The user's password is copied from PAM to expect's
space to send to the ssh-add utility. Both PAM and
ssh-add are smart enough to wipe the memory the user's
password is stored in, but expect is not. This means
that the user's password may be left in memory (in
cleartext) potentially long after login, and thus
malicious programs can easily sniff out and find it.
I'm not sure how much of a real problem this is, but
every text I know of that covers passwords recommends
wiping clean any and all memory used to store the clear
text problem to avoid the risk of memory being scanned
by malicious code.