Just created this due to the root vulnerability discovered today (2017-11-28)
<?xml version="1.0" encoding="UTF-8"?><extensionAttribute>
<displayName>Root shell</displayName>
<description>Check root's login shell</description>
<dataType>string</dataType>
<scriptContentsMac>#!/bin/sh
result=$(sudo dscl . -read /Users/root UserShell | awk '{print $NF}')
echo "<result>$result</result>"
</scriptContentsMac>
<scriptContentsWindows/>
</extensionAttribute>
If $result is /usr/bin/false, you should be ok according to #security at the Macadmins slack
