You just reminded me -- I once wrote a script that decoded and then eval'd a hidden command encoded within the whitespace of the script file itself. My goal was to create an entirely benign looking script that would hold up to visual scrutiny, but still be possibly malicious - in the final variant, it downloaded an additional remote script. Not that I ever used it for anything, but it did temper my natural trust in cursory inspection of benign-seeming open source code.
