Indeed, but only until someone opens their \.$SHELL(rc|_profile) or lists hidden files. Which, for some engineers, wouldn't take long. Bear in mind it might also take a while to collect data from your new boobytrapped SSH client, so staying hidden is imperative.
Obviously you wouldn't name the actual directory "boobytrapped", you'd pick something a little more subtle. Maybe even use an existing folder like ".config". "boobytrapped" was only used here for illustrative purposes.