[Blinx]

I'm not very knowledgeable about code injection but I think sm_command is your only worry since it's executing a command without any filtering as far as I know, but stuff like PrintToChat and basically every other function doesn't work like that.

As for your specific worry though, %N is a formatting thing that puts someones name into the string provided a client index, i.e.,

PrintToChat(client, "%N Welcome to the server!", client);

Hopefully someone with more indepth knowledge of sourcepawn can verify these things.