Skills¶
Skills are guided multi-step workflows that an AI agent loads when it recognizes a matching user request. Each skill is a Markdown file (SKILL.md) with YAML frontmatter that lives under skills/ in the repository — the same file is consumed by Claude Code, Cursor, and any MCP client that supports the Anthropic skill spec.
The Zscaler MCP Server ships 42 skills across 8 services and one cross-product workflow.
How skills work¶
Each skill has a name, a description (the trigger phrases an admin would use), and a body of step-by-step instructions that reference specific tool names. The matching client auto-activates the skill when the user’s prompt fits the description, so an admin can say “block ChatGPT for everyone” and the matching zia-create-cloud-app-control-rule skill runs without anyone having to remember the tool sequence.
Skills are organized by service. The skills/ directory tree:
skills/
├── zpa/ # 11 skills — application onboarding, policy rules
├── zia/ # 12 skills — rule creation, lookups, schedules
├── zdx/ # 7 skills — user experience, deep traces, alerts
├── zms/ # 5 skills — microsegmentation audits, agents
├── zins/ # 4 skills — analytics, shadow IT, incidents
├── easm/ # 1 skill — attack surface review
├── zcc/ # 1 skill — logout OTP for offboarding
└── cross-product/ # 1 skill — end-to-end user connectivity
ZPA — Zscaler Private Access (11 skills)¶
Skill |
What it does |
|---|---|
|
Walk through the full onboarding chain for a standard ZPA application segment: app connector group → server group → segment group → application segment → access policy rule. |
|
Onboard a Browser Access (BA) application segment, including BA certificate selection. |
|
Onboard a Privileged Remote Access (PRA) application segment, including PRA portal + credentials. |
|
Create an access policy rule with v2 conditions (APP, APP_GROUP, SAML, SCIM, SCIM_GROUP, PLATFORM, COUNTRY_CODE, POSTURE, TRUSTED_NETWORK, RISK_FACTOR_TYPE, CLIENT_TYPE, MACHINE_GRP, LOCATION, CHROME_ENTERPRISE). |
|
Create a conditional access rule that combines identity + device + network conditions. |
|
Create a client forwarding policy rule. |
|
Create a server group with the right app-connector-group association and optional servers. |
|
Create a session duration policy rule (also known as Re-Auth policy). |
|
Create a timeout policy rule for idle-session disconnect. |
|
Audit a tenant against ZPA security baseline (default rules, posture profiles, isolation policies). |
|
Diagnose app connector connectivity and health. |
ZIA — Zscaler Internet Access (12 skills)¶
Skill |
What it does |
|---|---|
|
Create a URL filtering rule with action (ALLOW / BLOCK / CAUTION / ISOLATE), scoped by category, user, group, location, device trust level, and optional schedule. |
|
Create a Cloud Firewall rule (network services, network apps, IP groups, time windows, locations, users). |
|
Create an SSL Inspection policy rule. Auto-resolves friendly cloud-app names to canonical enums. |
|
Create a Cloud App Control rule for a specific application class (file sharing, social, AI/ML, etc.). |
|
Onboard a new ZIA location: static IP → VPN credential → location, in the right order. |
|
Audit which categories, applications, and URL classifications are bypassed in SSL Inspection. |
|
Determine whether a given user can reach a given URL (URL categorization + rule simulation). |
|
Pull a Sandbox report for an MD5/SHA-256 and surface the verdict. |
|
Look up a URL’s category, super-category, and any custom-category overrides. |
|
Resolve a friendly cloud-application name (e.g. |
|
Resolve user / group / department / location / time-window names to the IDs the rule API requires. |
|
Create / update / list reusable Time Interval objects referenced by policy rules via the |
ZDX — Digital Experience (7 skills)¶
Skill |
What it does |
|---|---|
|
Investigate a user’s experience: device health, app scores, network path, active alerts. |
|
Score an application across the user base and surface affected users / locations. |
|
Compare experience metrics across two or more office locations. |
|
Walk active and historical alerts, with affected devices and root-cause hints. |
|
Correlate scores across multiple applications to identify a common path-of-failure. |
|
Start a deep trace, wait for the result, and interpret the trace output. |
|
Inventory installed software across the device fleet and identify outdated or unauthorized packages. |
ZMS — Microsegmentation (5 skills)¶
Skill |
What it does |
|---|---|
|
Audit the microsegmentation posture across resources, policy rules, and agent groups. |
|
Walk the active policy rules and flag default-allow / overly-broad CIDRs. |
|
Surface unprotected workloads (resources without applicable policy rules). |
|
Audit the tag-namespace hierarchy and surface unclassified resources. |
|
Diagnose ZMS agent enrollment and connection issues. |
Z-Insights — Analytics (4 skills)¶
Skill |
What it does |
|---|---|
|
Walk a security incident across firewall, threats, and cyber-incident streams. |
|
Surface unsanctioned applications discovered by Z-Insights with risk scoring. |
|
Break down web traffic by protocol, location, and content category. |
|
Score the tenant against firewall posture and surface high-risk gaps. |
EASM — Attack Surface (1 skill)¶
Skill |
What it does |
|---|---|
|
Review external attack surface findings, lookalike domains, and surface critical exposures. |
ZCC — Client Connector (1 skill)¶
Skill |
What it does |
|---|---|
|
Generate a logout OTP for offboarding a ZCC-enrolled device. |
Cross-product (1 skill)¶
Skill |
What it does |
|---|---|
|
End-to-end user connectivity troubleshooting that combines ZCC (device), ZDX (experience), ZPA (private apps), and ZIA (internet) data into a single root-cause analysis. |
Skill chaining¶
Some skills are deliberately small and intended to chain — the parent skill recognizes when a sub-step needs work, and the agent loads the matching helper skill. The most-used chains today:
zia-look-up-rule-targets— chained from every ZIA rule-creation skill to resolve user / group / location names to IDs.zia-look-up-cloud-app-name— chained from SSL Inspection / Web DLP / Cloud App Control / File Type Control rule creation to resolve friendly app names to canonical enums.zia-manage-time-interval— chained when a rule needs a recurring schedule.
Skill frontmatter constraints¶
The Anthropic skill spec enforces a hard ceiling on the YAML frontmatter description field of 1024 characters. Skills exceeding this are rejected by the Claude skill uploader with the error field 'description' in SKILL.md must be at most 1024 characters. When you need more keywords than 1024 characters can carry, the right move is to split into two chained skills instead of cramming everything into one description.
How to invoke a skill¶
In any MCP client that supports the skill spec (Claude Desktop, Claude Code, Cursor, Gemini CLI, Kiro IDE), the skill description doubles as the matcher. You don’t invoke a skill by name — you describe the task and the matching skill activates.
Examples:
“Block ChatGPT for everyone outside the engineering group” → activates
zia-create-cloud-app-control-rule(which chains tozia-look-up-cloud-app-namefor the canonical enum).“Why is the SAP app slow for users in Frankfurt?” → activates
zdx-troubleshoot-user-experience(and chains tozdx-diagnose-deeptraceif the data requires it).“Onboard a new HR app over ZPA” → activates
zpa-application_segment-onboard.
Where skills live¶
The canonical source of every skill is the skills/ directory in the repository: github.com/zscaler/zscaler-mcp-server/tree/master/skills. The integration plugins (claude-code-plugin, cursor-plugin, gemini-extension, kiro/) reference these files directly — there is no separate per-client copy.
See also¶
Toolsets — the toolset grouping system that scopes which tools are loaded
Zscaler Integrations MCP Server Tools — the underlying tool catalog
Integrations — how skills are wired into each MCP client