Secret Key auto generation on someone else's device?

The risk of unintended disclosure of your Secret Key and account password when using a web browser on someone else's device depends strongly on your information hygiene when doing so.

If they create an account for you on the device with its own encrypted storage, then your credentials and secrets should remain undisclosed in any web browser, however you use it.
If they let you use their account for this one task under their supervision and you use only a Private or Incognito browser session, and you log out and exit the browser session as soon as your task is finished, then there should be no stored data from that session remaining.
Anything less careful than this creates an opportunity for disclosure, however it's unlikely that there will be a trivial way for them to discover your credentials without some forensic cleverness, or use these to access your account without the TOTP, or if you are foolish enough to leave yourself logged in.

These considerations conveniently ignore the device owner having the intent and capability to compromise your account, in which case there can be no "safe" way to use their device.

The usual caveats of casual risk assessments apply, with the constant danger of cutting yourself on edge cases.