It's been pointed out an awful lot of times, but I'll point it out again:
passing unknown content to /timer can be dangerous. In this case $2 is just a single word, which limits serious attacks like $findfile to mere annoyances (counting the number of files in C:
can be pretty annoying though!), if you ignore aliases. If the attacker knows that the victim has a potentially dangerous alias, they can use that. In this case somebody could type "!gag $p" and have the bot part the channel or something like that. I think you get the point.
I realise it may not be easy for an inexperienced scripter to properly escape stuff passed to /timer, so here's an alias that should help:
; it's important to keep the spacing exactly as it is
alias safe return $!decode( $encode($1,m) ,m)
Then one can use $safe($2) instead of $2 in /timer, /scon or /scid.
The only problem with that is having $encode/$decode disabled for security reasons (a somewhat ironic situation). In such cases, the following (uglier, slower and more prone to hit the maximum-string-length limit) alternative could be used:
alias safe2 bset -tc &a 1 $1 | return $!regsubex(safe, $bvar(&a,1-) ,/(\d+)(?: |$)/g,$chr(\1))
Edit: this recent report implies that even single-word identifiers like $2 can be used to execute arbitrary commands, which makes escaping them even more important.Edit 2: added -c switch in /bset to avoid problems with multiple calls in the same script (thanks Wims)