External Interactions Review
Last updated: October 19, 2021

External contract interactions are tricky to get right. They require a good understanding of the third-party contracts, correct invocation, and protection against hostile third-party contracts (for example, with reentrancy guards).

Surface all external interactions

A good starting point is to generate a call graph or control flow graph using a Visual Inspection Tool. This will bring up all relevant third-party contracts and exactly which functions are being invoked. Pay extra attention to low-level calls (`call`, `delegatecall`) and to calls made through an interface on an address supplied at runtime: a graph built from the static types shows the interface, not the concrete contract that will actually execute.

Validate that the external contracts are safe

Smart contracts should only rely on audited and reliable external contracts. If there is a need to interact with contracts that do not meet these standards, additional care should be exercised to mitigate the impact an issue can cause. Some external contracts may follow best practice from a code perspective but be fairly centralized in their ownership (for example, an upgradeable proxy or a privileged admin role). In that case it's important to consider possible governance attacks or theft of keys and their implications for your safeguards.

For token contracts specifically, we recommend following the token integration checklist prepared by Trail of Bits.

Understand externally invoked contracts in detail

It's impossible to review external interactions without understanding the contracts that are being invoked in great detail. Follow the process outlined in How to Quickly Understand a Protocol and study each dependency carefully, paying more attention to the relevant modules that are being used.

Review each invocation

Study each invocation, paying special attention to its intended purpose, the arguments passed and the return values (including whether a failed call reverts or merely returns false). Check whether a reentrancy guard is present (it's good practice even if the risk of reentrancy is deemed to be low).

To do this formally, you may elect to conduct a simplified form of Access Control Review, State Transition Review and Flow of Value Analysis for each external contract. The trust or state-machine model in each case focuses on the relevant submodule of the external code.

If possible, use a Transaction Debugger to step through each external call. Doing so for some example transactions will reveal what specific external code is getting invoked and may surface some assumptions that third-party libraries are making about the call site.
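As an added illustration (not part of the original page), the contracts below show a deposit/withdraw wrapper around a third-party ERC20 token before and after the invocation review described above. Everything here is constructed for the example: the `IERC20` subset, `VaultBefore`, `VaultAfter` and the `_callToken` helper are hypothetical names, and the hardened version assumes the external token is either a conforming ERC20 or one that returns no value from `transfer`/`transferFrom`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of the ERC20 interface the example relies on. Assumption: the token
// is a standard ERC20; the "after" version also tolerates tokens that return
// no value from transfer/transferFrom (USDT-style).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// BEFORE: what a first pass of the invocation review flags.
//  - The external contract is chosen by the caller (`token` argument), so a
//    deposit of a worthless token can be credited and later withdrawn as a
//    real one.
//  - transfer()/transferFrom() return values are ignored; a token that returns
//    false instead of reverting lets accounting and real balances diverge.
//  - In withdraw() the interaction happens before the state update and there
//    is no reentrancy guard, so a token with a transfer hook can re-enter while
//    `balances` still shows the pre-withdrawal amount.
contract VaultBefore {
    mapping(address => uint256) public balances;

    function deposit(IERC20 token, uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        balances[msg.sender] += amount;
    }

    function withdraw(IERC20 token, uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        token.transfer(msg.sender, amount);
        balances[msg.sender] -= amount;
    }
}

// AFTER: one vetted token fixed at deployment, checks-effects-interactions,
// return values verified, and a guard on every function that calls out.
contract VaultAfter {
    IERC20 public immutable token;
    mapping(address => uint256) public balances;

    // Hand-rolled guard to keep the example self-contained; OpenZeppelin's
    // ReentrancyGuard is the usual choice in production.
    uint256 private locked = 1;
    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(IERC20 token_) {
        // A low-level call to an address with no code "succeeds" with empty
        // return data, so make sure the dependency is actually a contract.
        require(address(token_).code.length > 0, "token is not a contract");
        token = token_;
    }

    function deposit(uint256 amount) external nonReentrant {
        // Credit what actually arrived, not the requested amount:
        // fee-on-transfer tokens deliver less than `amount`.
        uint256 before = token.balanceOf(address(this));
        _callToken(abi.encodeWithSelector(IERC20.transferFrom.selector, msg.sender, address(this), amount));
        uint256 received = token.balanceOf(address(this)) - before;
        balances[msg.sender] += received;
    }

    function withdraw(uint256 amount) external nonReentrant {
        balances[msg.sender] -= amount; // effect first; reverts on underflow in 0.8
        _callToken(abi.encodeWithSelector(IERC20.transfer.selector, msg.sender, amount)); // interaction last
    }

    // Treat the call as successful only if it did not revert and the token
    // either returned nothing (non-conforming tokens) or returned true.
    function _callToken(bytes memory data) private {
        (bool ok, bytes memory ret) = address(token).call(data);
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "token call failed");
    }
}
```

The comments on `VaultBefore` are the review findings mapped to the steps above: which contract is actually invoked, what the arguments and return values mean, and whether a guard is present. Stepping through a `withdraw()` against a token with a transfer hook in a Transaction Debugger shows the re-entry directly, which is the quickest way to confirm whether the guard in `VaultAfter` is load-bearing or merely defensive.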

Do not ignore economic issues

Use of external contracts is not limited to code-level security threats. Consider scenarios of front-running, token supply manipulation and other economic attacks that could make external calls problematic.

Fuzzing

Consider using Fuzzing if third-party contracts incorporate a significant amount of state (for example, if they are custodial of your contract's assets).
