Recently I've been doing a pass on my code after I realized a potential security issue with byond links (and I notice in the docs that it didn't escape Dantom either):
There are various ways that a player might generate a link for themselves to click on. If they observe how links are put together, they could conceivably generate a link for themselves to give themselves some access to the internals of the game, or to do damage.
There is a simple way to stop this. Always do a security check on any functionality that is going through Topic() methods. Before a Topic() method does something in your code, it should verify that the usr is someone with permission to give this command.
If you use byond links, your game will be vastly more secure if you stop everything right now and make sure you are covering this. Leaving it for later would not be a good idea, since you might forget.