This page will download a generic OTP watchapp, unpack it, add your key and time zone, repack it, and send it to you.
It's part of a problem I had to solve for empebble - it's the second no-compiler-involved watchface customizer. (The first one wasn't as good, so I scrapped it.) Your secret key does not leave your machine. This can probably be applied to other, more useful, tools.
All of the magic happens in your browser - my server just provides this static page and the generic OTP watchapp. The key isn't sent over the network in any form - the PBW you'll "download" is being created on-the-fly by your browser using JSZip. Once the page finishes loading (and the Build button turns blue) unplug your network cable, turn off your WiFi, enter your data and build. It will work just fine.
QR codes can't hold entire apps, just URLs. If there was a URL you could download your customized OTP app from it would mean that your OTP app was being hosted somewhere and possibly intercepted by a third party (or saved by the service provider for nefarious purposes.)
Note that this should work just fine on Mobile Safari.