TL;DR: Install the CleanMyPrompt VS Code extension to get inline secret detection (squiggly underlines on API keys, emails, and credentials) plus one-command redaction and token compression — all local, no server calls.
You're Probably Leaking Secrets to Your AI Coding Assistant
When you use GitHub Copilot Chat, you typically paste context — a file, a function, a config snippet. If that context contains an API key, a database password, or a customer email, it goes straight to the model.
The same is true for other AI-in-the-editor tools: Cursor, Cline, Windsurf, Tabnine. They all operate on whatever text is in your editor.
The CleanMyPrompt VS Code extension sits between your file and your AI assistant. It scans open files, highlights findings inline, and lets you redact with one click — before you paste anything.
How It Works
Install from the VS Code Marketplace by searching CleanMyPrompt (publisher: cleanmyprompt), or install the VSIX directly.
Once installed, you get three capabilities:
1. Inline Diagnostics — See Secrets Highlighted in Real Time
Open any file and CleanMyPrompt immediately underlines detected secrets with diagnostic markers. Hover over the underline and you see:
- The finding type (OPENAI-KEY, EMAIL, ANTHROPIC-KEY, etc.)
- The severity (HIGH / MEDIUM / LOW)
- A hint: "Run 'CMP: Fix File' to redact"
This is powered by the VS Code diagnostics API — the same mechanism ESLint uses. It integrates seamlessly with the Problems panel (Cmd+Shift+M).
2. One-Command Redaction
Open the command palette (Cmd+Shift+P) and run:
- CMP: Scan File — shows findings for the current file in the Problems panel
- CMP: Fix File — replaces all secrets in-place with safe placeholders
- CMP: Squeeze File — compresses tokens (removes comments, unused imports, whitespace)
- CMP: Fix All Open Files — sweeps all open editor tabs at once
Redacted values look like this in your code:
const client = new OpenAI({ apiKey: "[OPENAI-KEY]" });
const client = new Anthropic({ apiKey: "[ANTHROPIC-KEY]" });
const email = "[EMAIL]";
The placeholders are clearly labeled and machine-reversible — you know exactly what was there.
3. Scan Before Copying Context to Copilot
The recommended workflow:
- Open the file you're about to use as Copilot context
- Run CMP: Scan File and review the findings
- Run CMP: Fix File to redact them
- Now paste safely into Copilot Chat or reference the file
Or, if you want a clean workspace every session:
- Run CMP: Fix All Open Files once
- Everything is redacted; then proceed with your Copilot session
What Gets Detected
The extension uses the same detection engine as the CLI, with three priority tiers:
HIGH (always redacted first):
- OpenAI keys (sk-...), Anthropic keys (sk-ant-...), Google AI, AWS, GitHub tokens
- Generic bearer tokens, base64 credentials
- Private key PEM headers (-----BEGIN RSA PRIVATE KEY-----)
MEDIUM:
- Email addresses, US phone numbers, SSNs, credit card numbers, IBANs
LOW:
- Hardcoded variable assignments (SECRET_KEY = "...", process.env.TOKEN = "...")
The engine uses two-pass deduplication — when a HIGH finding overlaps a LOW one, HIGH always wins. You won't see a generic [HARDCODED-SECRET] tag when the value is actually an Anthropic key.
It Doesn't Touch What It Shouldn't
The extension includes negative-lookahead patterns that skip already-redacted values. If you run CMP: Fix File and then scan again, you'll get zero findings — because [OPENAI-KEY] is not treated as a secret. Re-running fix is idempotent.
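The priority-wins deduplication and the already-redacted skip described in the last two sections, as an added illustration in JavaScript (not CleanMyPrompt's own code). The key formats and the placeholder convention are simplified assumptions for the example.

```javascript
// Added illustration, not CleanMyPrompt's code: tiered patterns, a two-pass
// overlap dedup where the higher tier wins, and idempotent redaction.
// The key formats below are simplified assumptions for the example.
const PATTERNS = [
  // HIGH tier. Anthropic is listed before the generic "sk-" OpenAI shape.
  { type: "ANTHROPIC-KEY", severity: "HIGH", re: /sk-ant-[A-Za-z0-9_-]{8,}/g },
  { type: "OPENAI-KEY", severity: "HIGH", re: /sk-(?!ant-)[A-Za-z0-9_-]{8,}/g },
  { type: "EMAIL", severity: "MEDIUM", re: /[\w.+-]+@[\w-]+\.[\w.-]+/g },
  // LOW: the quoted value of a hardcoded assignment. The negative lookahead
  // skips a value that is already a [PLACEHOLDER], which makes fix() idempotent.
  { type: "HARDCODED-SECRET", severity: "LOW",
    re: /(?<=\b(?:SECRET_KEY|API_KEY|TOKEN)\s*=\s*")(?!\[[A-Z-]+\])[^"]+(?=")/g },
];
const RANK = { HIGH: 3, MEDIUM: 2, LOW: 1 };

// Pass 1: collect every match from every pattern, with character offsets.
function collect(text) {
  const found = [];
  for (const p of PATTERNS) {
    for (const m of text.matchAll(p.re)) {
      found.push({ type: p.type, severity: p.severity,
                   start: m.index, end: m.index + m[0].length });
    }
  }
  return found;
}
// Pass 2: walk findings from highest tier down; drop any that overlap one kept.
function dedupe(findings) {
  const byRank = [...findings].sort(
    (a, b) => RANK[b.severity] - RANK[a.severity] || a.start - b.start);
  const kept = [];
  for (const f of byRank) {
    if (!kept.some(k => f.start < k.end && k.start < f.end)) kept.push(f);
  }
  return kept.sort((a, b) => a.start - b.start);
}
function scan(text) { return dedupe(collect(text)); }
// Replace surviving findings right to left so earlier offsets stay valid.
function fix(text) {
  let out = text;
  for (const f of scan(text).reverse()) {
    out = out.slice(0, f.start) + `[${f.type}]` + out.slice(f.end);
  }
  return out;
}
// Constructed sample: a HIGH key inside a LOW-tier assignment, an email, a plain token.
const SAMPLE = [
  'SECRET_KEY = "sk-ant-api03-abcdefghijkl"',
  'const email = "dev@example.com";',
  'TOKEN = "hunter2hunter2"',
].join("\n");
```

Running fix(SAMPLE) tags the first line [ANTHROPIC-KEY] rather than [HARDCODED-SECRET], and a second fix() over the output changes nothing.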
Token Squeeze in the Editor
If you're using Copilot for code review or explanation, you often paste large files as context. The squeeze command removes noise before it counts against your context window:
- Strips single-line and block comments
- Removes unused import statements (supports the import Default, import { Named }, and import Default, { Named } forms)
- Collapses excessive blank lines
- Deduplicates repeated text blocks
Result: a file that costs 40–50% fewer tokens to send as context — measurable savings if you're on a usage-based Copilot plan.
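A minimal version of that squeeze pass, added here as an illustration and not the extension's own code. It assumes JavaScript sources, the three ES import forms listed above, and plain word-boundary matching to decide whether an imported name is used.

```javascript
// Added illustration, not the extension's code: a minimal squeeze pass that
// strips comments, drops unused imports (the three ES forms above) and
// collapses blank lines. Identifier matching is a plain word-boundary regex.
const IMPORT_RE = /^import\s+(.+?)\s+from\s+['"][^'"]+['"];?\s*$/;

// Local names bound by an import clause: Default, { A, B as C }, or Default, { A }.
function importedNames(clause) {
  const names = [];
  const brace = clause.match(/\{([^}]*)\}/);
  if (brace) {
    for (const part of brace[1].split(",")) {
      const local = part.trim().split(/\s+as\s+/).pop().trim();
      if (local) names.push(local);
    }
  }
  const def = clause.replace(/\{[^}]*\}/, "").replace(",", "").trim();
  if (def) names.push(def);
  return names;
}

function squeeze(source) {
  // 1. block comments, then // comments (a // preceded by : or a quote is
  //    left alone so "http://..." inside a string survives)
  let text = source.replace(/\/\*[\s\S]*?\*\//g, "");
  text = text.replace(/(^|[^:'"])\/\/.*$/gm, "$1");
  const lines = text.split("\n");
  // 2. an import line stays only if at least one bound name is used elsewhere
  const body = lines.filter(l => !IMPORT_RE.test(l)).join("\n");
  const kept = lines.filter(l => {
    const m = l.match(IMPORT_RE);
    if (!m) return true;
    return importedNames(m[1]).some(n => new RegExp(`\\b${n}\\b`).test(body));
  });
  // 3. trailing whitespace off, runs of blank lines down to one
  return kept.map(l => l.trimEnd()).join("\n").replace(/\n{3,}/g, "\n\n").trim();
}

// Constructed sample with one unused import, a block comment and line comments.
const SOURCE = `import fs from "fs";
import { join, resolve as r } from "path";
import React, { useState } from "react";
/* header
   block */
// unused fs
function main() {
  const p = join("a", "b"); // build
  return useState(p);
}`;
```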
Privacy: Your Code Never Leaves Your Machine
The extension processes everything locally. No code, no file contents, no metadata is sent to CleanMyPrompt servers. The extension has no telemetry, no analytics, no network calls of its own. It reads your file, processes it, writes it back. That's it.
Free for Personal Use
The extension is free for individual developers and personal use. If your team or organization deploys it across an engineering org — as part of a standardized developer toolchain — a commercial license applies. See pricing.
Install It Now
Search for CleanMyPrompt in the VS Code Marketplace, or go to cleanmyprompt.io/vscode for the direct link and full documentation.
The extension is version 1.1.2, which includes all current bug fixes: correct Anthropic key tagging, full unused-import stripping, false-positive suppression on already-redacted files, and priority-correct deduplication.
If Copilot is part of your daily workflow, this is the one extension worth installing before anything else.
Frequently Asked Questions
Does the extension send my code to CleanMyPrompt servers?
No. All scanning and redaction happens inside your VS Code process. No code, file contents, or metadata leaves your machine. The extension has no network calls, no telemetry, and no analytics.
How does inline diagnostic detection work?
The extension registers a VS Code diagnostic provider. When you open or save a file, it runs the detection engine synchronously and populates the Problems panel with findings, including type, severity, and line number. This is the same squiggly-underline mechanism ESLint uses.
Does "Fix File" permanently modify my file?
Yes — the redaction is in-place. If you want to preview first, run CMP: Scan File and review the Problems panel before running CMP: Fix File. Using Git means the original is always recoverable via git diff.
Does it work in Cursor, Windsurf, and other VS Code forks?
Yes. Any editor built on VS Code — Cursor, Windsurf, VSCodium — supports VS Code extensions. Install it the same way (Extensions panel → search CleanMyPrompt).
Is it idempotent — what happens if I run Fix File twice?
Yes. Redacted placeholders like [OPENAI-KEY] are excluded from the detection patterns. Running CMP: Fix File on an already-redacted file produces no changes.
Is there a team or organizational license?
Yes. The extension is free for individual developers and personal use. For commercial deployment across an engineering organization, a commercial license applies. See pricing.