Have a look at
https://en.wikichip.org/wiki/mirc/msl_injection for some examples of things to watch out for in scripts. Some of these issues are caused simply by people writing their own scripts in a careless manner, but these things can be found in publicly available scripts that people innocently don't know have these types of problems. While the scripts work perfectly fine when used as intended, you must be careful about how you use timers, specifically in how you use text not created by you. As you can see from these examples, even $calc could be used against you in a limited context.
You can create aliases to defend against some of the built-in /commands, but not against $identifiers. However, the ! prefix would make even this defense pointless. For example, "run" was one of the commands on the old list being blocked. You could make this alias which would intercept a script trying to use "run something", and would block it unless it did "run password something". However, if they used "!run something" it would execute the built-in identifier without checking for the existence of this alias, in the same way this alias evades another alias created to alter the format of the /echo command.
run {
!if ($1 != password) { !echo -a halt: attempt to use /run command without password! | !halt }
!run $2-
}
Some of the other things on the old "block" list were identifiers, which you can't intercept using an alias. You create an "alias decode" to intercept "/decode parameters", but it can't intercept "$decode(parameters)".