Once in a while I log into an application server and check the log for certain entries:
Now I have 3 similar application servers and I need to do the same thing on each server.
But rather than manually log into each of them one-by-one, I would like to copy
the last 100 lines of the respective server's /var/log/messages file to my
system and then do tail.

I only have ssh/scp access.

Questions:

1. Is scp the way to go? Are there any other options?

2. How can I script this so that my ids and passwords are not visible?

Eventually, I would like to then run this script via cron.

1.) I don't think so, The ssh command can run a program. You could use the same command and redirect the output to a file. Then the next line could use the scp command to download that file.
This needs testing. An alternative is to have this oneliner on the server and run the script in the ssh command.

2.) You can configure sshd_conf so that you use the ssh/authorized_keys to authenticate. Another way would be to use ssh-agent. You would need to start the agent manually once, so it might not be ideal for a cron job, however this method is the most secure, because if someone gains access to your account, they would be able to copy your keys and then have access to the application servers. For this you would need to generate keys with an ssh passphrase as well. This is more secure because someone gaining access to your keys would still need to guess a long passphrase.
http://www.snailbook.com/faq/no-passphrase.auto.html
I don't think you can hide your username from 'ps'. You could have your username read in by running a private script that a normal user can't read. ( ssh may replace the username part of the /proc/<pid>/cmd with xxx's. )

Because /var/log/messages is a root readable file, and you want to run this as a cron script, it looks like this would mean that the app servers will need to allow ssh root logins. You will have to decide if the convenience of a cron job outways the additional risk to the server.
You could have a sudoers line (on each server) which would allow you to run that exact command (and only that command) as root without a password. Then you could login as a normal user, and use sudo instead of su'ing to root to run the tail command on /var/log/messages.