Yes, macro languages are generally bad. It’s so easy to make use-vs-mention mistakes and accidentally evaluate bad or malicious user input.
There’s a [unintentionally] hilarious paper I once read on “Security Issues in MUSHes” that describes all of these kinds of security holes. What made it hilarious is that they are exactly the same kinds of security holes you get in Unix systems — where a shellscript running setuid to root has a quoting bug so a hacker can pass it input that gives them control over the script — only in this case it’s a more concrete metaphor where for instance you say some magic string to a poorly-coded dragon and suddenly you have total control over the dragon, which has its ‘wizard’ bit set so it can grant you anything you want. It is, literally, black magic.
Raph Levien wrote something about macro languages a while back... here, which I think I’ve linked to before, talking about the monstrosity that is autoconf. (Since then, I’ve used svn quite a bit, and it felt like I got that database recovery message almost twice a day...)