The plugin maintains a list of 'known vulnerable functions'. It then scans the binary and makes a list of any calls to those functions and their addresses for further investigation.
The plugin has a list of functions that it knows return input from a user (gets/socket recv/etc.) and similarly reports them for further investigation.
Could operate in a couple different ways: