I wouldn't say you're absolutely "safe", because you're never technically safe if you accept user input in a SQL query (even if you've manipulated it... when there's a will, there's a way).
Once you relinquish control over what is given to your application, you must be very careful how you deal with that data so that you don't open yourself up to an injection attack.
XSS Clean will help with POST
or cookie data -- it does not run automatically on GET
variables. I would manually run $data = $this->security->xss_clean($data);
on the input if it's from the GET
array.