Visual Studio Code AI Extensions
MicrosoftAI API3 credentials
AI Extension Provider API Key
vscode-ai-extensions / extension-provider-api-key
VS Code AI extensions commonly use provider API keys supplied through environment variables, workspace settings, extension settings, devcontainers, or SecretStorage.
Looks like
examplesk-proj-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX«redacted:sk-…»«redacted:AIza…»Location
OPENAI_API_KEY, ANTHROPIC_API_KEY, GOOGLE_API_KEY, GEMINI_API_KEY, GOOGLE_GENERATIVE_AI_API_KEY, AZURE_OPENAI_API_KEY, OPENROUTER_API_KEY~/.config/Code/User/settings.json, ~/.config/Code/User/globalStorage/state.vscdb, ~/.config/Code - Insiders/User/settings.json, ~/.config/Code - Insiders/User/globalStorage/state.vscdbVS Code user settings and extension SecretStorage metadata/blobs on Unix-like systems
%APPDATA%\Code\User\settings.json, %APPDATA%\Code\User\globalStorage\state.vscdb, %APPDATA%\Code - Insiders\User\settings.json, %APPDATA%\Code - Insiders\User\globalStorage\state.vscdbVS Code user settings and extension SecretStorage metadata/blobs on Windows
.vscode/settings.json, .vscode/mcp.json, mcp.json, .env, .env.local, .env.production, devcontainer.json, .devcontainer/devcontainer.json, docker-compose.yml, compose.ymlWorkspace settings, MCP files, env files, and development container configuration used by AI extensions
VS Code SecretStorage, OS keychain, password vaults, GitHub/Codespaces secrets, Docker secrets, Kubernetes Secrets, and cloud secret managers
Extension settings examples, notebooks, scripts, test fixtures, tool configs, MCP server definitions, and prompt/agent files
Extension host logs, AI extension output channels, terminal transcripts, MCP server stdout/stderr, CI traces, and debug dumps
Notes
VS Code SecretStorage generally stores secrets through OS keychain-backed encrypted storage; state.vscdb is an exact extension storage surface but not guaranteed plaintext.
GitHub Copilot Token
vscode-ai-extensions / copilot-token
Built-in and marketplace Copilot integrations use GitHub/Copilot tokens, including environment variables passed to integrated terminals or automation.
Location
COPILOT_GITHUB_TOKEN, GITHUB_COPILOT_GITHUB_TOKEN, GH_TOKEN, GITHUB_TOKEN~/.config/Code/User/globalStorage/state.vscdb, ~/.config/Code/User/settings.json%APPDATA%\Code\User\globalStorage\state.vscdb, %APPDATA%\Code\User\settings.json.vscode/settings.json, .github/workflows/copilot-setup-steps.yml, .devcontainer/devcontainer.json, devcontainer.jsonVS Code SecretStorage, OS keychain, GitHub Actions secrets, Codespaces secrets, and enterprise secret stores
Copilot Chat logs, extension host logs, coding-agent logs, and terminal traces
Notes
GitHub token value shapes are intentionally modeled in github.yaml. This VS Code entry keeps editor/Copilot storage and environment context only so it does not override canonical GitHub token classification.
MCP Server Secret
vscode-ai-extensions / mcp-server-secret
VS Code MCP and AI-agent extensions can invoke local or remote MCP servers with API keys and OAuth tokens in configuration or command environments.
Location
.vscode/mcp.json, mcp.json, .vscode/settings.json, settings.json, .env, .env.localOPENAI_API_KEY, ANTHROPIC_API_KEY, GITHUB_TOKEN, GH_TOKENVS Code SecretStorage, OS keychain, password vaults, and cloud secret managers used by MCP servers
MCP server command wrappers, extension configs, and workspace automation
MCP server logs, extension output channels, terminal transcripts, and debug traces
Notes
MCP credential formats vary by server; scanner value patterns should come from the specific provider or server template where possible.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.