View Full Version : Secure output of custom bbcode


kaldorei14
12-12-2014, 08:39 AM
I created a plugin using the hook locations bbcode_create and bbcode_fetch_tags and a .php file to handle a custom bbcode. What should I do to secure the output? For example, do I need to call xss_clean() or filter htmlspecialchars?

Dave
12-12-2014, 08:48 AM
Check the do_clean function in includes/class_core.php.

If you defined the type as TYPE_NOHTML, it will do:
htmlspecialchars_uni(trim(strval($data)))

Call it like do_clean($variable, TYPE_NOHTML);

kaldorei14
12-12-2014, 07:02 PM
Thanks, I'll try it.
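
An added example, not code from the thread or from vBulletin: a stand-alone PHP sketch of a custom bbcode handler that applies the cast, trim and escape steps Dave quotes for TYPE_NOHTML to each piece of user input before it is written into HTML. The [note=Title]text[/note] tag, the function names and the handler signature are hypothetical, the handler is assumed to receive raw user input, and plain htmlspecialchars() stands in for htmlspecialchars_uni() so the file runs outside vBulletin.

```php
<?php
// Stand-in for the TYPE_NOHTML cleaning quoted in the thread:
// htmlspecialchars_uni(trim(strval($data))). Plain htmlspecialchars()
// is used here (assumption) so the example runs without vBulletin.
function clean_nohtml($data)
{
    return htmlspecialchars(trim(strval($data)), ENT_QUOTES, 'UTF-8');
}

// Hypothetical handler for a custom [note=Title]text[/note] tag.
// $value is the text between the tags, $option is the part after "=".
function render_note_unescaped($value, $option)
{
    // User input is concatenated straight into an attribute and into
    // element content, so quotes and angle brackets change the markup.
    return '<div class="note" title="' . $option . '">' . $value . '</div>';
}

function render_note_escaped($value, $option)
{
    // Each piece is escaped at the point where it enters the HTML.
    // ENT_QUOTES matters for $option because it sits inside an attribute.
    return '<div class="note" title="' . clean_nohtml($option) . '">'
        . clean_nohtml($value) . '</div>';
}

// Constructed sample input: a quote that closes the title attribute
// early, and markup inside the tag body.
$option = 'x" data-injected="1';
$value  = '  Tom & <b>Jerry</b>  ';

echo "unescaped: ", render_note_unescaped($value, $option), PHP_EOL;
echo "escaped:   ", render_note_escaped($value, $option), PHP_EOL;

// The escaped output must contain exactly the two attributes the
// handler itself wrote (class and title) and no user-supplied tags.
$escaped = render_note_escaped($value, $option);
if (substr_count($escaped, '="') !== 2 || strpos($escaped, '<b>') !== false) {
    fwrite(STDERR, "escaping check failed" . PHP_EOL);
    exit(1);
}
echo "escaping check passed", PHP_EOL;
```

If the bbcode parser has already escaped the text it hands to the handler, escaping again will double-encode it, so check what the handler actually receives before adding this step.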