Eric Warnke has discovered that, if asked nicely, SSHKeychain will print out the passphrase used to encrypt a loaded private key. This is bad, as the whole point of an ssh agent/keychain is to provide secure access to encrypted keys, meaning you cannot get the passphrases or plaintext keys out.

http://www.sshkeychain.org/pipermail/users/2007-August/000098.html

Crud on a cracker, Batman!

Verified in the latest (v0.8.1) -- hopefully there will be a patch soon, but this just shouldn't be possible.

http://www.sshkeychain.org/