
OpenClaw in 2026: Tool Whitelist & Sub-Agent Parallelism — tools.profile, sessions_spawn, maxSpawnDepth Troubleshooting, Minimal-Permission Templates, Multi-Region Mac mini M4 Long-Job Fan-Out FAQ

📅 April 30, 2026 · 8 min read · Allowlists, spawn limits, and spreading heavy macOS work across regions

In 2026, OpenClaw operators rarely debate “whether agents are useful”; they debate how much power each session should carry. Tool allowlists, explicit tools.profile choices, and guarded sessions_spawn paths decide whether parallel sub-agents speed work up or amplify mistakes. maxSpawnDepth is the circuit breaker that keeps recursion honest. This FAQ maps the usual denial messages to fixes, offers a minimal-permission profile template you can copy, and closes with a multi-region Mac mini M4 cloud Mac pattern for spreading long macOS jobs without turning one gateway into a bottleneck.

Diagram: operators and CI connect over SSH to a dedicated Mac mini in a data center, with optional VNC for GUI prompts.
Keep gateway, workspace, and spawned sessions on hosts you can SSH to with the same policy files; surprises usually mean drift between machines.

1. Mental model: profiles first, spawn second, depth last

Treat tools.profile as the contract that lists which builtins, skills, and OS affordances a session may touch. sessions_spawn then answers “may this session start another session with its own budget?” maxSpawnDepth caps how deep that tree may grow. When errors appear out of order — for example spawn succeeds but tools fail — the root cause is often a profile mismatch between parent and child, not “OpenClaw broke.” Align manifests on the same host, then re-run your health command from both shells. For workspace trust and Skills onboarding, pair this page with OpenClaw Skills & workspace onboarding FAQ.

2. Minimal-permission template around tools.profile

Start from a read-only research profile: filesystem reads limited to the workspace root, network egress restricted to your package registry and model endpoint, and shell execution limited to a small set of verbs you already use in CI. Add one capability at a time under a named profile so reviewers can diff the change. Keep secrets out of prompts; mount them the same way you would on a self-hosted runner. A practical skeleton is: default deny → explicit allowlist for git, curl/wget, your build driver, and any skill-specific binaries → a separate “release” profile that adds signing tools only on hosts that already hold the signing identities.

3. sessions_spawn: typical denials and what they mean

Operators most often hit “spawn not permitted for this profile” when the parent profile forgot to include the spawn capability, or when an orchestrator template still points at an older policy file. “Session budget exceeded” signals you are fanning out faster than your gateway’s configured concurrency — fix with queueing or by moving embarrassingly parallel work to additional dedicated hosts. “Child session failed during bootstrap” usually means PATH, locale, or workspace env differs between login and non-login shells; export the same snippet you use for CI before invoking spawn. When you need visibility into instances, storage, and SSH/VNC hygiene on vpszap metal, read Running OpenClaw on vpszap Cloud: Instances, Storage, SSH/VNC & Observability.
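Both the bootstrap denial above and the parent/child profile mismatch from section 1 usually come down to drift: a non-login shell that lacks the PATH and locale your login shell has, or one host whose policy file quietly differs from the others. The Python below is an added example for this page, not OpenClaw's own tooling. It diffs two `env` dumps for the bootstrap-relevant variables, emits the export snippet to run before spawn, and flags hosts whose policy file hash disagrees with the majority. The host names, the environment dumps, and the placeholder policy text are constructed for the example; on a real fleet you would feed it the output of `ssh host env` (non-login) against `ssh host 'zsh -lc env'` (login), plus each host's real policy file contents.

```python
import hashlib
import shlex
from collections import Counter
from typing import Dict, Iterable, Tuple

# Variables that decide whether a freshly spawned child can even find its tools.
BOOTSTRAP_KEYS = ("PATH", "LANG", "LC_ALL", "HOME")


def parse_env(dump: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines as printed by `env`; anything else is ignored."""
    env = {}
    for line in dump.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            env[key.strip()] = value
    return env


def env_diff(login: Dict[str, str], nonlogin: Dict[str, str],
             keys: Iterable[str] = BOOTSTRAP_KEYS) -> Dict[str, Tuple]:
    """Bootstrap-relevant variables whose value differs between the two shells
    (None means unset). Order follows `keys`, so PATH is reported first."""
    return {k: (login.get(k), nonlogin.get(k))
            for k in keys if login.get(k) != nonlogin.get(k)}


def bootstrap_snippet(login: Dict[str, str], diff: Dict[str, Tuple]) -> str:
    """Shell lines that make the non-login shell match the login shell for the
    differing keys. The same snippet belongs in CI and in front of every spawn."""
    return "\n".join(f"export {k}={shlex.quote(login[k])}" for k in diff if k in login)


def policy_drift(policies: Dict[str, str]) -> Dict[str, str]:
    """policies maps host -> policy file text. Returns {host: short sha256} for
    hosts whose file does not match the majority; with no strict majority every
    host is reported, because nothing can be called canonical."""
    digests = {h: hashlib.sha256(t.encode()).hexdigest() for h, t in policies.items()}
    top, n = Counter(digests.values()).most_common(1)[0]
    if n * 2 <= len(digests):
        return {h: d[:12] for h, d in digests.items()}
    return {h: d[:12] for h, d in digests.items() if d != top}


# Constructed samples standing in for a login-shell and a non-login-shell `env`.
LOGIN_ENV = """PATH=/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin
LANG=en_US.UTF-8
HOME=/Users/ci
SHELL=/bin/zsh
"""
NONLOGIN_ENV = """PATH=/usr/bin:/bin:/usr/sbin:/sbin
HOME=/Users/ci
SHELL=/bin/zsh
"""

# Placeholder policy text (constructed); only its bytes matter here, not its syntax.
POLICY = "default: deny\nallow: git curl\n"
POLICIES = {  # hypothetical host names
    "mac-sin-01": POLICY,
    "mac-tyo-01": POLICY + "allow: xcrun\n",  # one host was widened by hand
    "mac-usw-01": POLICY,
}


def report() -> dict:
    login, nonlogin = parse_env(LOGIN_ENV), parse_env(NONLOGIN_ENV)
    diff = env_diff(login, nonlogin)
    return {
        "env_diff_keys": sorted(diff),
        "snippet": bootstrap_snippet(login, diff),
        "drifted_hosts": sorted(policy_drift(POLICIES)),
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

Run it as-is to see the constructed drift; the export snippet it prints is what the page means by "export the same snippet you use for CI before invoking spawn", and the drifted host is the one whose policy file should be reverted or deliberately promoted to the others.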

4. maxSpawnDepth: recursion, fan-out, and the errors that matter

Depth exceeded almost always means an agent is delegating to another agent that delegates again without a terminating plan — tighten prompts, lower depth while debugging, or replace deep chains with a single coordinator session plus idempotent scripts. Shallow depth with wide breadth is often healthier: one parent, many siblings, each with a narrow profile. If siblings contend for disk or Xcode-derived data, budget NVMe headroom and remote-cache placement the same way you would for any parallel CI pool so tool calls are not fighting the same working tree.

  • Parent and child reference the same policy file path on disk
  • Spawn budget documented next to gateway CPU and SSD targets
  • Depth turned down during incident response, restored after graphs are stable
  • Each child has a single owner queue to avoid double-scheduling the same repo checkout
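
The checklist above, together with the denials in section 3, reduces to an ordered set of checks at spawn time: profile checks first (does the parent hold the spawn capability, and does the child stay within the parent's allowlist), then depth, then budget. The model below is an added example written for this page, not OpenClaw's implementation. The `Gateway` and `Profile` classes, the tool names, the rule that a child profile may not add tools its parent lacks, and the depth convention (the operator-started coordinator sits at depth 0, so maxSpawnDepth=1 lets it fan out but stops its children from delegating) are all assumptions made for illustration. It reuses the page's denial strings so you can see which check fires first when several are violated at once, and why wide-and-shallow fan-out passes where a two-level chain is cut off.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Profile:
    """The contract a session carries: an explicit tool allowlist (everything
    absent is denied) plus whether the session may start other sessions."""
    name: str
    tools: frozenset
    can_spawn: bool = False


@dataclass
class Session:
    sid: int
    profile: Profile
    depth: int                                   # 0 = operator-started coordinator
    children: List["Session"] = field(default_factory=list)


class SpawnDenied(Exception):
    """Raised with the same wording as the denials listed in section 3."""


class Gateway:
    """One gateway: a concurrency budget plus the maxSpawnDepth circuit breaker."""

    def __init__(self, max_spawn_depth: int, session_budget: int):
        self.max_spawn_depth = max_spawn_depth
        self.session_budget = session_budget
        self.live: Dict[int, Session] = {}
        self._next_sid = 0

    def _new(self, profile: Profile, depth: int, parent: Session = None) -> Session:
        s = Session(self._next_sid, profile, depth)
        self._next_sid += 1
        self.live[s.sid] = s
        if parent is not None:
            parent.children.append(s)
        return s

    def start(self, profile: Profile) -> Session:
        """Operator-started coordinator; it counts against the budget like any session."""
        if len(self.live) >= self.session_budget:
            raise SpawnDenied("Session budget exceeded")
        return self._new(profile, 0)

    def spawn(self, parent: Session, child: Profile) -> Session:
        # 1. profile contract: the parent must carry the spawn capability
        if not parent.profile.can_spawn:
            raise SpawnDenied("spawn not permitted for this profile")
        # 2. no widening down the tree (assumption of this model, not an OpenClaw rule)
        widened = child.tools - parent.profile.tools
        if widened:
            raise SpawnDenied(f"child profile {child.name!r} adds tools the parent lacks: {sorted(widened)}")
        # 3. depth circuit breaker
        if parent.depth + 1 > self.max_spawn_depth:
            raise SpawnDenied("Depth exceeded")
        # 4. concurrency budget: the fix is queueing (finish before spawn) or more hosts
        if len(self.live) >= self.session_budget:
            raise SpawnDenied("Session budget exceeded")
        return self._new(child, parent.depth + 1, parent)

    def finish(self, session: Session) -> None:
        """Release a slot so a queued spawn can proceed."""
        self.live.pop(session.sid, None)


def tool_allowed(session: Session, tool: str) -> bool:
    """Default deny: only tools named in the session's profile may be called."""
    return tool in session.profile.tools


def try_spawn(gw: Gateway, parent: Session, child: Profile) -> str:
    try:
        gw.spawn(parent, child)
        return "ok"
    except SpawnDenied as e:
        return str(e)


# Hypothetical profiles following the section 2 skeleton.
RESEARCH = Profile("research", frozenset({"git", "curl", "swift"}))
COORDINATOR = Profile("coordinator", RESEARCH.tools, can_spawn=True)
DELEGATOR = Profile("delegator", RESEARCH.tools, can_spawn=True)
RELEASE = Profile("release", frozenset({"git", "codesign"}))   # signing tool the parent lacks


def demo() -> dict:
    gw = Gateway(max_spawn_depth=1, session_budget=5)
    root = gw.start(COORDINATOR)
    out = {}
    siblings = [gw.spawn(root, RESEARCH) for _ in range(3)]     # wide and shallow: allowed
    out["siblings"] = len(siblings)
    out["sibling_spawn"] = try_spawn(gw, siblings[0], RESEARCH)  # research cannot spawn at all
    mid = gw.spawn(root, DELEGATOR)                              # fifth live session
    out["deep_chain"] = try_spawn(gw, mid, RESEARCH)             # depth 2 > maxSpawnDepth
    out["over_budget"] = try_spawn(gw, root, RESEARCH)           # budget of 5 is full
    out["widened"] = try_spawn(gw, root, RELEASE)                # widening fails before budget
    gw.finish(siblings[0])                                       # queueing: free a slot first
    out["after_finish"] = try_spawn(gw, root, RESEARCH)
    out["codesign_in_research"] = tool_allowed(siblings[1], "codesign")
    out["git_in_research"] = tool_allowed(siblings[1], "git")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the widening check runs before the budget check, a release profile handed to a coordinator that never held signing tools is refused with a profile error even when the gateway is saturated; that ordering is what lets you read the first denial as the real cause rather than a symptom of load.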

5. Case study: long jobs across six-region M4 cloud Macs

Picture nightly analysis that mixes clone, static analysis, and multi-hour builds. Instead of stacking every phase on one gateway Mac, place stage-specific dedicated Mac mini M4 hosts in Singapore, Tokyo, Seoul, Hong Kong, US West, and US East according to where your data and reviewers live. A coordinator session (strict profile, spawn allowed) dispatches child sessions on regional hosts with profiles that only include the tools needed for that stage — clones near the artifact registry, builds near the largest working trees. The gateway stays a control plane; heavy IO happens next to the NVMe that holds the checkout. Measure RTT and cache hits before you celebrate parallelism.

Diagram: Singapore, Tokyo, Seoul, Hong Kong, US West, US East regions for choosing low-latency cloud Mac placement.
Fan-out across regions only helps when each host’s profile, disk, and registry distance match the work you placed there.

6. Close the loop

Publish a one-page matrix: profile name, allowed tools, spawn yes/no, max depth, and which region owns which stage. Re-run your health checks after every upgrade, and snapshot disk before widening profiles. When the matrix stays boring, parallel agents stay safe.

On vpszap cloud hardware, this playbook is easier

The workflows above assume dedicated Apple Silicon hosts you control end to end, with clear SSH boundaries per region. vpszap provides physical M4 Mac mini machines — no virtualization, no noisy neighbors — with about five minutes from order to working SSH and VNC. Billing is flexible by the day, week, month, or quarter, with no long-term contract, and nodes across Singapore, Tokyo, Seoul, Hong Kong, US West, and US East so you can place coordinators and workers where latency and storage make sense.

If you want spawn-friendly automation sitting on the same class of metal your release train already trusts, vpszap cloud Mac mini is a low-friction place to start.


Activate your cloud Mac in ~5 minutes

Rent by the day, no long-term contract. Return to the homepage to learn more about the product and OpenClaw.