Well, unless they've fixed it, karma was traditionally vulnerable to a CSRF attack, which is sort of why it got turned off on vL. I have no idea if that's been fixed, but I generally just turn off karma. It's easier than letting people abuse it.
Off-site avatars can cause minor privacy issues, like user-tracking, but I don't know of any real danger.
I can't really think of anything serious.