URL Safety Inspector

Heuristically rate a URL's phishing risk — IP-literal hosts, an @ in the authority, excessive subdomains, punycode and lookalike TLDs — right in your browser. No request is ever made to the site.

Try:
Risk report

About this tool

The URL Safety Inspector reads the structure of a link and rates how much it looks like a phishing URL. It never contacts the site and never queries a blocklist — every signal comes from the URL string itself, so the check is instant, private, and deterministic (the same URL always produces the same rating).

It runs these heuristic checks:

Each match adds to a 0–100 composite score that maps to a MINIMAL / LOW / MEDIUM / HIGH / CRITICAL rating, and every finding is listed with its severity.

Worked example

Inspecting http://[email protected]/login returns:

Phishing risk: CRITICAL (score 78/100)
URL: http://[email protected]/login

Findings (4):
  [high] Authority contains '@': the browser connects to '192.168.0.1', while the 'paypal.com' shown before the '@' is ignored — a classic disguise.
  [high] Host is an IP literal (192.168.0.1), not a domain name — legitimate sites almost always use a registered domain.
  [low] URL uses plain http:// — traffic is unencrypted and the site presents no TLS identity.
  [low] Contains urgency/credential keywords (login) — common in pages that fake a login or verification prompt.

A clean link such as https://www.example.com/pricing returns Phishing risk: MINIMAL (score 0/100) with no findings.

Limits & edge cases

FAQ

Does this tool visit the URL or send it anywhere?

No. The entire check runs locally in your browser (WebAssembly) using only the text of the URL. Nothing is uploaded, no request is made to the site, and no blocklist is queried — so it works offline and never tips off a phishing site that you inspected it.

What does the score and rating actually mean?

Each finding contributes points by severity (high/medium/low/info), and the total is capped at 100. The bands are: 0MINIMAL, 1–19LOW, 20–44MEDIUM, 45–69HIGH, 70+CRITICAL. It is a relative "how suspicious does this look" measure, not a probability that the site is malicious.

Why is a URL I know is safe flagged as risky?

The heuristics catch patterns that phishing often uses, but legitimate sites use some of them too — real login subdomains, marketing links on .xyz, or shortened share links. That's why every finding is explained: use it to understand what looked unusual rather than treating the rating as a verdict.

What is the `@` (userinfo) trick it warns about?

In a URL like http://[email protected]/, everything before the @ is userinfo that the browser ignores for routing — it actually connects to evil.example. Attackers put a trusted brand there so the link looks legitimate at a glance. The tool always reports the real host (the part after the last @).

What is punycode and why does it matter?

Punycode (xn--…) encodes non-ASCII characters in a domain. It enables homograph attacks: a label using a Cyrillic а or Greek ο can look identical to a Latin letter, so аpple.com can visually impersonate apple.com. Any xn-- label is flagged so you can decode and compare it before trusting the link.

Developer & Automation Access

Run it from the terminal

Same engine as this page, headless — via the gizza CLI:

gizza tool url-safety-inspect "https://secure-login.example.tk/verify-account"

New to the CLI? Get gizza →

Open it by URL

Pre-fill and auto-run this tool with query parameters — the names match the API/CLI:

https://gizza.ai/tools/url-safety-inspect/?url=https%3A%2F%2Fsecure-login.example.tk%2Fverify-account

Machine-readable descriptor: tool.json — title + parameters JSON Schema for agents.