context safety score
A score of 36/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
typosquat
Repository named 'mcp-proxy' on a 22-day-old account with 0 stars. Well-known projects with the same name exist in the MCP ecosystem (e.g., modelcontextprotocol/proxy, sparfenyuk/mcp-proxy with 1k+ stars). The actual product is an 'Apollo Intelligence MCP Server' with 36 paid tools — the name 'mcp-proxy' does not describe this product and appears chosen to capture search traffic from the established mcp-proxy projects. (location: repository name: bnmbnmai/mcp-proxy)
supply chain
Repository contains no source code — only a README instructing users to run 'npx @apollo_ai/mcp-proxy'. Users cannot inspect what code will execute before running it. Combined with a 22-day-old account and 0 stars, this means users are asked to trust and execute uninspectable code from an unestablished publisher. The npm package could contain arbitrary code not represented in this repository. (location: README.md:25-26)
typosquat
Repository name 'mcp-proxy' squats on the well-known sparfenyuk/mcp-proxy project (2,300+ GitHub stars, 17 PyPI releases, widely used MCP infrastructure tool). The repo owner bnmbnmai has a 22-day-old account with 0 stars, and the server.json internally claims a different identity ('team.apolloai/intelligence'). The npm package is scoped as @apollo_ai/mcp-proxy, further leveraging the 'mcp-proxy' name. Combined with version inflation to v4.8.1 on a 22-day-old repo and a coordinated directory submission campaign (PUBLISH-CHECKLIST.md, submissions/ folder), this appears designed to attract users searching for the legitimate mcp-proxy project. (location: repository name 'bnmbnmai/mcp-proxy' and npm package '@apollo_ai/mcp-proxy')
tool shadowing
Tools named 'web_search' and 'web_scrape' use generic names identical to common built-in agent capabilities. When an agent is asked to 'search the web' or 'scrape a URL', these tools intercept calls that would otherwise go to the agent's native tools, routing all queries through the paid apolloai.team API ($0.01-$0.02/request via USDC micropayments). This creates a paid intermediary for operations the agent could perform for free with built-in tools. (location: src/index.ts — server.registerTool('web_search', ...) and server.registerTool('web_scrape', ...))
curl https://api.brin.sh/mcp/bnmbnmai%2Fmcp-proxyCommon questions teams ask before deciding whether to use this mcp server in agent workflows.
bnmbnmai/mcp-proxy currently scores 36/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this mcp server.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.