and 2) this opens a whole new playground for NoSQL injections: I don't know a lot (well. anything) about lua embedding, but I could imagine that these lua scripts somehow could get access to the file system. This means that you have to be really, really careful not to expose redis to the outside world and not to have it execute injected commands.
Also, LUA is a very small at core and I don't think it by default includes things like file system access. You pretty much just get what the host applications gives you, which in this case seems to be just the Redis API.
Secondly, it does include filesystem access by default, and right now there is no decent protection against it. Hopefully, sandboxing will be implemented before this reaches anything related to stable.
Sandboxing Lua does seem quite easy though: http://stackoverflow.com/questions/1224708/how-can-i-create-...