
(Cheap) Security Keys are very dumb objects. They don't know anything secret except their own secret key. So I think the two naughty things bad guys might do are:

1. Sell you a key whose secret key they already know. This is hard to defend against. But if you just buy a generic key from a reputable manufacturer and aren't a major target this seems pretty safe in practice.

2. Hide something malevolent inside the security key's case, e.g. it's secretly a GPS tracker or it's a tiny USB disk plus keyboard that hacks your PC after detecting inactivity.



Is there any way to generate a new key on the device? What steps can a paranoid user take to mitigate problem (1) above?


In principle devices could be designed with the ability to generate a new key. But if you don't trust the hardware how does that help?

You may be able to make more of the hardware yourself, depending on how capable you are with electronics.

(Much) more expensive devices can implement FIDO while actually using arbitrary new keys for each registration and you could arrange to hand-pick the keys and then verify it behaves as intended and uses your chosen keys.


In the more expensive devices, are the arbitrary new private keys imported from the computer it's plugged into? If the new keys are generated on the hardware you don't trust, it'd still be the same problem, since the private keys could be generated deterministically from a known seed and a counter.

You can at least verify when a cheaply-designed device has changed its secret key, because the public key it offers for github.com is different from before, but yeah, that 'new' secret key could still just be derived from a manufacturer-known seed/secret serial number, too, same as the first one was, but with an incremented counter.
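The concern raised in the comment above, as an added example that is not part of the original thread: a device that derives its P-256 key from a provisioned seed and a reset counter shows a different public key after each reset, yet anyone holding the seed can recompute it. The derivation scheme (HMAC-SHA256 over counter and site name), the seed value and all function names are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

# NIST P-256 domain parameters (the curve used by FIDO U2F).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p1, p2):
    """Add two affine points; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def public_key(d):
    """Double-and-add scalar multiplication d*G (illustrative, not constant time)."""
    result, addend = None, G
    while d:
        if d & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        d >>= 1
    return result

def derive_private(seed, counter, rp_id):
    """Hypothetical scheme: private scalar = HMAC-SHA256(seed, counter || rp_id)."""
    msg = counter.to_bytes(4, "big") + rp_id.encode()
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (N - 1) + 1  # scalar in [1, N-1]

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

SEED = b"constructed-factory-seed"  # constructed sample, known to whoever provisioned it
before = public_key(derive_private(SEED, 1, "github.com"))
after = public_key(derive_private(SEED, 2, "github.com"))  # after a "reset"
# The user observes a new public key, but the seed holder recomputes the same one.
recomputed = public_key(derive_private(SEED, 2, "github.com"))
```

Comparing `before` and `after` is the only check available from outside the device, and it passes here even though no fresh entropy was involved.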


You can order it on a library computer with a Visa debit card you bought at a grocery store you don't usually go to with cash, and ship it to another address than your own.



