Most operating systems trust USB devices completely. You can send keystrokes that open a text editor and type malware that'll do whatever you want, and you can control the attack in real time via wifi.
(it couldn't read user keypresses unless they use the cable to plug in their keyboard)
It certainly could read user keypresses after it typed in malware with a keylogger, and then transmit your keypresses over its wifi (not your network, where it might be detectable) back to the attacker.
