The most obvious that comes to mind is eval. However a custom function could also be dangerous, e.g. a function that posts some sensetive information to a REST API where the attacker can control the variable that defines the API endpoint address and thus can send the information to themselves.
