Execute any code on your machine. Because of the way USB has access to pretty deep hardware internals, whilst OS software tries to prevent this, it's a massive security issue.
Yes, this.
Basically, for the OS, something you plug into a USB slot can be anything, which includes keyboards. The OS has to trust the device plugged in that it is what it says it is. Since there is basically no way to prevent plug and play without making the UX abysmal[1], USB sticks can pretend to be keyboards and execute keystrokes when you insert them, which includes opening reverse shells. With a reverse shell, the attacker now has full control of your machine (except root if you have a strong root password etc.).
This is what rubber duckies do: https://shop.hak5.org/products/usb-rubber-ducky

Footnotes

  1. If you are really plugging in a keyboard, you just want it to work immediately since you might have no other human interface device.
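
An added example, not part of the comments above: a small Linux audit script that reads the interface class codes each USB device declares in sysfs and lists devices claiming a HID boot-keyboard interface, noting when the same device also exposes mass storage. The sample tree and its vendor/product IDs are constructed, and keyboards that do not declare the boot subclass are not covered.

```python
import os, sys, tempfile
HID, BOOT, KEYBOARD, MASS_STORAGE = 0x03, 0x01, 0x01, 0x08  # USB class codes
ATTRS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")

def iface(name, *values):  # the three sysfs attribute files of one interface
    return {f"{name}/{a}": v for a, v in zip(ATTRS, values)}

# Constructed sample tree (not from a real machine), file path -> contents.
SAMPLE = {"1-1/idVendor": "1234", "1-1/idProduct": "abcd",
          "1-2/idVendor": "5678", "1-2/idProduct": "0001",
          **iface("1-1:1.0", "08", "06", "50"),   # stick: mass storage ...
          **iface("1-1:1.1", "03", "01", "01"),   # ... plus a HID boot keyboard
          **iface("1-2:1.0", "08", "06", "50")}   # ordinary storage-only stick

def write_sample(root):
    for rel, value in SAMPLE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(value + "\n")

def read(path):
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""

def keyboard_claims(root="/sys/bus/usb/devices"):
    """Return the devices that have an interface declaring HID boot keyboard."""
    found = {}
    names = sorted(os.listdir(root)) if os.path.isdir(root) else []
    for name in (n for n in names if ":" in n):  # interface dirs look like "1-1:1.0"
        try:
            cls, sub, proto = (int(read(os.path.join(root, name, a)), 16) for a in ATTRS)
        except ValueError:                       # attribute missing or unreadable
            continue
        rec = found.setdefault(name.split(":")[0], {"keyboard": False, "storage": False})
        rec["keyboard"] |= (cls, sub, proto) == (HID, BOOT, KEYBOARD)
        rec["storage"] |= cls == MASS_STORAGE
    return [{"device": d, "also_storage": r["storage"], "id": ":".join(
                read(os.path.join(root, d, f)) for f in ("idVendor", "idProduct"))}
            for d, r in found.items() if r["keyboard"]]

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:
        write_sample(root)                       # no path given: use the constructed tree
    print(keyboard_claims(root))
```

Run it with `/sys/bus/usb/devices` as the argument to inspect the local machine; with no argument it scans the constructed tree.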