arkose labs (funcaptcha) bot-detector intel

arkose invisible loader

[ok]

https://client-api.arkoselabs.com/v2/invisible/2.10.0/api.js ↗

last ran: 2026-05-19 22:32 utc; (2d ago)
last updated: 2026-05-15 04:50 utc; (6d ago)
size: 71.7kb
sha256: cc819d159bde

apis touched: 146; 146 raw
bot tells: 17
sinks: 1; 0 leaked
hazards: 1
structural: 0
anti-debug: 0; L3/L4 hazards
consistency: 0; cross-checks
providers: 0

categories probed (8)

click a row to drill into every api the script probes in that category.

[+] document
3 apis · 2 tells · 7 hits
- [+] *.contentWindowhigh · bot-tell×1
  details + source hits (1)
- [+] document.currentScriptmedium · bot-tell×2
  details + source hits (2)
- [+] document.createElementlow×4
  details + source hits (4)
[+] introspection
13 apis · 1 tells · 77 hits
- [+] Object.definePropertymedium×16
  details + source hits (16)
- [+] Object.getOwnPropertyDescriptormedium · bot-tell×14
  details + source hits (14)
- [+] Object.getOwnPropertyDescriptorsmedium×14
  details + source hits (14)
- [+] Object.getPrototypeOfmedium×5
  details + source hits (5)
- [+] *.__proto__medium×2
  details + source hits (2)
- [+] Object.setPrototypeOfmedium×2
  details + source hits (2)
- [+] Symbol.toStringTagmedium×2
  details + source hits (2)
- [+] *.toStringlow×6
  details + source hits (6)
- [+] Object.createlow×5
  details + source hits (5)
- [+] *.constructorlow×4
  details + source hits (4)
- [+] *.hasOwnPropertylow×3
  details + source hits (3)
- [+] Symbol.iteratorinfo×3
  details + source hits (3)
- [+] Symbol.toPrimitiveinfo×1
  details + source hits (1)
[+] screen
4 apis · 0 tells · 6 hits
- [+] screen.heightlow×2
  details + source hits (2)
- [+] screen.widthlow×2
  details + source hits (2)
- [+] screen.availHeightlow×1
  details + source hits (1)
- [+] screen.availWidthlow×1
  details + source hits (1)
[+] timing
3 apis · 0 tells · 33 hits
- [+] performance.getEntrieslow×2
  details + source hits (2)
- [+] Dateinfo×25
  details + source hits (25)
- [+] Date.nowinfo×6
  details + source hits (6)
[+] storage
2 apis · 0 tells · 13 hits
- [+] *.keyslow×12
  details + source hits (12)
- [+] localStoragelow×1
  details + source hits (1)
[+] css
1 apis · 0 tells · 2 hits
- [+] *.matchesinfo×2
  details + source hits (2)
[+] media
1 apis · 0 tells · 2 hits
- [+] crypto.getRandomValuesinfo×2
  details + source hits (2)
[+] events
1 apis · 0 tells · 6 hits
- [+] *.addEventListenerinfo×6
  details + source hits (6)

bot-detection tells (3)

strong indicators of bot-detection intent. drill into the categories section below to inspect description, evasion notes, and source snippets for any tell.

*.contentWindow ×1
Object.getOwnPropertyDescriptor ×14
document.currentScript ×2

network sinks (1)

every place the script could ship data off the page. expand a row to see headers and the traced payload entries.

[+] xhrPOST ano leaks
url source · a
location · L15:45002
payload · shape json
- <body>: literal challenge shown
```
JSON.stringify(A)
```
```
L.send(JSON.stringify(A))
```

dynamic-execution hazards (1)

anywhere the script puts code beyond static reach. eval, function, document.write, dynamic import. these are the holes script2builtins-runtime would fill.

FunctionL15:7358
`Function` constructor compiles a string into a function. common eval-equivalent in fingerprinting blobs.
```
Function("r","regeneratorRuntime = r")
```