diff --git a/scripts/moicen-remote-readonly-check.sh b/scripts/moicen-remote-readonly-check.sh
index 6e8c830..704e5bf 100755
--- a/scripts/moicen-remote-readonly-check.sh
+++ b/scripts/moicen-remote-readonly-check.sh
@@ -4,6 +4,13 @@ set -euo pipefail
 
 echo "=== moicen readonly verify $(date -u +%Y-%m-%dT%H:%M:%SZ) ==="
 
+sanitize_output() {
+  sed -E \
+    -e 's/(Bearer )[A-Za-z0-9._-]+/\1<redacted>/g' \
+    -e 's/((token|password|passwd|secret)[=: ]+)[^[:space:]]+/\1<redacted>/Ig' \
+    -e 's/[0-9]{1,3}(\.[0-9]{1,3}){3}/<redacted-ip>/g'
+}
+
 HTYPROC_ENV="${HOME}/works/huike-back/htyproc/.env"
 if [[ ! -r "$HTYPROC_ENV" ]]; then
   echo "ERROR: cannot read ${HTYPROC_ENV}"
@@ -27,9 +34,9 @@ echo "--- Redis ---"
 redis-cli ping
 
 echo "--- htyproc log (tail, last 50 lines) ---"
-tail -n 50 "${HOME}/works/huike-back/htyproc/htyproc.nohup.log" 2>/dev/null || echo "(no htyproc log)"
+tail -n 50 "${HOME}/works/huike-back/htyproc/htyproc.nohup.log" 2>/dev/null | sanitize_output || echo "(no htyproc log)"
 
 echo "--- OpenResty error.log (tail, last 30 lines) ---"
-tail -n 30 /usr/local/openresty/nginx/logs/error.log 2>/dev/null || echo "(no nginx error log)"
+tail -n 30 /usr/local/openresty/nginx/logs/error.log 2>/dev/null | sanitize_output || echo "(no nginx error log)"
 
 echo "=== moicen readonly verify OK ==="