I was able to totally remotely, over the air, upload a custom firmware to my speaker which I hadn’t paired with, which would reboot, flash the custom firmware, and after rebooting type in the command echo pwned and execute it.

So an attacker can hack someone else’s speaker, turn it into a keyboard to the paired PC, and from there attack the paired PC.