Forum OpenACS Development: Response to eval, apply (lack of) safety

Posted by Don Baccus on
Interesting.  There was an earlier security problem with "smuggled SQL", so we might as well call your hypothetical approach "smuggled Tcl".

Have you looked to see if eval is actually being used on user arguments?  If so, depending on the type it may or may not be dangerous, i.e. ad_page_contract does basic type checking so you shouldn't be able to smuggle in a Tcl command string where the caller of the eval expects an integer.
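The two cases the reply contrasts, as an added Tcl example that is not part of the thread or of OpenACS: string-built eval lets input that contains a command separator run as Tcl, list-built eval passes the same input as a single argument, and an integer check in the spirit of ad_page_contract's type checking rejects it before eval is reached. The proc names (show_item, is_integer, handle_request) and the input value are assumptions made for the example, not OpenACS APIs.

```tcl
# Added example, not code from the OpenACS thread. The procs below are
# hypothetical; only ad_page_contract is a real OpenACS name, and it is
# not called here.

proc show_item {id} {
    return "item $id"
}

# Constructed input: looks like an id but carries a second command after ";".
set user_input {1; set smuggled yes}

# UNSAFE: eval on a string. The ";" terminates the first command, so the
# remainder of the user-controlled text is parsed and run as Tcl.
set smuggled no
eval "show_item $user_input"
puts "string eval: smuggled=$smuggled"

# SAFER: build the command as a list. The whole input becomes one argument
# of show_item and is never parsed as code.
set smuggled no
set result [eval [list show_item $user_input]]
puts "list eval:   smuggled=$smuggled, result={$result}"

# Type check of the kind ad_page_contract's integer type provides: only a
# plain integer is accepted, so a command string never reaches eval.
proc is_integer {value} {
    return [string is integer -strict $value]
}

proc handle_request {id} {
    if {![is_integer $id]} {
        error "invalid id: expected an integer"
    }
    return [eval [list show_item $id]]
}

puts [handle_request 42]
if {[catch {handle_request $user_input} msg]} {
    puts "rejected: $msg"
}
```

Run with `tclsh` on the file. The point of the list form is that `eval` concatenates its arguments and re-parses the result as a script; a list built with `list` is already properly quoted, so each element stays one word regardless of the characters it contains.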