If your password leaks from a single service, and I somehow know that you use this tool, I could then try all the combinations of the secret key until the service produces the same password as the one leaked. Now I have your secret key, and can derive your other passwords.
Notice how traditional password managers don't have this problem at all. If a password leaks, it tells you absolutely nothing about the other passwords.
Yes, but if I use a proper secret key, you won't be able to brute force it. You can't brute force anything 20+ chars in a billion years (inaccurate approximation).
The basic principle still holds: "Kerckhoffs's principle is the concept that a cryptographic system should be designed to be secure, even if all its details, except for the key, are publicly known" - which seems to be happening here (caveat emptor, also this should be self-hostable).
In other words, the security still hinges on the secret key, except you're not directly using the password Secr3tKey#website.example, but its hash. If everyone used this, the password strength would still be only dependent on the secret key strength, and wouldn't provide an easier avenue to a preimage (i.e. can't find the key otherwise than brute force; even though the explanation has some worrying confusion between hashing and encryption). Fairly straightforward, except some opsec concerns (e.g. "domain name lapses in a few years and Evil Operator starts logging the secret keys", or "site is unavailable for initial load, even though it does work offline afterwards").
Sure, if everyone used this, you'd have a copy of the algorithm used. But you're trying to solve for two unique variables, master password and secret key.
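The offline guessing scenario argued over in this thread, as an added example that is not from any commenter or from the tool under discussion. It assumes a stand-in derivation (PBKDF2-HMAC-SHA256 over `secret#domain`), a constructed candidate list and an assumed guess rate, and lets you check whether your own secret would fall to a candidate list given one leaked site password, and how long exhausting a random secret's keyspace would take.

```python
import base64
import hashlib
import math

# Assumed derivation, NOT the discussed tool's real algorithm:
# PBKDF2-HMAC-SHA256 over "secret#domain", salted with the domain,
# base64-encoded and truncated to 16 characters.
def derive(secret: str, domain: str, iterations: int = 1000) -> str:
    material = f"{secret}#{domain}".encode()
    digest = hashlib.pbkdf2_hmac("sha256", material, domain.encode(), iterations)
    return base64.urlsafe_b64encode(digest).decode()[:16]

def guessable_secret(leaked_password, domain, candidates, iterations=1000):
    """Return the candidate that reproduces the leaked password, else None.

    The check needs no contact with the service: the algorithm is public
    (Kerckhoffs), so one leaked output is enough to verify guesses offline.
    """
    for candidate in candidates:
        if derive(candidate, domain, iterations) == leaked_password:
            return candidate
    return None

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret of this length and alphabet."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case years to try every secret of this length and alphabet."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

# Constructed sample data for the demonstration.
DOMAIN = "website.example"
CANDIDATES = ["password", "letmein", "Secr3tKey", "hunter2"]
RANDOM_SECRET = "q7#Vz!r2Lk@9xWm4Tb&e"  # 20 chars, constructed
ASSUMED_RATE = 1e12  # guesses per second, an assumption

if __name__ == "__main__":
    for secret in ("Secr3tKey", RANDOM_SECRET):
        leaked = derive(secret, DOMAIN)
        found = guessable_secret(leaked, DOMAIN, CANDIDATES)
        print(f"{secret!r}: recovered from candidate list -> {found!r}")
        if found:  # one recovered secret reproduces every other site password
            print("  other.example password:", derive(found, "other.example"))
    print(f"20 random printable chars: {entropy_bits(94, 20):.0f} bits, "
          f"{years_to_exhaust(94, 20, ASSUMED_RATE):.1e} years at the assumed rate")
```

Raising `iterations` lowers the attacker's effective guess rate by the same factor, which matters for human-chosen secrets far more than for a 20-character random one.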