at: only retain variables whose name consists of alphanumerics and underscores

Since a recent security update[1] bash might export variables named
BASH_FUNC_*() to the environment which the serialization code in at
cannot handle properly.

  [1] <https://www.debian.org/security/2014/dsa-3035>