What is the most common attack vector to fear? I thought maybe auto-run had been disabled by default, in most modern versions of Windows, for the past 10-15 years at least.
If you plug in a USB keyboard, Windows will automatically set it up. All the stick needs to do is emulate a keyboard, then it can send keystrokes to the OS as yourself, no need for auto-run.
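
Added example, not part of the original answer: a defender-side check that walks a raw USB configuration descriptor and reports which interface classes a device declares, so a "flash drive" that also enumerates as a keyboard stands out. The function names and the sample descriptors are constructed for illustration; the class codes (0x03 HID, 0x08 mass storage) are the standard USB-IF values.

```python
import struct

CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08   # USB-IF interface class codes
DESC_INTERFACE = 0x04                        # bDescriptorType for an interface

def interfaces(blob: bytes):
    """Yield (class, subclass, protocol) for each interface descriptor."""
    i = 0
    while i + 2 <= len(blob):
        length, dtype = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            break                            # truncated or corrupt: stop, never over-read
        if dtype == DESC_INTERFACE and length >= 9:
            yield tuple(blob[i + 5:i + 8])
        i += length

def assess(blob: bytes) -> str:
    ifs = list(interfaces(blob))
    storage = any(c == CLASS_MASS_STORAGE for c, _, _ in ifs)
    hid = any(c == CLASS_HID for c, _, _ in ifs)
    # (3, 1, 1) is the HID boot keyboard. Other HID keyboards identify
    # themselves only in the report descriptor, which is not parsed here.
    if storage and hid:
        return "suspicious: storage plus HID"
    if (CLASS_HID, 1, 1) in ifs:
        return "keyboard"
    return "storage" if storage else "other"

def make_config(*ifaces) -> bytes:
    """Build a constructed configuration descriptor for the samples below."""
    body = b""
    for n, (cls, sub, proto) in enumerate(ifaces):
        body += bytes([9, DESC_INTERFACE, n, 0, 1, cls, sub, proto, 0])
        body += bytes([7, 0x05, 0x81 + n, 0x03, 0x40, 0x00, 0x0A])  # one endpoint
    header = struct.pack("<BBHBBBBB", 9, 0x02, 9 + len(body), len(ifaces), 1, 0, 0x80, 50)
    return header + body

# Constructed samples, not captured from real hardware.
PLAIN_STICK = make_config((0x08, 0x06, 0x50))          # SCSI / bulk-only storage
STICK_WITH_KEYBOARD = make_config((0x08, 0x06, 0x50), (0x03, 0x01, 0x01))
KEYBOARD_ONLY = make_config((0x03, 0x01, 0x01))

if __name__ == "__main__":
    for name in ("PLAIN_STICK", "STICK_WITH_KEYBOARD", "KEYBOARD_ONLY"):
        print(name, "->", assess(globals()[name]))
```

A device that declares only a keyboard interface is indistinguishable from a real keyboard at this level, so the result has to be compared with what was physically plugged in: something shaped like a flash drive that reports `keyboard` is the case the answer describes.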