I'm not very knowledgeable about code injection but I think sm_command is your only worry since it's executing a command without any filtering as far as I know, but stuff like PrintToChat and basically every other function doesn't work like that.
As for your specific worry though, %N is a formatting thing that puts someone's name into the string provided a client index, i.e.,
PrintToChat(client, "%N Welcome to the server!", client);
Hopefully someone with more in-depth knowledge of SourcePawn can verify these things.