Okay, first off, that’s an incredibly badly made theme. Your item number 2 there indicates to me that he is making AJAX calls in entirely the wrong way.
Secondly, look for anything in the theme that is using http but not in a link. allow_url_include basically lets you include some PHP from a remote site, which is indeed bad, but he might just be using it wrong.
If the theme was freely available, I could look at it and give you more information. Is this theme available for download?
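The search suggested above ("anything in the theme that is using http but not in a link"), as an added example that is not part of the original reply: a small Python scanner that flags quoted URLs in theme PHP files, skips those that are `href`/`src`/`action` values, and marks the ones passed to `include`/`require`. The sample theme source, the `example.invalid` URLs and the function names are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# A quoted string literal that starts with a URL scheme.
URL = re.compile(r"""["'](?:https?|ftp)://[^"']*["']""", re.I)
# include / require / include_once / require_once
INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\b", re.I)
# Text ending in href=" / src=" / action=" means the URL is an ordinary link.
LINK_ATTR = re.compile(r"""\b(?:href|src|action)\s*=\s*\\?["']\s*$""", re.I)

def scan_source(text):
    """Return (line_no, kind, line) for quoted URLs that are not link attributes."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in URL.finditer(line):
            if LINK_ATTR.search(line[:m.start() + 1]):
                continue  # value of href/src/action: a link, not code fetching a URL
            # A URL handed to include/require only works with allow_url_include on.
            kind = "remote-include" if INCLUDE.search(line[:m.start()]) else "url-in-code"
            findings.append((no, kind, line.strip()))
    return findings

def scan_theme(root):
    """Scan every .php file under a theme directory; return {path: findings}."""
    results = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample, not taken from any real theme.
SAMPLE = '''<?php
include "http://example.invalid/lib/helpers.php";
$feed = file_get_contents('http://example.invalid/feed.xml');
?>
<a href="http://example.invalid/about">About</a>
<script src="https://example.invalid/app.js"></script>
<?php require_once(dirname(__FILE__) . "/inc/ajax.php"); ?>
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_theme(sys.argv[1]).items():
            for no, kind, line in hits:
                print(f"{path}:{no}: [{kind}] {line}")
    else:
        for no, kind, line in scan_source(SAMPLE):
            print(f"sample:{no}: [{kind}] {line}")
```

Run it with the theme directory as the only argument; with no argument it scans the constructed sample. It only sees URLs written as string literals, so an include whose URL is built in a variable still needs a manual read.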