video-download

Warn

Audited by Socket on Apr 11, 2026

2 alerts found:

Anomaly x2

Anomaly LOW
scripts/download-fallback.sh

This appears to be a functional third-party automation/downloader rather than an explicit malware implant, with no obvious credentials or persistence. However, it introduces meaningful security risk: it executes JavaScript in a remote page context (agent-browser eval) and then downloads content from a URL extracted from untrusted remote state without strong allowlisting/validation. If greenvideo.cc or the page state is compromised or returns unexpected values, the host running the script could download unintended content from arbitrary network locations and write it to the filesystem (operator-controlled directory).

Confidence: 64%; Severity: 62%

Anomaly LOW
SKILL.md

SUSPICIOUS. The primary yt-dlp path is coherent and mostly benign, but the Douyin/TikTok fallback is a material inconsistency: it sends URLs and browser-driven session context through an unrelated third-party site (`greenvideo.cc`) instead of official endpoints. Cookie-based retry is somewhat proportionate for restricted downloads, yet combining browser cookie access, untrusted browser automation, and third-party parsing raises medium-high security risk.

Confidence: 89%; Severity: 68%

Audit Metadata

Analyzed At: Apr 11, 2026, 01:35 AM
Package URL: pkg:socket/skills-sh/ArcoCodes%2Frenoise-plugins-official%2Fvideo-download%2F@c258f5634361ef7bcc39e025da620d28de827dc8