WaterWall

WaterWall: Blocks prompt injections & malicious contracts for OpenClaw agents on Sui.

Created At

HackMoney 2026

Project Description

🌊 WaterWall: The Security Layer for OpenClaw Agents

🚨 The Problem

In the era of OpenClaw, autonomous agents bring unprecedented convenience. However, as users delegate more authority to AI, they face significant hidden risks. An Agent can be manipulated via Prompt Injection or tricked into executing malicious smart contracts without the user's knowledge. The user often realizes too late, only after their wallet has been drained.

๐Ÿ›ก๏ธ The Solution WaterWall acts as a mandatory security middleware between the OpenClaw Agent and the Sui Blockchain. It ensures that no transaction is signed without passing a safety check.

Core Features:

🚫 Blocks Prompt Injection Attacks: WaterWall analyzes the context of the user's request against the Agent's actions.

Success Case: We successfully demonstrated blocking a hidden injection attack from a malicious phishing site ("BuyVegetables"), preventing the Agent from unauthorized asset transfers.

🛑 Prevents Malicious Contract Execution (Dry Run Enforcement): WaterWall enforces a strict "Simulate First, Sign Later" policy. It automatically performs a Dry Run on every transaction.

If the simulation reveals suspicious outcomes (e.g., wallet draining or interacting with blacklisted contracts), WaterWall aborts the execution instantly to protect the user.

💡 The Name

"Water" represents the Sui ecosystem. "Wall" pays homage to the traditional Firewall. WaterWall is the firewall for the Web3 AI era.

👤 About the Author

k66

I started developing on Sui and Ethereum last year, with a strong focus on on-chain security. I am currently the Co-Founder of SuiAudit, an AI-powered Sui-Move smart contract auditing solution.

I'm passionate about building safer tools for the decentralized future. Let's connect!

How it's Made

๐Ÿ› ๏ธ Tech Stack WaterWall is built using:

2 ways for dry run, using both Sui CLI, and pysui (3rd-party on github)

🔄 User Flow & Test Cases

Case 1: Defending Against Prompt Injection

Scenario: A user employs OpenClaw to shop on a website that contains hidden malicious instructions (e.g., our proof-of-concept demo site: buy-vegetables.vercel.app, where the injection is visible via F12 -> Console).

Defense Mechanism: Before OpenClaw processes the hidden malicious prompt, WaterWall intervenes. As defined in waterwall.py, it performs a Natural Language Intent Analysis, comparing the user's original command against the website's HTML content. If a semantic mismatch or hidden command is detected, the action is blocked immediately.

Case 2: Blocking Malicious Smart Contracts

Scenario: A user attempts to interact with a "Fake Airdrop" contract using OpenClaw.

Defense Mechanism: WaterWall automatically triggers a Sui CLI dry run in the background to simulate the transaction outcome. Upon detecting malicious behavior (such as unauthorized asset draining) in the simulation results, WaterWall rejects the transaction, preventing the user from signing it.
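
The "Simulate First, Sign Later" gate described above can be sketched as a policy function over a dry-run result. This is an added example, not code from waterwall.py. It assumes the result is shaped like the Sui JSON-RPC dry-run response (`effects.status`, `input.transaction.transactions`, `balanceChanges`); the blocklist, outflow cap, addresses and sample results are constructed for illustration.

```python
# Hypothetical policy values for this example, not taken from WaterWall.
BLOCKLIST = {"0xbad"}  # constructed package id
MAX_OUTFLOW = {"0x2::sui::SUI": 2_000_000_000}  # per-coin cap in base units (MIST)
SENDER = "0xa11ce"  # constructed address

def evaluate_dry_run(result, sender):
    """Return (allow, reasons); missing or malformed sections fail closed."""
    reasons = []
    status = result.get("effects", {}).get("status", {}).get("status")
    if status != "success":
        reasons.append(f"simulation status is {status!r}")
    # No Move call may target a blocklisted package.
    txs = result.get("input", {}).get("transaction", {}).get("transactions")
    if txs is None:
        reasons.append("no transaction commands in dry-run result")
    for cmd in txs or []:
        pkg = cmd.get("MoveCall", {}).get("package")
        if pkg in BLOCKLIST:
            reasons.append(f"call into blocklisted package {pkg}")
    # Sum what leaves the sender per coin type; amounts are signed strings.
    changes = result.get("balanceChanges")
    if changes is None:
        reasons.append("no balanceChanges in dry-run result")
    outflow = {}
    for ch in changes or []:
        try:
            amount, coin = int(ch["amount"]), ch["coinType"]
        except (KeyError, TypeError, ValueError):
            reasons.append("malformed balance change entry")
            continue
        owner = ch.get("owner")
        addr = owner.get("AddressOwner") if isinstance(owner, dict) else None
        if addr == sender and amount < 0:
            outflow[coin] = outflow.get(coin, 0) - amount
    for coin, spent in outflow.items():
        cap = MAX_OUTFLOW.get(coin, 0)  # coins without a cap may not leave at all
        if spent > cap:
            reasons.append(f"{coin} outflow {spent} exceeds cap {cap}")
    return (not reasons, reasons)

def sample(package, amount, coin="0x2::sui::SUI", status="success"):
    """Build a constructed dry-run result with one Move call and one balance change."""
    call = {"MoveCall": {"package": package, "module": "m", "function": "f"}}
    change = {"owner": {"AddressOwner": SENDER}, "coinType": coin, "amount": str(amount)}
    return {"effects": {"status": {"status": status}},
            "input": {"transaction": {"transactions": [call]}},
            "balanceChanges": [change]}

if __name__ == "__main__":
    print(evaluate_dry_run(sample("0xc0ffee", -1_500_000_000), SENDER))  # allowed
    print(evaluate_dry_run(sample("0xbad", -9_000_000_000), SENDER))     # rejected
```

The signing step runs only when the first element of the returned tuple is true; the reasons list is what a user or audit log would see on a rejection.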

WaterWall | ETHGlobal