line 151 — <script src="//adv.clickadu.net/on.js">)
hidden content
A <script type="application/ld+json" class="rank-math-schema-pro"> block in the <head> misrepresents the site's schema.org type as both a 'Person' and a 'WebSite', embedding keyword-stuffed descriptions in Unicode-escaped Hindi (\u0939\u093f\u0902... etc.) that are not rendered visibly to users. This is a hidden SEO-spam technique used to manipulate search engine indexing while keeping the content invisible to human visitors. (location: page.html line 94 — rank-math-schema-pro JSON-LD block)
social engineering
The page presents a user registration and login modal (Username, Email, Password fields with 'Sign up' / 'Login' / 'Lost Password?' flows) embedded within an adult content site using a .to ccTLD with unknown domain age and WHOIS privacy. Users attracted by adult content are prompted to create accounts and supply email addresses and passwords, which may be harvested or reused for credential-stuffing attacks. No visible privacy policy or data-handling disclosure is presented in the modal itself. (location: page-text.txt lines 554–625 — registration/login modal)
credential harvesting
Login form collects Username and Password credentials on an adult site (xxxhindi.to) with a DV-only TLS certificate, unknown domain age, and WHOIS privacy redacted. DV certificates provide no identity assurance. Users who reuse passwords from other services are at risk of credential exposure. The 'Lost Password?' reset flow also collects email addresses via a modal overlay that does not navigate to a dedicated secure page. (location: page-text.txt lines 585–614 — login and reset password modal)
prompt injection
The page title and meta description contain an unusually long, keyword-stuffed string that also embeds the competitor domain 'HindiXXXHD.COM' as if it were part of the site's own identity. If an AI agent or crawler ingests this page's metadata for summarization or classification purposes, the injected competitor brand reference and keyword soup could corrupt agent memory, skew categorization, or cause the agent to associate unrelated domains with this site. (location: page.html lines 74–75 — <title> and <meta name="description"> tags)
hidden content
All video thumbnail images use data-src lazy-loading attributes (no src attribute) combined with empty alt text fallbacks in some cases. This means the actual image URLs are never rendered in a standard HTML parse without JavaScript execution, masking the true visual content of the page from static scanners and content-classification tools. (location: page.html lines 229, 238, 247, etc. — <img data-src=...> throughout video listing)
curl https://api.brin.sh/domain/xxxhindi.toCommon questions teams ask before deciding whether to use this domain in agent workflows.
xxxhindi.to currently scores 26/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.