openclaw hit 145,000 github stars in under two weeks. 1.5 million agents on moltbook. steinberger just joined openai. the project is now foundation-backed. the hype is earned. for the first time, there's an ai agent that runs locally, connects to your messaging apps, remembers context across sessions, and takes real actions on your behalf. the excitement makes sense. what doesn't make sense is how people are deploying it. cisco's ai security team tested a third-party openclaw skill and found it performing data exfiltration and prompt injection without the user knowing. security researchers scanned for exposed instances and found over 30,000 openclaw gateways open to the public internet with no authentication. noma security reported that 53% of their enterprise customers gave openclaw privileged system access over a single weekend. a malicious vs code extension called "clawdbot agent" appeared on the marketplace the same day as the moltbot rename, installing remote access trojans. researchers estimated that 12-20% of skills on clawdhub were malicious or vulnerable. one of openclaw's own maintainers posted on discord: "if you can't understand how to run a command line, this is far too dangerous of a project for you to use safely." and that's just the security side. the financial side is wide open. openclaw can browse the web, interact with services, and take actions that cost money. it can make purchases, hit paid apis, trigger compute jobs, and interact with blockchain services. when you give it system-level access with no spending controls, there is nothing stopping it from executing transactions you didn't anticipate, at volumes you didn't budget for, with services you've never heard of. this is the pattern repeating across the entire agent ecosystem. teams get excited about what the agent can do. they give it broad permissions to maximize capability. they skip the part where they define what the agent is allowed to spend, how much, on what, and with whom. then they're surprised when the bill shows up, or worse, when the funds are gone. the capability layer is moving incredibly fast. openclaw proved that. the control layer hasn't kept up. giving an agent the ability to act in the world without defining the financial boundaries of that action is like giving someone your credit card and house keys and saying "do whatever you think is best." the missing piece is a financial control layer between the agent and the economy it operates in. spending limits per agent. budget allocation across tasks. rules about which services and counterparties are approved. real-time monitoring of cumulative spend. the ability to freeze an agent's economic activity instantly when something looks wrong. audit trails for every transaction so you can reconstruct what happened and why. openclaw is a great agent. the problem was never the agent. the problem is deploying any agent, openclaw or otherwise, into an environment where it can spend money without programmatic guardrails. ampersend is building the control layer for this. we're live in closed beta. link in bio to request early access. dms open for questions.