What I found scanning 3 AI agent codebases for unguarded tool calls

669 functions that can write to a database, delete files, charge a card, spawn a subprocess, or hand control to another agent. 553 of them had no guard of any kind. No input validation, no auth check, no rate limit, no confirmation step. Nothing between the model's decision and the side effect. That is 83%. None were confirmed. I got these numbers by pointing a static analyzer at three open-source TypeScript AI agent codebases and counting. Not a pen test. Not a CVE hunt. An inventory of what each agent can do and which of those capabilities have a control in the code.