Security issue: browser plugins input
As pointed out by Quovodis, browsers plugins must not be allowed to specify arbitrary input item options. In particular, controlling stream output is a big no no (writting to arbitrary files or to the network from web pages).
As far as I can tell, the simplest solution is to not allow items that start with a colon when initializing libvlc. However, it remains questionable whether even specifying arbitrary inputs should be allowed.