Agency Without Assurance: The Security Risks of OpenClaw