Custom Box Skills apps should have the same security options as regular apps
Currently when you go into the development console, create a new app, and select "Custom Skill", the configuration section gives you a client ID. However a "Custom app" gives you a clientId as well as a client secret in the OAuth 2 section. I have a box skill that generates metadata as well as facilitates an integration with another system, requiring me to create a client (box sdk) in order to modify sharing on the file and generate a link to view in the portal.
To get around this I created a second app (Custom App) just for the auth - but that seems sloppy.