Thanks, everyone! Aaron found the solution. After you define your command line string, you use "execString" to grab the output (before you actually run the command, of course.) This will get whatever output the script produces (echo, print, etc.)

Steps:

1. Add the necessary namespaces:

<namespace-def name="es" value="http://www.novell.com/nxsl/ecmascript"/>
<namespace-def name="js" value="http://www.novell.com/nxsl/ecmascript"/>
<namespace-def name="cmd" value="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsCommandProcessor"/>
<namespace-def name="runtime" value="http://www.novell.com/nxsl/java/java.lang.Runtime"/>

or, using the Edit Namespaces wizard:

Prefix URI Java ext?
es http://www.novell.com/nxsl/ecmascript
js http://www.novell.com/nxsl/ecmascript
cmd com.novell.nds.dirxml.driver.XdsCommandProcessor yes
runtime java.lang.Runtime yes

2. Define local variables to establish the runtime instance and the command line you want to run.

Runtime instance:

<do-set-local-variable name="runtime-instance" scope="policy">
<arg-object>
<token-xpath expression="runtime:getRuntime()"/>
</arg-object>
</do-set-local-variable>

Command line:

<do-set-local-variable name="cmdLine" scope="policy">
<arg-string>
<token-text xml:space="preserve">/your/path/here/myscript.sh</token-text>
<token-text xml:space="preserve"> </token-text>
<token-attr name="workforceID"/>
<token-text xml:space="preserve"> </token-text>
<token-attr name="CN"/>
</arg-string>
</do-set-local-variable>

This example defines this command line (with arguments) "/your/path/here/myscript.sh workforceID CN" Don't forget to add the spaces between arguments, if you're using them.

If you want, you can echo the resulting command line back to the trace file:

<do-trace-message>
<arg-string>
<token-local-variable name="cmdLine"/>
</arg-string>
</do-trace-message>

3. Define the local variable that prepares to grab the output of the command:

<do-set-local-variable name="result" scope="policy">
<arg-string>
<token-xpath expression="es:execString($cmdLine)"/>
</arg-string>
</do-set-local-variable>

Note the use of the command line variable defined in step 2.

4. Define a local variable that uses the runtime:exec command to execute the script:

<do-set-local-variable name="process" scope="policy">
<arg-object>
<token-xpath expression="runtime:exec($runtime-instance, $cmdLine)"/>
</arg-object>
</do-set-local-variable>

5. (Optional) Print the contents of the result variable to the trace file:

<do-trace-message level="1">
<arg-string>
<token-text xml:space="preserve">Results: </token-text>
<token-local-variable name="result"/>
</arg-string>
</do-trace-message>

I hope this helps someone else! Kudos to Aaron and Steven Tharp (for the original command line wizardry).