Announcements · February 17, 2026 · 3 min read

Launching brin.sh — the universal allowlist for agents

brin pre-scans packages, MCP servers, repositories, skills, web pages, and contributors for malware, prompt injection, and supply chain attacks. One GET request, no auth, no SDK.

Alan Zabihi, Co-founder & CEO

Launching brin.sh — the universal allowlist for agents. Before your agent acts on any external context, one GET request returns a score, verdict, and detected threats. No SDK, no auth, no signup.

Agents trust everything by default

Spotify's top engineers reportedly haven't written code by hand since December. Cursor, Claude Code, Codex, Gemini CLI — agents are writing production software everywhere. Some companies are already majority agent-written.

This shift happened fast, and our infrastructure hasn't caught up. Agents fetch packages, load web pages, install MCP servers, read contributor profiles, and clone repositories without reviewing any of it. They reduce the distance between "find external content" and "execute untrusted code" to zero.

Typosquatting, malicious install scripts, prompt injection, tool shadowing in MCP servers, sleeper contributor accounts. These threats existed before agents. Agents make every one of them worse because there's no human in the loop to notice something looks wrong.

Securing context, not agents

The default approach to agent security is guardrails — restricting what the agent can do. Block certain tools, sandbox file access, limit network calls. It works, but it cripples the agent. The more you constrain it, the less useful it becomes.

brin takes a different approach. Let agents be as unconstrained as possible and instead score every piece of external context they interact with. The risk was never the agent. It's the external context the agent trusts by default.

Secure the context, not the agent. You get safety without sacrificing capability.

What brin scores

Six types of artifacts that agents consume autonomously, each with a distinct threat model:

  • Packages — install-time attacks, credential harvesting, typosquatting
  • MCP servers — tool shadowing, schema abuse, silent capability escalation
  • Repositories — agent config injection, malicious commits, compromised dependencies
  • Skills — description injection, output poisoning, instruction override
  • Web pages — prompt injection, phishing, cloaking, hidden exfiltration
  • Contributors — sleeper accounts, typosquat identities, anomalous activity

Every artifact is scored 0–100 across four dimensions: Identity (who published this?), Behavior (does it behave normally?), Content (is it malicious?), Graph (transitive trust from relationships). Output: score, verdict, confidence, and detected threats.

How it works

Before your agent acts on any external context, make a single GET request:

curl https://brin.sh/npm/lodash

brin returns a score, verdict, and any detected threats. The platform decides what to do: block, warn, or proceed. If brin is unreachable, the agent continues as normal — zero risk to your existing workflow. Sub-10ms cached responses, no SDK, one HTTP call.

All free. No auth, 300 requests per minute per IP. The full dataset is also available as a JSONL data dump you can host locally. The CLI is open source and wraps the API.
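The check described above, as an added example that is not brin's own code: one unauthenticated GET per artifact, a small block/warn/proceed policy over the result, and the fail-open path for when brin is unreachable. The JSON field names (score, verdict, confidence, threats), the verdict strings and the thresholds are assumptions; only the URL shape is from the page.

```python
import json
import urllib.error
import urllib.request

BRIN_BASE = "https://brin.sh"
BLOCK_BELOW = 40   # assumed policy thresholds, not brin's
WARN_BELOW = 70


def fetch_score(ecosystem: str, name: str, timeout: float = 2.0):
    """One unauthenticated GET, e.g. https://brin.sh/npm/lodash.
    Returns the parsed JSON, or None if brin is unreachable, times out,
    or answers with something that is not JSON."""
    url = f"{BRIN_BASE}/{ecosystem}/{name}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return json.load(resp)
    except (urllib.error.URLError, TimeoutError, ValueError):
        return None


def decide(result, fail_open: bool = True) -> str:
    """Map a brin result to block / warn / proceed.
    fail_open=True reproduces the behaviour described on the page (the
    agent continues when brin is unreachable); pass False for artifacts
    where silent continuation is unacceptable, e.g. install scripts that
    run with the agent's own privileges."""
    if result is None:
        return "proceed" if fail_open else "block"
    if result.get("threats"):          # any detected threat wins
        return "block"
    score = int(result.get("score", 0))
    if score < BLOCK_BELOW:
        return "block"
    if score < WARN_BELOW:
        return "warn"
    return "proceed"


# Constructed sample responses (not real brin output) so this runs offline.
SAMPLE_CLEAN = {"score": 92, "verdict": "safe", "confidence": 0.97, "threats": []}
SAMPLE_TYPOSQUAT = {"score": 8, "verdict": "malicious", "confidence": 0.91,
                    "threats": ["typosquat", "install_script"]}

if __name__ == "__main__":
    cases = (("clean", SAMPLE_CLEAN), ("typosquat", SAMPLE_TYPOSQUAT), ("unreachable", None))
    for label, r in cases:
        print(label, "->", decide(r))
```

Replace the sample dicts with `fetch_score("npm", "lodash")` to run it against the live endpoint.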

Open data

Every score brin produces is public and the tools are open source. The API requires no auth and costs nothing. If you prefer not to depend on the API, download the full dataset and host it on your own infrastructure. The more widely trust signals are available, the harder it becomes for malicious context to spread.

Get started at brin.sh/docs/get-started/quickstart.

Source at github.com/superagent-ai/brin.
