Researchers have warned OpenClaw users after malicious skills surfaced on ClawHub, exposing supply chain risks tied to weak plugin reviews.