The Cycle query builder automatically binds every value you use as a parameter of the prepared statement. Column and table names, however, are not parameters: they are inserted into the SQL text, so identifiers have to be escaped and validated at the application level.
Avoid using user-provided identifiers without a proper whitelist:
$users = $userRepository->select();
$users->where($userParam, '=', $value); // possible SQL injection
Avoid using user-provided values in orderBy as well, since both the column and the direction become part of the SQL text:
$users->orderBy($userParam, $userDirection); // possible SQL injection
The same goes for the aggregation methods sum, avg, min, and max, whose argument is a column identifier.
Never place user input inside Fragment and Expression wrappers: their contents are emitted into the SQL verbatim, without parameter binding:
$users->where($name, '=', new \Cycle\Database\Injection\Expression("CONCAT($userValue)")); // possible SQL injection
The ORM will not allow you to pass an array as a plain value; arrays must be wrapped in a Parameter object:
$users->where($id, 'IN', [1, 2, 3]); // compile exception
$users->where($id, 'IN', new \Cycle\Database\Injection\Parameter([1, 2, 3])); // valid approach
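Putting these rules together, the following is an added example (not code from the Cycle project or its documentation) of resolving user-supplied column and sort-direction names through an allow-list and wrapping an array in Parameter. It assumes $userRepository is a Cycle ORM repository whose select() returns the query builder shown above; USER_SORTABLE_COLUMNS, resolveColumn and resolveDirection are hypothetical helpers defined here, and $request is constructed sample input.

```php
<?php
// Added example: user-controlled identifiers never reach the builder directly.
// Assumes $userRepository is a Cycle ORM repository (as on the page).
use Cycle\Database\Injection\Parameter;

/** Hypothetical allow-list: request keys mapped to the real column identifiers. */
const USER_SORTABLE_COLUMNS = [
    'name'    => 'name',
    'email'   => 'email',
    'created' => 'created_at',
];

/** Map an untrusted identifier to a known column; reject anything else. */
function resolveColumn(string $untrusted, array $allowList): string
{
    if (!array_key_exists($untrusted, $allowList)) {
        throw new InvalidArgumentException("Unknown column: {$untrusted}");
    }
    return $allowList[$untrusted];
}

/** Only the two literal directions are ever emitted; user text is not passed through. */
function resolveDirection(string $untrusted): string
{
    return strtoupper($untrusted) === 'DESC' ? 'DESC' : 'ASC';
}

// Constructed request values standing in for $userParam / $userDirection / $value.
$request = ['sort' => 'created', 'dir' => 'desc', 'filter' => "O'Brien", 'ids' => [1, 2, 3]];

$users = $userRepository->select();

// Identifiers come from the allow-list; the filter value is bound by the prepared statement.
$users->orderBy(
    resolveColumn($request['sort'], USER_SORTABLE_COLUMNS),
    resolveDirection($request['dir'])
);
$users->where(resolveColumn('name', USER_SORTABLE_COLUMNS), '=', $request['filter']);

// Arrays must be wrapped in Parameter; a bare array raises a compile exception.
$users->where('id', 'IN', new Parameter($request['ids']));

$result = $users->fetchAll();
```

A request value that is not a key of the allow-list is rejected before any SQL is built, so misspelled or hostile identifiers never reach the database.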