Just because a channel name is provided by the server, it doesn't mean it's safe. As has been mentioned several times, strings like #$someident(param) are evaluated by mirc like normal identifiers (eg try //echo -a #$upper(blah) ).

Now imagine that a malicious person creates the channel #$q (a perfectly legal channel name) and sets it invite-only, then starts advertising it in popular channels. People try to join #$q but because it's +i, the server sends them a 478 reply with $2 being "#$q". /q is one of the default aliases in mirc and looks something like /q /quit $1-. So evaluting #$q will make you quit... using further knowledge about a victim's installed aliases, one could do even worse things. #$input(blah) is another example of the problem, and it's not even an alias.

All this of course assuming the server is trusted. If not, things can be even worse, as a malicious server could fill $2 with more dangerous things (you can squeeze a $findfile that executes arbitrary commands in $2 in a little more elaborate way - this too has been mentioned in the forums).

Arguing about the feasibility of a particular attack is missing the point however. Just because you are unable to think of a plausible attack scenario, it doesn't mean you can go ahead and use $2 carelessly inside /timer. Attackers are imaginative, and it's better to play safe than to try to second-guess them on a case-by-case basis.

/.timerQ 1 0 echo /.timerQ 1 0 $timer(Q).com