Since I have written the vast majority of the multi-sig part of that plug-in, I feel I need to respond to this.
The plugin works by generating new recieve addresses (beyond the gap limit), and then giving the public key to the user. This is passed into the web site, which creates the P2SH address to send the coin to as well as presenting them with the redeemScript (so that they could verify with the person they were purchasing from that the address was with their public key as well).
When you need to complete a transaction, you are provided with json that looks like
{
"tx": Raw partialy signed transaction ,
"pubKey": "public key that this needs to be signed with",
"input" : {
"txid": tx of funding transaction,
"vout": vout of funding transaction ,
"scriptPubKey": from the funding transaction,
"redeemScript": the redeemscript
},
"wallet": thebitcoin 'address' that pubKey makes
}
The plugin then signs the transaction and allows you to broadcast it or save it. If you used the plugin to create the public key it needs, it will be found automatically. If you created a public key somewhere else when you created the escrow address, then you are prompted to supply private key that will be used to sign the transaction.
The main problem with the implementation is it mixes up your keys for making p2sh wallets and the keys you use to handle your coin. I've suggested to all the users they create a seperate wallet that is only used for signing transactions that is kept offline. A full BIP_32 implementation would be a lot nicer, but the plugin is essentially a quick and dirty hack which allows people to use the site without having to use bitcoin-qt.