consider using Kleros TCR (token curated registry) as reference for listing permission less tokens

[ilanDoron]

For permission less tokens, Kyber has no control over the listed tokens. this enables any token to be listed. including scam tokens, and worse then that. tokens that attack kyber as part of the ERC20 methods like transfer(), transferFrom() etc.

Kleros TCR is a decentralized registry that could protect from these tokens (to a certain extent).

see this reference: https://blog.kleros.io/erc20-becomes-part-of-the-token/