Ambos man mplayer e man mpv alertam sobre a opção -playlist :
--playlist=
Play files according to a playlist file (Supports some common formats. If no format is detected, it will be treated as list of files, separated by newline characters. Note that XML playlist formats are not supported.)
You can play playlists directly and without this option, however, this option disables any security mechanisms that might be in place. You may also need this option to load plaintext files as playlist.
WARNING:
The way mpv uses playlist files via --playlist is not safe against maliciously constructed files. Such files may trigger harmful actions. This has been the case for all mpv and MPlayer versions, but unfortunately this fact was not well documented earlier, and some people have even misguidedly recommended use of --playlist with untrusted sources. Do NOT use --playlist with random internet sources or files you do not trust!
Playlist can contain entries using other protocols, such as local files, or (most severely), special protocols like avdevice://, which are inherently unsafe.
Mas como nos proteger, se nunca vimos o exemplo de arquivos construídos com malícia ?
Eu sei que av://v4l2:/dev/video0 e tv:// ( mpv desativou) podem gravar webcam, mas é possível gravar com silêncio (-novídeo) apenas com nome de arquivo? Ou pode fazer o upload para ip externo com apenas nome de arquivo? Quais são os possíveis nomes de arquivos ou protocolos maliciosos que devemos conhecer?